'Serious' security flaw in OpenSSH puts private keys at risk

A security vulnerability found in a widely-used open-source software has been described as "the most serious bug."

A major vulnerability has been found and fixed in OpenSSH, an open-source remote connectivity tool using the Secure Shell protocol. The flaw was the result of an "experimental" feature that allows users to resume connections.

According to a mailing list disclosing the flaw, a malicious server can trick an affected client to leak client memory, including a client's private user keys.

The affected code is enabled by default in OpenSSH client versions 5.4 to 7.1. The matching server code was never shipped, the mailing list said.

The flaw doesn't have a catchy name like some other previous flaws, but disabling client-side roaming support fixes the issue.

A security patch -- version 7.1p2 -- is now available from the project's website.

Release notes for the patch said the information leak is "restricted to connections to malicious or compromised servers."

The flaw, which is said to be years old, was found by Qualys' security advisory team.

Wolfgang Kandek, chief technology officer at Qualys, confirmed in an email that the company disclosed the bugs to the OpenSSH team on January 11, and commended the team for working "incredibly fast" to get a patch out three days later.

The security company later on Thursday published a lengthy post, including a proof-of-concept, effectively lighting a fire under every affected OpenSSH client.

The flaw is thought to be one of the most severe flaws found in the open-source software in years.

Security researcher Kenneth White said in a tweet following the news breaking: "When there's a serious security bug in the remote access tool used by 70-plus-percent of the servers in the world, people sit up and take notice."

The software is also used on many (if not most) commercial routers and firewalls, said White in a follow-up email.

Red Hat, CentOS, and Amazon Linux distributions are "mostly" unaffected by the bug, he said. But not everyone escaped some level of trouble.

Canonical said in an advisory that its Ubuntu operating system, versions 12.04, 1404, 15.04, and 15.10 are affected by the flaw. Red Hat Enterprise Linux (RHEL) versions 4, 5, and 6 are not affected, but some versions of RHEL 7 prior to March 2015 are impacted by the bug.

White said in an email that it's "difficult to say" how big the impact will be.

He said many hundreds of thousands of Linux servers that connect to other systems -- backup servers, for example -- are are at risk of having their SSH admin keys stolen.

"Developers and admins are advised to regenerate and rotate keys to systems they touch, whether for hobby [or] weekend projects, or more sensitive servers -- including Github," he added.

Bottom line? Patch now, and patch fast.

This post has been updated.

These companies lost your data in 2015's biggest hacks, breaches