IBM Patches OpenSSH Security Flaws That Impact IBM i
February 8, 2016 Alex Woodie
IBM last week patched another pair of security vulnerabilities in the OpenSSH client for IBM i. The security flaws, which impact all current releases of IBM i–and very likely older releases that are no longer under maintenance–carry a moderate to severe risk, and could be used to execute arbitrary code on an IBM i server, obtain private cryptographic security keys, or execute a denial of service attack, IBM says.
On February 1, IBM issued a security bulletin to address the two flaws in its OpenSSH implementation for IBM i. Both flaws lie in the OpenSSH client's roaming feature (code meant to let a client resume an interrupted connection and retransmit data the server missed), whose design leaves it open to an information leak and to a heap buffer overflow.
The first flaw, identified as CVE-2016-0777 in the Common Vulnerabilities and Exposures database, carries a CVSS base score of 6.5, which makes it a medium-to-severe threat. The fact that this vulnerability can be triggered across the network, requires no privileges, and is relatively uncomplicated to exploit makes it potentially dangerous, according to IBM's X-Force report on the flaw.
This flaw leaks information when a server asks the client to retransmit the contents of its roaming buffer: the client can send back bytes it never actually wrote, which may include whatever sensitive data previously occupied that memory. "OpenSSH could allow a remote attacker to obtain sensitive information, caused by a client information leak from using the roaming connection feature," IBM says. "By persuading a victim to connect to a malicious server, an attacker could exploit this vulnerability to retrieve private cryptographic keys or other sensitive information."
The second flaw, identified as CVE-2016-0778 by the CVE database, carries a CVSS base score of 5, which makes it a medium threat. This score is lower than the first flaw's because, while this attack also comes over the network and doesn't require privileges on the part of the attacker, it is a relatively complex attack mechanism, according to the X-Force report. In practice the overflow is reachable only when the client is run with non-default options (a ProxyCommand combined with agent or X11 forwarding), which is why its attack complexity is rated higher than the leak's.
IBM says this flaw makes OpenSSH vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the API. “By persuading a victim to connect to a malicious server, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash,” IBM says.
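To make the two bug classes concrete, the following is an added example written for this article, not OpenSSH's own code and not the IBM i patch. It models, with invented names (`roam_client`, `resend_vulnerable`, `resend_fixed`), a client that keeps a copy of sent bytes for possible retransmission. The vulnerable resend only checks that a server's "resend N bytes from offset O" request fits within the allocation, so a malicious server can pull back never-written heap bytes (here a constructed stale key fragment planted in the buffer to stand in for allocator reuse). The hardened version zeroes the buffer on allocation and refuses any request that reaches past the bytes actually written, using overflow-safe arithmetic for the bounds check that CVE-2016-0778's description says was missing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a roaming retransmit buffer (example code, not OpenSSH). */
#define OUT_BUF_SIZE 64

struct roam_client {
    unsigned char *out_buf;  /* copy of bytes sent, kept for resend */
    size_t out_buf_size;     /* bytes allocated */
    size_t out_written;      /* bytes actually written into out_buf */
};

/* Constructed stand-in for a freed private key left behind in heap memory. */
static const char STALE_SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";

/* Vulnerable setup: plain malloc(), so unwritten bytes hold allocator leftovers.
   We plant STALE_SECRET explicitly to make that reuse deterministic. */
static void client_init_vulnerable(struct roam_client *c) {
    c->out_buf = malloc(OUT_BUF_SIZE);
    memset(c->out_buf, 'A', OUT_BUF_SIZE);
    memcpy(c->out_buf + 24, STALE_SECRET, sizeof(STALE_SECRET) - 1);
    c->out_buf_size = OUT_BUF_SIZE;
    c->out_written = 0;
}

/* Hardened setup: zeroed allocation, so stale memory is never exposed. */
static void client_init_fixed(struct roam_client *c) {
    c->out_buf = calloc(1, OUT_BUF_SIZE);
    c->out_buf_size = OUT_BUF_SIZE;
    c->out_written = 0;
}

/* Client sends data; a copy is retained for a possible resend. */
static int client_send(struct roam_client *c, const unsigned char *data, size_t n) {
    if (n > c->out_buf_size - c->out_written) return -1;
    memcpy(c->out_buf + c->out_written, data, n);
    c->out_written += n;
    return 0;
}

/* Vulnerable resend: bounded only by the allocation, not by what was written,
   so bytes between out_written and out_buf_size (uninitialised heap) leak. */
static int resend_vulnerable(const struct roam_client *c, size_t offset, size_t len, unsigned char *dst) {
    if (offset > c->out_buf_size || len > c->out_buf_size - offset) return -1;
    memcpy(dst, c->out_buf + offset, len);
    return (int)len;
}

/* Fixed resend: the peer may only ask for bytes that were actually sent.
   Written as two comparisons so offset + len cannot wrap around. */
static int resend_fixed(const struct roam_client *c, size_t offset, size_t len, unsigned char *dst) {
    if (offset > c->out_written || len > c->out_written - offset) return -1;
    memcpy(dst, c->out_buf + offset, len);
    return (int)len;
}

/* Does the resent data contain the planted secret? */
static int contains_secret(const unsigned char *buf, size_t n) {
    size_t slen = sizeof(STALE_SECRET) - 1;
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(buf + i, STALE_SECRET, slen) == 0) return 1;
    return 0;
}

/* Runs one server request against a client that has sent 11 bytes.
   Returns -1 if the request was refused, 1 if the secret leaked, 0 if served cleanly. */
int run_scenario(int hardened, size_t offset, size_t len) {
    struct roam_client c;
    unsigned char reply[OUT_BUF_SIZE];
    const unsigned char payload[] = "echo hello\n";  /* constructed sample traffic */
    int got;

    if (hardened) client_init_fixed(&c); else client_init_vulnerable(&c);
    client_send(&c, payload, sizeof(payload) - 1);
    got = hardened ? resend_fixed(&c, offset, len, reply)
                   : resend_vulnerable(&c, offset, len, reply);
    free(c.out_buf);
    if (got < 0) return -1;
    return contains_secret(reply, (size_t)got);
}

int main(void) {
    /* A malicious server asks for the whole allocation, not just the 11 bytes sent. */
    printf("vulnerable client, full-buffer request: %d (1 = key material leaked)\n",
           run_scenario(0, 0, OUT_BUF_SIZE));
    printf("hardened client, full-buffer request:   %d (-1 = refused)\n",
           run_scenario(1, 0, OUT_BUF_SIZE));
    printf("hardened client, legitimate request:    %d (0 = served, no leak)\n",
           run_scenario(1, 0, 11));
    return 0;
}
```

The point of the two bounds checks is that the allocation size is not the right limit: the retransmit buffer is only as trustworthy as the bytes the client has actually placed in it, and the `offset > written || len > written - offset` form avoids the wrap-around that a naive `offset + len > written` test would allow with attacker-supplied sizes.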
Like most enterprise IT companies, IBM announces security flaws publicly only after it has patched them, and this time is no different. Big Blue has issued three emergency PTFs to address the problems with the OpenSSH client. The PTFs for IBM i 6.1, 7.1, and 7.2 are SI59305, SI59213, and SI59204, respectively.
OpenSSH was created by the OpenBSD team as a free alternative to the original Secure Shell (SSH) software, which became proprietary. SSH provides an encrypted protocol that lets people log in to servers and transfer files over untrusted networks. SSH is often viewed as more secure than the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols, though the two solve different problems (SSH protects remote logins and file transfer, while TLS protects HTTP and other application protocols), and it has been widely adopted in recent years. SSL, and in particular OpenSSL, have suffered from serious security problems recently, notably the infamous Heartbleed vulnerability that afflicted OpenSSL in 2014 and potentially exposed millions of passwords.
The flaws affect OpenSSH clients from version 5.4, where the roaming code first appeared, through 7.1p1; the upstream fix is OpenSSH 7.1p2, released January 14, which removes the vulnerable roaming code. The roaming feature was experimental and undocumented, and no released OpenSSH server ever implemented it, yet it shipped enabled by default in the client, which is how researchers at Qualys were able to abuse it from a malicious server. Clients that cannot be updated immediately can disable the feature by adding "UseRoaming no" to ssh_config.
To read the IBM security bulletin, see www-01.ibm.com/support/docview.wss?uid=nas8N1021109.