PAN-SA-2016-0011 OpenSSH vulnerabilities
Description
OpenSSH contains two vulnerabilities (CVE-2016-0777 and CVE-2016-0778) affecting the SSH client roaming feature when connecting to a malicious server. Exploitation of this issue can leak portions of memory from the SSH client process. (Ref # 90508)
The Palo Alto Networks firewall outbound SSH client offers only the user/password authentication scheme and, therefore, does not expose a potential SSH private key.
This issue affects PAN-OS 7.0.9 and earlier; PAN-OS 7.1.2 and earlier
| CVE | CVSS | Summary |
|---|---|---|
| CVE-2016-0777 | 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) | The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key. |
| CVE-2016-0778 | 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) | The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings. |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS 7.1 | <= 7.1.2 | >= 7.1.3 |
| PAN-OS 7.0 | <= 7.0.9 | >= 7.0.10 |
Severity: HIGH
CVSSv3.0 Base Score: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Weakness Type
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Solution
PAN-OS 7.0.10 and later; PAN-OS 7.1.3 and later
Workarounds and Mitigations
These vulnerabilities affect PAN-OS only when initiating a connection to a malicious server. Palo Alto Networks discourages establishing SSH sessions to unknown or untrusted servers.