CVE-2016-0777 and CVE-2016-0778...oy vey

donmontalvo
Esteemed Contributor III

Doesn't look like 10.11.3 (released today) fix either of these OpenSSH vulnerabilities:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0777
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0778

EA to identify computers that don't have the fix for /etc/ssh_config or /etc/ssh/ssh_config, hope Apple releases a fix before 10.11.4.

TIA,
Don

--
https://donmontalvo.com
2 REPLIES 2

mthakur
Contributor

Until Apple patches it, this is relatively easy to mitigate. From the OpenSSH advisory:

MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the gobal ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.

donmontalvo
Esteemed Contributor III

Should be pretty easy to see if /etc/ssh_config ior /etc/ssh/ssh_config has "UseRoaming no" and if not, add it. Hoping for a patch though.

--
https://donmontalvo.com