Published on 14 January 2016 by

Earlier today, a new vulnerability advisory for the OpenSSH client was released as CVE-2016-0777 and CVE-2016-0778. The vulnerability is part of the undocumented roaming feature, and opens SSH connections to potential man-in-the-middle attacks. If you’re worried about it, don’t be. Puppet can help you get it addressed in no time.

How to determine vulnerable systems

Puppet Enterprise customers can use MCollective to find out which versions of the openssh-clients package are installed across their infrastructure. Run the following command as the peadmin user on the Puppet Enterprise master:

# mco rpc package status package=openssh-clients

An example output will be:

Discovering hosts using the mc method for 2 second(s) .... 3

 * [ ============================================================> ] 3 / 3

master
       Arch: x86_64
     Ensure: 6.4p1-8.el7
      Epoch: 0
       Name: openssh-clients
     Output: nil
   Provider: yum
    Release: 8.el7
    Version: 6.4p1

rhel6.vm
       Arch: x86_64
     Ensure: 5.3p1-104.el6
      Epoch: 0
       Name: openssh-clients
     Output: nil
   Provider: yum
    Release: 104.el6
    Version: 5.3p1

rhel7.vm
       Arch: x86_64
     Ensure: 6.4p1-8.el7
      Epoch: 0
       Name: openssh-clients
     Output: nil
   Provider: yum
    Release: 8.el7
    Version: 6.4p1

Summary of Arch:

   x86_64 = 3

Summary of Ensure:

     6.4p1-8.el7 = 2
   5.3p1-104.el6 = 1

Finished processing 3 / 3 hosts in 156.87 ms

Since the affected versions of the OpenSSH client are 5.4 through 7.1, the two systems running 6.4p1 are potentially vulnerable. If these systems haven’t explicitly disabled the roaming feature, they are vulnerable.
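
As an added example (not part of the original post or of Puppet's tooling), this Ruby script parses output in the format shown above and flags hosts whose reported Version falls in the 5.4 through 7.1 range. The function names are hypothetical and the sample is a trimmed copy of the output above. A distribution may backport a fix without changing the upstream version, so treat a match as a host to check rather than a confirmed finding.

```ruby
# Added example (not from the article): triage `mco rpc package status` output.
# The affected range, 5.4 through 7.1, is the one the article states.
AFFECTED_MIN = [5, 4].freeze
AFFECTED_MAX = [7, 1].freeze

# Constructed sample: a trimmed copy of the article's example output.
SAMPLE = <<~OUT
  master
         Arch: x86_64
       Ensure: 6.4p1-8.el7
      Version: 6.4p1

  rhel6.vm
       Ensure: 5.3p1-104.el6
      Version: 5.3p1

  Summary of Ensure:

       6.4p1-8.el7 = 2
     5.3p1-104.el6 = 1
OUT

# Parse per-host blocks into { host => { "Field" => value } }.
def parse_mco_status(text)
  hosts = {}
  current = nil
  text.each_line do |raw|
    line = raw.rstrip
    if line =~ /\A(\S+)\z/                       # bare token at column 0: a host name
      current = hosts[$1] = {}
    elsif line.start_with?('Summary of')         # per-host section has ended
      current = nil
    elsif current && line =~ /\A\s+(\w+):\s*(.*)\z/
      current[$1] = $2
    end
  end
  hosts.reject { |_, fields| fields.empty? }
end

# true/false for a parseable version, nil when it needs manual review.
def in_affected_range?(version)
  m = /\A(\d+)\.(\d+)/.match(version.to_s)
  return nil unless m
  mm = [m[1].to_i, m[2].to_i]
  (mm <=> AFFECTED_MIN) >= 0 && (mm <=> AFFECTED_MAX) <= 0
end

# Returns { host => true | false | nil } keyed on the reported Version field.
def triage(text)
  parse_mco_status(text).transform_values { |f| in_affected_range?(f['Version']) }
end

triage(SAMPLE).each { |host, hit| puts format('%-10s %s', host, hit.inspect) }
```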

Remediation

Until all of the distributions have updated their packages with a patch, the easiest way to remediate is to disable the client roaming feature. Luckily, we can easily manage that in Puppet.

Add the herculesteam/augeasproviders_ssh module to your Puppetfile:

mod 'herculesteam/augeasproviders_ssh'

Now add a resource to your SSH profile that manages the roaming configuration:

ssh_config { 'UseRoaming':
  ensure => present,
  value  => 'no',
}

Commit that code and promote it to the environments you need to remediate. Use Event Inspection in the Puppet Enterprise GUI to ensure the remediation has been deployed to all the necessary systems.

Please note this setting will affect new client connections and only protects sessions originating from the host with this setting. It's unclear if the attack can be used for current connections.

Updating the package

In addition to disabling the roaming feature, it’s a good idea to keep the openssh client package up to date. If you’re using a Forge module to manage SSH, refer to the module’s documentation on how to define the package version that should be enforced. Otherwise, you can ensure the up-to-date version of the package is installed across vulnerable systems using the package resource:

package { 'openssh-clients':
  ensure => '6.6.1p1-22',
}

Please check with your distribution for the proper version.

Carl Caum is a senior technical marketing manager at Puppet Labs.


Nice work!

But, what if I don't have a PE installation?

Thanks!

Everything shown here doesn't require PE, except for the bit about using event inspection to verify the remediation. Assuming you use r10k, the Puppetfile addition and Puppet code will work fine with open source. Assuming you have MCollective running, you can use the mco command to inspect your vulnerability state.
