
KB-6131: Is the Centrify ssh client affected by OpenSSH vulnerabilities CVE-2016-0777 and CVE-2016-0778?

Authentication Service

12 April 2016 at 10:57 AM

Applies To:

Centrify-enabled OpenSSH 5.3.0 and lower on all platforms


Is the ssh client bundled with Centrify-enabled OpenSSH affected by vulnerabilities CVE-2016-0777 and CVE-2016-0778 and if so how are they being addressed?


CVE-2016-0777 and CVE-2016-0778 are in the OpenSSH client's undocumented "roaming" feature, which is enabled by default. Roaming was intended to let a client resume an interrupted connection; the server side was never released, but the client code remained. A malicious server, or a legitimate server that has been compromised, can advertise roaming support and trigger that code when the client connects. CVE-2016-0777 lets such a server read uninitialized client memory, which can include the user's private key material; CVE-2016-0778 is a buffer overflow in the same code path. Because Centrify-enabled OpenSSH ships the upstream ssh client, it is affected. The sshd server is not affected, so no server-side change is needed. The CVSS score is 4.3; exploitation requires the client to connect to a server under the attacker's control, which limits the practical risk.

Roaming can be turned off on the client, which removes the exposure without an upgrade. Add the following line to ssh_config (the system-wide file or ~/.ssh/config), placing it before any Host block so it applies to every host:

    UseRoaming no

or pass it on the command line for a single session:

    ssh -oUseRoaming=no user@host

Note that the option is spelled UseRoaming; a misspelling such as UseRoam is rejected by ssh as a bad configuration option and the workaround is not applied.
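The following script applies that workaround to an ssh_config file in an idempotent way. It is an added example, not Centrify's own tooling or code from this article: it assumes the config file path is passed as the first argument (for instance /etc/ssh/ssh_config, or the Centrify-enabled client's own ssh_config, whose location is not given here and must be checked on your system), and it inserts the directive at the top of the file because ssh takes the first value it sees for each option.

```sh
#!/bin/sh
# Added example (not Centrify's own tooling or code from the original
# article): apply the "UseRoaming no" workaround to an ssh_config file.
# Assumption: the target file is passed as the first argument; the exact
# path of the Centrify-enabled client's ssh_config is not given by the
# article and must be verified on your system.

# has_roaming_disabled FILE
# Succeeds if FILE already contains an active "UseRoaming no" directive.
# Matching is case-insensitive because ssh keyword matching is, and leading
# whitespace is allowed because ssh_config permits indented directives.
has_roaming_disabled() {
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no([[:space:]]|$)' "$1"
}

# disable_roaming FILE
# Prepends "UseRoaming no" to FILE unless it is already present. The
# directive goes at the top, before any Host or Match block, because ssh
# uses the first value it obtains for each option; a line appended after a
# "Host somehost" block would apply only to that host.
disable_roaming() {
    cfg="$1"
    [ -f "$cfg" ] || : > "$cfg"
    if has_roaming_disabled "$cfg"; then
        return 0
    fi
    tmp="$cfg.tmp.$$"
    {
        printf '# Workaround for CVE-2016-0777 / CVE-2016-0778: disable client roaming\n'
        printf 'UseRoaming no\n'
        cat "$cfg"
    } > "$tmp" && mv "$tmp" "$cfg"
}

# roaming_directive_count FILE
# Prints how many UseRoaming lines FILE contains (used to confirm that
# running disable_roaming twice does not duplicate the directive).
roaming_directive_count() {
    grep -Eic '^[[:space:]]*UseRoaming' "$1" || true
}

# Usage: sh disable_roaming.sh /path/to/ssh_config
# With no argument the functions are only defined, so the file can be sourced.
if [ -n "${1-}" ]; then
    disable_roaming "$1"
    echo "roaming disabled in $1 (UseRoaming directives: $(roaming_directive_count "$1"))"
fi
```

The file is rewritten through a temporary copy and renamed into place, so a partially written config is never left behind; run it as root for the system-wide file, and keep a backup of the original before changing a production client configuration.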

These vulnerabilities are fixed upstream in OpenSSH 7.1p2, which disables the roaming feature. Centrify will adopt that OpenSSH release in the next release of Centrify Server Suite, 2016.1; until then, use the UseRoaming workaround above.

For further reference:

(All external links are provided as a courtesy)

