Security firm Qualys has identified a zero-day vulnerability in OpenSSH clients that could allow a malicious server to steal private user keys, according to an eWeek article.
The vulnerability is present in all OpenSSH client versions released since March 7, 2010 (versions 5.4 through 7.1).
Since this zero-day vulnerability has had almost six years in the wild, it is very likely to have been exploited already, according to Qualys.
The vulnerability involves experimental code for a feature called “roaming.” Roaming would allow a session to be paused and later resumed from another computer or location.
Roaming is a very popular feature in iTivity where it has been available since its inception in 2002.
In OpenSSH, the server-side code was never completed, but the client-side code was shipped enabled by default. Since the feature was never fully implemented, it was never documented, and users would not know to turn it off.
On January 14, 2016, the OpenSSH project released an updated version 7.1p that patches the flaw. In the Qualys advisory, Linux users are urged to update to the new client immediately and regenerate all user keys.
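As an added example (not code from the article, Qualys or the OpenSSH project), the shell functions below check a client version banner against the affected 5.4 through 7.1 range named above and check whether a client configuration already disables roaming. The `UseRoaming no` directive is the undocumented client option the Qualys advisory recommended for hosts that could not be upgraded at once; the sample banner and configuration are constructed.

```shell
#!/bin/sh
# Added example, not from the article: triage an OpenSSH client for the
# roaming flaw described above. Only the major.minor release number is
# compared (affected range 5.4 .. 7.1). The fixed release is also a 7.1
# build, so a "yes" for 7.1 means: confirm the patch level and update.

# is_affected "<output of ssh -V>" -> prints yes, no or unknown
is_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    set -- $ver
    major=$1; minor=$2
    if { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; } \
       || [ "$major" -eq 6 ] \
       || { [ "$major" -eq 7 ] && [ "$minor" -le 1 ]; }; then
        echo yes
    else
        echo no
    fi
}

# roaming_disabled "<ssh_config text>" -> prints yes if an uncommented
# "UseRoaming no" line is present (keywords are case-insensitive).
roaming_disabled() {
    if printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no([[:space:]]|$)'; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample inputs so the script runs stand-alone. On a real
# host use:  ssh -V 2>&1   and   cat /etc/ssh/ssh_config ~/.ssh/config
SAMPLE_BANNER='OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13, OpenSSL 1.0.1f 6 Jan 2014'
SAMPLE_CONFIG='Host *
    # UseRoaming no
    SendEnv LANG LC_*'

echo "client in affected range:     $(is_affected "$SAMPLE_BANNER")"
echo "roaming disabled in config:   $(roaming_disabled "$SAMPLE_CONFIG")"
```

A commented-out directive, as in the sample configuration, leaves roaming enabled, which is why the check requires an uncommented line.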