Openssh 6.7 P1

Posted on  by



  1. Openssh 6.7 P1 Exploit
  2. Openssh 6.7 P1005
  3. Openssh 6.7 P1102w

Many of us developers or system administrators use OpenSSH’s public key authentication (aka password-less login) on a daily basis. The mechanism works based on public key cryptography: By adding a RSA/DSA public key to the authorizedkeys file, the user with the matching private key can login without a password. The mechanism works great for a. OpenSSH 6.7 was released on 2014-10-06. Mirrors listed at OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed. Is an rlogin / rsh-like client program except it uses an encrypted protocol sshd. Is a daemon that listens for ssh login requests ssh-add. Is a tool which adds keys to the ssh-agent. Is an authentication agent that can store private keys ssh-copy-id.

Legend: Spread means how many repository families (e.g. All Debian versions are a single family) contain this package.; newest #repos - newest known version. The number shows how many repository families have this version. Devel - newest known devel (or unstable) version. There may be both devel and newest versions for a given package. Introduction to OpenSSH The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network. The ssh and scp commands are secure implementions of telnet and rcp respectively. This package is known to build and work properly using an LFS-7.7 platform.

Table of Contents

  • Overview
  • What is backporting?
  • OpenSSL
  • SSLCipherSuite
  • OpenSSH
  • The SSH daemon
  • Exim
  • Simple Mail Transfer Protocol
  • Backported CVEs
  • FTP
  • TLS
  • Bind
  • BIND CVE-2011-4313
  • Hide the BIND Version
  • Hide the DNS Server Hostname
  • Mailman
  • Insecure Cookie configuration
  • RPC Portmapper

Table of Contents

  • Overview
  • What is backporting?
  • OpenSSL
  • SSLCipherSuite
  • OpenSSH
  • The SSH daemon
  • Exim
  • Simple Mail Transfer Protocol
  • Backported CVEs
  • FTP
  • TLS
  • Bind
  • BIND CVE-2011-4313
  • Hide the BIND Version
  • Hide the DNS Server Hostname
  • Mailman
  • Insecure Cookie configuration
  • RPC Portmapper

Last modified: November 10, 2020

Overview

Most PCI compliance scanning systems use a specific software package version number that contains a reported vulnerability. This document discusses some of the specific software packages that contain known vulnerabilities. This document will also help you determine whether developers used the backport process to patch a software package.

The system transmits insecure cookies when a previous set of cookies expire. Insecure cookies replace any invalid cookies and help ensure that a cPanel & WHM login does not result in a redirect loop. For PCI compliance, the system reports this as a false positive because the system requires a secure SSL connection.

What is backporting?

The backport process allows the operating system vendor to change only the parts of the software that the security vulnerability affected. In this way, it avoids the introduction of new features that the developers did not test. This process does not increment the version number. Instead, the developers attach a flag to the package.

Operating system developers often backport updates to avoid the need to distribute a new version of the software package.

5+deb8u4

For example, an operating system developer may combine OpenSSL 0.9.7c with a patch from OpenSSL 0.9.7.d to create OpenSSL 0.9.7c-2. If most PCI scanning systems look for OpenSSL version 0.9.7d or higher, they may incorrectly show OpenSSL 0.9.7c-2 as vulnerable. In this case, you would inform the PCI compliance company that you use a backported version of the software package, which its developers patched for the vulnerability. Your PCI compliance company can then record your software version and mark a false positive in the scan results.

OpenSSL

Many different system services and packages use OpenSSL. To check your OpenSSL installation for backporting, perform the following steps:

  1. Determine which OpenSSL package exists on your system. To do this, run the following command:

    The following example output indicates that your server runs version openssl-0.9.8e-36 of OpenSSL:

  2. To check the RPM change log for vulnerability fixes that the version includes, run the following command:

  3. The RPM change log may include fixes for the CVEs that your PCI compliance scanning company requires. If these fixes appear, inform them of the patched version and which CVEs it includes so that they can mark it as a false positive.

SSLCipherSuite

The SSLCipherSuite directive in the Global Configuration section of WHM’s Apache Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration) defaults to a PCI-compliant value as of cPanel & WHM version 66.

If you want to adjust the SSLCipherSuite directive, we recommend that you generate a Cipher configuration with Mozilla’s SSL configuration generator.

If you have adjusted the SSLCipherSuite directive’s value and the PCI compliance scans of port 443 do not pass, reset the SSLCipherSuite directive in the Global Configuration section of WHM’s Apache Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration) to the default setting.

OpenSSH

To determine which OpenSSH package exists on your system, run the following command:

The output may resemble the following example:

This output indicates that openssh-5.3pl-94.e16 exists as your OpenSSH version. This OpenSSH version may result in a PCI scan that returns the following two vulnerabilities:

  • OpenSSH J-PAKE Session Key Retrieval Vulnerability — This issue does not affect OpenSSH as shipped with RedHat Enterprise Linux® (RHEL) versions 6 and 7. For more information, read CVE-2010-4478 on RedHat’s web site.

  • OpenSSH 'child_set_env()' Security Bypass Issue — This issue minimally impacts security and does not pose a severe risk to most systems. Even though this OpenSSH version 6.6 addressed this issue, the RHEL repositories do not contain this updated version. If you wish to update OpenSSH to the new version, you must install it manually.

If the OpenSSH package 6.6.1p1-35.el7_3 exists on your server, your output will resemble the following example:

Exploit

This OpenSSH package contains a vulnerability that affects the way it handles authentication by users who do not exist on the system. To mitigate this issue, enable the Security-Enhanced Linux (SELinux) security module that ships with RHEL versions 6 and 7.

For more information about this vulnerability, read CVE-2016-6210 on RedHat’s Website.

The SSH daemon

PCI compliance requires the SSH daemon (sshd) to support strong hashtag algorthms. When reviewing a PCI scan, one of the common issues is that the SSHD supports weak hashing algorithms. More often than not, this issue can occur when a server is using the default SSHD settings. To solve this issue, perform the following steps:

  1. Log in to the server as the root user via SSH.

  2. Open the /etc/ssh/sshd_config file with a text editor.

  3. Add the following lines to the file:

  4. Restart the SSH daemon. To do this, run the following command:

  5. Rescan your server with your account on the PCI company’s website.

Exim

cPanel & WHM includes patches that help to make Exim PCI-compliant. The RPM change log includes information about these patches.

Simple Mail Transfer Protocol

PCI Compliance requires email client encryption. Your email client provides SSL and TLS encryption. To confirm your server’s SMTP transactions remain encrypted, perform the following steps as the root user:

  1. Navigate to the Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager).

  2. Enable the Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server. option.

    As of cPanel & WHM version 66, this option defaults to On.

  3. Click Save.

  4. Navigate to the Mailserver Configuration interface (WHM >> Home >> Service Configuration >> Mailserver Configuration)

  5. Set the Allow Plaintext Authentication (from remote clients) option to No.

  6. Click Save.

Backported CVEs

To view the CVE-related fixes in your version of Exim, run the following command:

The output will display the CVE number, for example:

To report the CVE fixes that your Exim installation includes, send the output that reflects the patched software to your PCI scanning company.

Openssh 6.7 P1 Exploit

FTP

We strongly recommend that you disable FTP services and use SFTP, SCP, or WebDisk for file transfers.

If you cannot disable FTP services, we recommend that you use WHM’s FTP Server Selection interface (WHM >> Home >> Service Configuration >> FTP Server Selection) to configure your server to use ProFTPD.

Then, use WHM’s FTP Server Configuration interface (WHM >> Home >> Service Configuration >> FTP Server Configuration) to configure ProFTPD to use to use the following TLS cipher suite:

TLS

PCI compliance requires that your server run TLS version 1.2 or greater. For more information, read the Security Standards Council’s® Date Change for Migrating from SSL and Early TLS article and our deprecated documentation.

Bind

Although cPanel & WHM does not create BIND, all cPanel & WHM servers servers include BIND by default. Vendor updates will typically resolve PCI compliance issues.

BIND CVE-2011-4313

The BIND change log does not show CVE-2011-4313 directly. Instead, the change log shows under RHEL #754398.

Run the following command to test for the presence of this fix:

Your output should resemble the following example:

To report the CVE fixes that your BIND installation includes, send the output that reflects the patched software to the PCI scanning company.

Hide the BIND Version

To become PCI compliant, you must hide the BIND version on your server.

To do this, perform the following steps:

  1. Connect to the server via SSH as the root user.

  2. Edit the /etc/named.conf file and add the following line of code to the options section:

  3. Use the following command to restart BIND:

  4. Rescan your server with your account on the PCI company’s website.

Hide the DNS Server Hostname

To become PCI compliant, you must hide your DNS server’s hostname.

Openssh 6.7 P1

To do this, perform the following steps:

  1. Connect to the server via SSH as the root user.

  2. Edit /etc/named.conf and add the following line of code to the options section:

  3. Use the following command to restart BIND:

  4. Rescan your server with your account on the PCI company’s website.

Openssh 6.7 p1102

Mailman

You can completely disable Mailman when you scan for PCI Compliance.

Openssh 6.7 P1005

To disable Mailman, perform the following steps:

  1. Log in to WHM as the root user.

  2. In the Mail section of the Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings), set the Enable Mailman mailing lists setting to Off.

  3. Click Save.

If you do not want to disable Mailman, perform the following steps to pass a PCI Compliance scan:

  1. Log in to to the server as the root user via SSH.

  2. Create the following file to deny web requests for Mailman:

    The contents of the file should appear similar to the following example:

  3. Rescan your server with your account on the PCI company’s website.

Insecure Cookie configuration

During a PCI compliance scan, your system may indicate that your web applications contain insecure cookies If your system contains insecure cookies, you may see the following error:

Openssh

To fix this error, perform the following steps:

  1. Navigate to WHM’s Include Editor interface (WHM >> Home >> Service Configuration >> Apache Configuration >> Include Editor)

  2. Select the Pre VirtualHost Include option.

  3. From the Select an Apache Version menu, select Select all versions.

  4. Enter the following content in the available text box and click Update:

RPC Portmapper

The RPC portmapper server converts RPC program numbers into TCP/IP protocol port numbers. An attacker may use it to enumerate RPC services. You must disable RPC portmapper on your server to become PCI compliant.

To check RPC portmapper’s status, run the following command:

If you receive no output, then your system is not PCI compliant.

If RPC services (such as NFS) are not used/needed on this machine, stop and disable this service. Otherwise, you will need to filter traffic to this port to allow access only from trusted machines.

Do not remove the package/rpm Doing so could cause other issues as there are a number of dependencies against it. The quota rpm for example is a dependency of rpcbind. Remove rpcbind and you’ll remove quota support too.

Openssh 6.7 P1102w

Additional Documentation