SSH 6.4

Mon, 01/20/2014 - 19:34
katir


We are running VirtualMin/WebMin on CentOS Linux 6.4

Our PCI Compliance auditing company is flagging SSH 5.3 as a vulnerability and requesting that we update to 6.4.

The RPM logs are not showing us any interim patches that we can identify that would apply to the CVEs, which are pretty old:

CVE-2010-4478 CVE-2012-5000

We just grepped the rpm logs for "SSH", so perhaps we are missing the relevant patches that apply to the vulnerabilities. CVEs appear all the way through ssh 5.8, so I don't understand why we are seeing this only now. I realize that CentOS continues to report the old version numbers, even as it continues to update the packages to meet ongoing security issues.

I thought for sure that for last quarter's audit we had "fixed" these somehow... but Webmin is not showing any suggested updates to SSH beyond 5.3.

Your thoughts?

Mon, 01/20/2014 - 22:26
andreychek

Howdy,

This is a similar issue to the Apache one you brought up a couple of years ago:

https://virtualmin.com/node/21347

You are using the most recent packages available to your CentOS version. There isn't a newer SSH package. RHEL and CentOS backport security fixes into the packages they ship with their distro -- so the version you have there contains all the security fixes available.

Regarding the two CVEs you mentioned --

Googling "CVE-2010-4478", I ran across the following RHEL bug report on that CVE, which says that the RHEL/CentOS version of SSH isn't vulnerable to that particular problem:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4478

The second one you mentioned is "CVE-2012-5000". However, that doesn't appear to be an SSH vulnerability, it refers to a vulnerability in a PHP application.

However, you may have meant "CVE-2011-5000", which is SSH related.

That was fixed with a recent SSH package provided by RHEL, there are details on that here:

https://rhn.redhat.com/errata/RHSA-2012-0884.html

Tue, 01/21/2014 - 13:43
katir

Yes, I realize that this is similar to my previous query. The only problem is that the auto system updates pushed by Virtualmin from RedHat/CentOS are not covering the latest vulnerability.

Mellissa at Security Metrics says that there are recent holes that need to be updated and to see:

https://rhn.redhat.com/errata/RHSA-2013-0519.html

So, what to do? To date, I have never had to actually implement these myself manually. Typically I can send the RPM logs to Security Metrics and they say "Yeah... you're good to go," where 5.3p1-84 indicates 84 patches that have covered the vulnerabilities; they accept this as "evidence," and our site passes the PCI audit.

Can we expect VirtualMin to auto update with some new SSH patch soon? or we need to do this ourselves?

Tue, 01/21/2014 - 14:22
andreychek

Howdy,

All bugfixes and security updates for RHEL/CentOS packages would be through RHEL and CentOS -- Virtualmin does its best not to provide packages that are built and maintained by the various distros.

I'm a little confused though, as the link that you mentioned above is an example of an SSH security issue that has been resolved in CentOS.

That issue is a fairly old one (about a year old), and there's been a CentOS SSH packaged released to handle that.

They're up to SSH version "5.3p1-94" now.

Perhaps we should be verifying what SSH version you have there -- what is the output of this command:

rpm -qa | grep openssh
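
The two things an auditor can actually be shown on a backporting distro are (a) that the installed openssh-server release is at or past the release the errata names, and (b) that the package changelog names the CVE. The script below is an added example, not code from the thread or from Virtualmin; the `rpm -qa` lines and changelog excerpt are constructed so it runs offline, and the release comparison is a deliberately simplified stand-in for rpm's own `rpmvercmp` (use `rpmdev-vercmp` from rpmdevtools on a real box). On a live system the two inputs come from `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'` and `rpm -q --changelog openssh-server`.

```shell
#!/bin/sh
# Added example: verify a backported OpenSSH fix on RHEL/CentOS 6.
# Inputs on a real system:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' | grep openssh
#   rpm -q --changelog openssh-server
# Everything below is constructed sample data so the script runs offline.

# Constructed "rpm -qa" output, matching the versions quoted in the thread.
SAMPLE_RPM_QA='openssh-clients-5.3p1-84.1.el6.x86_64
openssh-server-5.3p1-84.1.el6.x86_64
openssh-5.3p1-84.1.el6.x86_64
libssh2-1.4.2-1.el6.x86_64'

# Constructed changelog excerpt in rpm's changelog layout (entries, names
# and addresses are placeholders, not the real package history).
SAMPLE_CHANGELOG='* Mon Jan 01 2013 Example Packager <packager@example.com> - 5.3p1-84
- fix CVE-2011-5000 (constructed entry)
* Mon Jan 01 2012 Example Packager <packager@example.com> - 5.3p1-70
- rebase to 5.3p1 (constructed entry)'

# Print VERSION-RELEASE for one package name from rpm -qa style input,
# e.g. "5.3p1-84.1.el6" for openssh-server. The leading digit after the
# name keeps "openssh" from matching "openssh-clients".
pkg_vr() {   # $1 = package name; stdin = rpm -qa output
  sed -n "s/^$1-\([0-9][^-]*-[^-]*\)\.[a-z0-9_]*$/\1/p" | head -n 1
}

# Simplified release comparison: dot-separated numeric segments, left to
# right; non-numeric segments such as "el6" count as 0. NOT rpmvercmp.
# Prints "older", "same" or "newer" for $1 relative to $2.
release_cmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    sa=${a%%.*}; if [ "$sa" = "$a" ]; then a=''; else a=${a#*.}; fi
    sb=${b%%.*}; if [ "$sb" = "$b" ]; then b=''; else b=${b#*.}; fi
    case $sa in ''|*[!0-9]*) sa=0;; esac
    case $sb in ''|*[!0-9]*) sb=0;; esac
    if [ "$sa" -lt "$sb" ]; then echo older; return; fi
    if [ "$sa" -gt "$sb" ]; then echo newer; return; fi
  done
  echo same
}

# Exit 0 if the changelog on stdin names the CVE as a whole token
# (so CVE-2011-5000 does not match CVE-2011-50001).
cve_in_changelog() {   # $1 = CVE id
  grep -q -i -E -- "(^|[^0-9])$1([^0-9]|$)"
}

# Full check. Returns 0 when the installed release is at/after the required
# one AND the changelog names the CVE; 1 when either fails; 2 when the
# package is missing or the upstream version differs (compare by hand).
check_fix() {   # $1 pkg  $2 required VERSION-RELEASE  $3 CVE  $4 rpm -qa text  $5 changelog text
  pkg=$1; need=$2; cve=$3; qa=$4; log=$5
  have=$(printf '%s\n' "$qa" | pkg_vr "$pkg")
  if [ -z "$have" ]; then echo "$pkg: not installed"; return 2; fi
  if [ "${have%-*}" != "${need%-*}" ]; then
    echo "$pkg: version ${have%-*} differs from ${need%-*}; compare by hand"; return 2
  fi
  rel=$(release_cmp "${have##*-}" "${need##*-}")
  if [ "$rel" = older ]; then
    echo "$pkg-$have: older than $need, run yum update"; return 1
  fi
  if printf '%s\n' "$log" | cve_in_changelog "$cve"; then
    echo "$pkg-$have: at/after $need and changelog names $cve"; return 0
  fi
  echo "$pkg-$have: release is fine but $cve is not in the changelog; check the errata"; return 1
}

# Demonstration on the constructed data: first against the release already
# installed (passes), then against the newer 5.3p1-94 release (reports older).
check_fix openssh-server 5.3p1-84.1.el6 CVE-2011-5000 "$SAMPLE_RPM_QA" "$SAMPLE_CHANGELOG" || :
check_fix openssh-server 5.3p1-94.el6   CVE-2011-5000 "$SAMPLE_RPM_QA" "$SAMPLE_CHANGELOG" || :
```

The changelog grep is the piece auditors usually want: a bare `grep -i ssh` of the rpm log (what the first post describes) never shows CVE numbers, while `rpm -q --changelog openssh-server | grep CVE-` lists every CVE the maintainers recorded against the backported package.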

Tue, 01/21/2014 - 14:30
katir

OK, so it's not via VM... it comes from RHEL/CentOS... understood.

Confusion: yeah, that's the problem.

With rpm -qa | grep openssh we are only showing:

openssh-clients-5.3p1-84.1.el6.x86_64 Tue 14 May 2013 09:49:27 PM PDT
openssh-server-5.3p1-84.1.el6.x86_64 Tue 14 May 2013 09:49:26 PM PDT
openssh-5.3p1-84.1.el6.x86_64 Tue 14 May 2013 09:47:10 PM PDT
libssh2-1.4.2-1.el6.x86_64 Tue 14 May 2013 09:44:41 PM PDT

and nothing new since May... so why we are not getting the auto update between

5.3p1-84.1 --> 5.3p1-94 ??

is mysterious.

Tue, 01/21/2014 - 15:20
andreychek

What output do you receive if you run this command on the command line:

yum update

Tue, 01/21/2014 - 15:49
katir

Ha! Too easy:

I always worry about upgrades, but I ran yum update and said "Y", so I hope nothing breaks!

but we now see...

(161/219): openssh-clients-5.3p1-94.el6.x86_64.rpm | 402 kB 00:00
(162/219): openssh-server-5.3p1-94.el6.x86_64.rpm | 311 kB 00:00

Holding my breath as the cleanup/verifying just finished... are we supposed to reboot the box?

I see a lot of updates! (431)

Wed, 01/22/2014 - 03:53
Locutus

Updating things usually doesn't require a reboot, only when you get a new kernel or similar. Updating SSH certainly does not need a reboot, the service will simply be restarted and that's it.

Generally you should install any update that's labeled as "security patch" (if such a declaration exists in CentOS - it does in Ubuntu).

On my system, I have the unattended-upgrades package install all updates automatically that are labeled security updates. The rest I do manually from time to time -- if in doubt, after taking a snapshot of the virtual machine running my hosting system (I use VMware virtualization).

Wed, 01/22/2014 - 16:00
katir

Good advice Locutus... Thanks

I'll check to see if there's a security patch "filter" for updates on CentOS.