how can I tell if my cpanel ssh is patched?

[scottw]

I just ran a PCI vulnerability scan on my system and it came up with the following CVEs: CVE-2006-5051, CVE-2006-5052 (both of these are related to OpenSSH versions prior to 4.4).

I'm pretty sure that, being 4 years old, OpenSSH has been patched. My ssh version:

# ssh -v
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

and RPMs installed:

# rpm -qa | grep -i ssh
openssh-clients-4.3p2-41.el5
openssh-4.3p2-41.el5
openssh-server-4.3p2-41.el5

My question: how can I tell if I'm *really* vulnerable or not? I can look at the CVE database which lists packages and their signatures, but I don't know of a way to get a signature from a package that's already installed. Is there a way? Or is there a more reliable way to tell if I'm patched?

Scott

[cPanelJared]

The --changelog argument to the rpm command will let you query installed packages to see the changelog. This will let you see which CVEs have had patches applied.

Code:

# rpm -q --changelog openssl
* Fri Mar 12 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.6
- fix CVE-2009-3245 - add missing bn_wexpand return checks (#570924)

* Thu Mar 04 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.5
- fix CVE-2010-0433 - do not pass NULL princ to krb5_kt_get_entry which
  in the RHEL-5 and newer versions will crash in such case (#569774)

This can generate a very long list covering the entire history of the package, so you may want to pipe the output to a file then read the file using less:

Code:

# rpm -q --changelog openssl > openssl.changelog
# less openssl.changelog

Due to the way Red Hat manages version numbers (and CentOS follows), the version number is not always updated when a CVE is patched, so it is necessary to read the changelog to find proof that a patch was applied.

If you have a specific CVE number, as you do, you can use grep to check quickly to see if it is mentioned in the changelog:

Code:

# rpm -q --changelog openssh > openssh.changelog
# grep CVE-2006-5051 openssh.changelog 
- CVE-2006-5051 - don't call cleanups from signal handler (#208459)
# grep CVE-2006-5052 openssh.changelog 
- fix an information leak in Kerberos password authentication (CVE-2006-5052)

[scottw]

Just what I was looking for—thanks!

Is there a similar command or site for built-in packages (such as Apache)?

[cPanelJared]

This technique will only work for services that are installed via RPM package, such as MySQL, Pure-FTPd, ProFTPd, Exim, Courier-IMAP and Dovecot. Since Apache is built from source, not installed via RPM package, on a cPanel server, the rpm database will have no information about it.

You can see the list of modules compiled into Apache using the following command:

Code:

# /usr/local/apache/bin/httpd -l

You can get version information about Apache using the following command:

Code:

# /usr/local/apache/bin/apachectl status

You can see the configure command used to compile PHP, and all extensions included and configured settings, using the following command:

Code:

# php -i

The output is usually lengthy, so I recommend redirecting it to a file. It is the same as creating the following PHP script and calling it from a Web browser:

Code:

<?php
    phpinfo();
?>

[scottw]

How could I tell whether this particular CVE has been patched, then? I've found another forum post:

Apache 2.2.10 Released - cPanel Forums

but it applies to Apache 2.2.10 only.

I'm running:

Code:

# httpd -v
Server version: Apache/2.0.63
Server built:   Jul 30 2010 03:17:02
Cpanel::Easy::Apache v3.2.0 rev5158

[cPanelDon]

How could I tell whether this particular CVE has been patched, then? I've found another forum post:

Apache 2.2.10 Released - cPanel Forums

but it applies to Apache 2.2.10 only.

I'm running:

Code:

# httpd -v
Server version: Apache/2.0.63
Server built:   Jul 30 2010 03:17:02
Cpanel::Easy::Apache v3.2.0 rev5158

Via a quick search I found the following resources that you may review regarding CVE-2008-2939:

• Common Vulnerabilities and Exposures (CVE) - CVE-2008-2939
• National Vulnerability Database (NVD) - CVE-2008-2939
• Apache httpd 2.2 vulnerabilities - The Apache HTTP Server Project
• Apache httpd 2.0 vulnerabilities - The Apache HTTP Server Project

I believe that if you do not have mod_proxy installed in Apache/httpd then the vulnerability (CVE-2008-2939) may not apply.

Using one of the same commands mentioned by cPanelJared you may determine if the Apache/httpd installation includes mod_proxy_ftp.

You can see the list of modules compiled into Apache using the following command:

Code:

# /usr/local/apache/bin/httpd -l

The Apache module "mod_proxy" includes "mod_proxy_ftp" -- you may disable or remove mod_proxy altogether by unticking/unchecking its option in the Exhaustive Options list while running EasyApache to recompile Apache and PHP.

Reference menu path and additional documentation:

• WHM: Main >> Software >> EasyApache (Apache Update) >> Exhaustive Options
• Apache & cPanel/WHM (EasyApache3) >> The Options Lists

While you may use WHM to run EasyApache, you may also execute EasyApache using the following command via root SSH access:

Code:

# /scripts/easyapache