CentOS 6 and CVE-2016-6210

Discussion in 'Security' started by inetbizo, Jul 18, 2017.

  1. inetbizo

    inetbizo Well-Known Member

    Joined:
    Mar 28, 2008
    Messages:
    86
    Likes Received:
    1
    Trophy Points:
    58
    Location:
    New Smyrna Beach, FL US
    cPanel Access Level:
    Root Administrator
    Twitter:
    According to CVE-2016-6210 - Red Hat Customer Portal "A covert timing channel flaw was found in the way OpenSSH handled authentication of nonexistent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing information."

    Statement
    This issue in OpenSSH is mitigated by the usage of SELinux in Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

    But cPanel SELinux is OFF by recommendation.

    How best can we protect against CVE-2016-6210 in CentOS 6.x?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,424
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You can read more about this vulnerability at the following URL:

    Bug 1357442 – CVE-2016-6210 openssh: User enumeration via covert timing channel

    The best approach for mitigating this issue without using SELinux would be to migrate the accounts to a server running CentOS 7 (a patch is available in RHEL 7, and should reach CentOS 7 in the future). If that's not feasible, one mitigation technique that may decrease the potential of an attack is to disable password authentication using "WHM Home » Security Center » SSH Password Authorization Tweak" since this vulnerability relies on the attacker entering an excessively long password.

    Thank you.
     
  3. inetbizo

    Michael, what do you think about compensating controls in /etc/ssh/sshd_conf.conf?
    Code:
    MaxAuthTries 3
    from my github.com/denverprophitjr/Linux-Administration/blob/develop/etc/ssh/sshd_config#L19 repo

    If you tie this in with CSF/LFD configuration to read syslog and ban IP after the 4th attempt permanently ...
     
    #3 inetbizo, Jul 19, 2017
    Last edited by a moderator: Jul 19, 2017
  4. cPanelMichael

    Hello,

    While that may help to some extent, I don't believe this particular vulnerability relies on multiple authentication attempts. A potential attacker could use the long password on the first authentication attempt.

    Thank you.
     
  5. inetbizo

    Ugh! Pain in the butt to reharden a new server and migrate everyone! Wasn't there a feature request about duplicating all settings to a new box as a starting point? One of my very populated CP boxes IS CentOS 6 =(
     
  6. cPanelMichael

    Here's a recent thread on this topic:

    Two servers the same configuration

    Thank you.
     
  7. inetbizo

    Once migrated to CentOS 7, how should I respond to a QSV for CVE-2016-6210?
     
  8. inetbizo

    I nominate CVE-2016-6210 to go into your KB or Q/A for PCI.
     
  9. cPanelMichael

    I've opened a case with our Documentation Team (DOC-9353) to see if we can add some information about CVE-2016-6210 to the following document:

    https://documentation.cpanel.net/display/CKB/PCI+Compliance+and+Software+Version

    Thank you.

    Update: The above document is now updated to reflect information about CVE-2016-6210.
     
    #9 cPanelMichael, Aug 15, 2017
    Last edited: Sep 21, 2017
  10. inetbizo

  11. cPanelMichael

    Hello,

    It's patched in RHEL 7, however CentOS has yet to publish the patch for CentOS 7. I recommend posting to the CentOS forums for more information on this topic, as it's outside of the control of the cPanel software:

    CentOS 7 - Security Support - CentOS

    Note that I've seen reports from other users that were able to pass PCI compliance scans after setting up host access rules for the SSHd service so that connections are denied from all IP addresses except for whitelisted ones:

    Host Access Control - Documentation - cPanel Documentation

    Thank you.
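An added example, not from this thread or from cPanel: a small audit script for the sshd settings the replies above rely on (PasswordAuthentication off in post #2, MaxAuthTries in post #3), plus ChallengeResponseAuthentication, because with PAM the keyboard-interactive method still accepts passwords unless that is also off. It reproduces sshd's rule that the first value read for a keyword wins; host access rules (post #11) are assumed to be checked separately.

```python
import re

def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section only.
    sshd keeps the FIRST value it reads for a keyword and ignores later
    duplicates, so this parser does the same; directives inside Match
    blocks are skipped because they apply only to matching sessions."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment line
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)            # first occurrence wins
    return settings

def audit(text, max_tries=3):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_sshd_config(text)
    findings = []
    # sshd defaults when a keyword is absent: yes / yes / 6
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    # With UsePAM, keyboard-interactive still accepts passwords unless this is off.
    if s.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication is not 'no'")
    tries = s.get("maxauthtries", "6")
    if not tries.isdigit() or int(tries) > max_tries:
        findings.append(f"MaxAuthTries is {tries}, expected <= {max_tries}")
    return findings

# Constructed sample, not a real server's file: the second
# PasswordAuthentication line is ignored by sshd, so the audit must flag it.
SAMPLE = """\
PasswordAuthentication yes
MaxAuthTries 3
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
"""
```

On a live server, `sshd -T` run as root prints the effective configuration and is the authoritative check; the parser above is for reviewing files offline.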
     