Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

how can I tell if my cpanel ssh is patched?

Discussion in 'Security' started by scottw, Aug 17, 2010.

  1. scottw

    scottw Registered

    Joined:
    Aug 17, 2010
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    I just ran a PCI vulnerability scan on my system and it came up with the following CVEs: CVE-2006-5051, CVE-2006-5052 (both of these are related to OpenSSH versions prior to 4.4).

    I'm pretty sure that, being 4 years old, OpenSSH has been patched. My ssh version:

    # ssh -v
    OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

    and RPMs installed:

    # rpm -qa | grep -i ssh
    openssh-clients-4.3p2-41.el5
    openssh-4.3p2-41.el5
    openssh-server-4.3p2-41.el5

    My question: how can I tell if I'm *really* vulnerable or not? I can look at the CVE database which lists packages and their signatures, but I don't know of a way to get a signature from a package that's already installed. Is there a way? Or is there a more reliable way to tell if I'm patched?

    Scott
     
  2. cPanelJared

    cPanelJared Technical Analyst

    Joined:
    Feb 25, 2010
    Messages:
    1,835
    Likes Received:
    20
    Trophy Points:
    143
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    rpm -q --changelog

    The --changelog argument to the rpm command will let you query installed packages to see the changelog. This will let you see which CVEs have had patches applied.

    Code:
    # rpm -q --changelog openssl
    * Fri Mar 12 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.6
    - fix CVE-2009-3245 - add missing bn_wexpand return checks (#570924)
    
    * Thu Mar 04 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.5
    - fix CVE-2010-0433 - do not pass NULL princ to krb5_kt_get_entry which
      in the RHEL-5 and newer versions will crash in such case (#569774)
    This can generate a very long list covering the entire history of the package, so you may want to pipe the output to a file then read the file using less:

    Code:
    # rpm -q --changelog openssl > openssl.changelog
    # less openssl.changelog
    Due to the way Red Hat manages version numbers (and CentOS follows), the version number is not always updated when a CVE is patched, so it is necessary to read the changelog to find proof that a patch was applied.

    If you have a specific CVE number, as you do, you can use grep to check quickly to see if it is mentioned in the changelog:

    Code:
    # rpm -q --changelog openssh > openssh.changelog
    # grep CVE-2006-5051 openssh.changelog 
    - CVE-2006-5051 - don't call cleanups from signal handler (#208459)
    # grep CVE-2006-5052 openssh.changelog 
    - fix an information leak in Kerberos password authentication (CVE-2006-5052)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. scottw

    scottw Registered

    Joined:
    Aug 17, 2010
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    perfect

    Just what I was looking for—thanks!

    Is there a similar command or site for built-in packages (such as Apache)?
     
  4. cPanelJared

    cPanelJared Technical Analyst

    Joined:
    Feb 25, 2010
    Messages:
    1,835
    Likes Received:
    20
    Trophy Points:
    143
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Only for RPM packages

    This technique will only work for services that are installed via RPM package, such as MySQL, Pure-FTPd, ProFTPd, Exim, Courier-IMAP and Dovecot. Since Apache is built from source, not installed via RPM package, on a cPanel server, the rpm database will have no information about it.

    You can see the list of modules compiled into Apache using the following command:

    Code:
    # /usr/local/apache/bin/httpd -l
    You can get version information about Apache using the following command:

    Code:
    # /usr/local/apache/bin/apachectl status
    You can see the configure command used to compile PHP, and all extensions included and configured settings, using the following command:

    Code:
    # php -i
    The output is usually lengthy, so I recommend redirecting it to a file. It is the same as creating the following PHP script and calling it from a Web browser:

    Code:
    <?php
        phpinfo();
    ?>
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. scottw

    scottw Registered

    Joined:
    Aug 17, 2010
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    51
    CVE-2008-2939: mod_proxy_ftp

    How could I tell whether this particular CVE has been patched, then? I've found another forum post:

    Apache 2.2.10 Released - cPanel Forums

    but it applies to Apache 2.2.10 only.

    I'm running:
    Code:
    # httpd -v
    Server version: Apache/2.0.63
    Server built:   Jul 30 2010 03:17:02
    Cpanel::Easy::Apache v3.2.0 rev5158
     
  6. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,554
    Likes Received:
    9
    Trophy Points:
    168
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Re: CVE-2008-2939: mod_proxy_ftp

    Via a quick search I found the following resources that you may review regarding CVE-2008-2939:

    I believe that if you do not have mod_proxy installed in Apache/httpd then the vulnerability (CVE-2008-2939) may not apply.

    Using one of the same commands mentioned by cPanelJared you may determine if the Apache/httpd installation includes mod_proxy_ftp.
    The Apache module "mod_proxy" includes "mod_proxy_ftp" -- you may disable or remove mod_proxy altogether by unticking/unchecking its option in the Exhaustive Options list while running EasyApache to recompile Apache and PHP.

    Reference menu path and additional documentation:

    While you may use WHM to run EasyApache, you may also execute EasyApache using the following command via root SSH access:
    Code:
    # /scripts/easyapache
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice