The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

how can I tell if my cpanel ssh is patched?

Discussion in 'Security' started by scottw, Aug 17, 2010.

  1. scottw

    scottw Registered

    Joined:
    Aug 17, 2010
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    I just ran a PCI vulnerability scan on my system and it came up with the following CVEs: CVE-2006-5051, CVE-2006-5052 (both of these are related to OpenSSH versions prior to 4.4).

    I'm pretty sure that, being 4 years old, OpenSSH has been patched. My ssh version:

    # ssh -v
    OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

    and RPMs installed:

    # rpm -qa | grep -i ssh
    openssh-clients-4.3p2-41.el5
    openssh-4.3p2-41.el5
    openssh-server-4.3p2-41.el5

    My question: how can I tell if I'm *really* vulnerable or not? I can look at the CVE database which lists packages and their signatures, but I don't know of a way to get a signature from a package that's already installed. Is there a way? Or is there a more reliable way to tell if I'm patched?

    Scott
     
  2. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    rpm -q --changelog

    The --changelog argument to the rpm command will let you query installed packages to see the changelog. This will let you see which CVEs have had patches applied.

    Code:
    # rpm -q --changelog openssl
    * Fri Mar 12 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.6
    - fix CVE-2009-3245 - add missing bn_wexpand return checks (#570924)
    
    * Thu Mar 04 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.5
    - fix CVE-2010-0433 - do not pass NULL princ to krb5_kt_get_entry which
      in the RHEL-5 and newer versions will crash in such case (#569774)
    This can generate a very long list covering the entire history of the package, so you may want to pipe the output to a file then read the file using less:

    Code:
    # rpm -q --changelog openssl > openssl.changelog
    # less openssl.changelog
    Due to the way Red Hat manages version numbers (and CentOS follows), the version number is not always updated when a CVE is patched, so it is necessary to read the changelog to find proof that a patch was applied.

    If you have a specific CVE number, as you do, you can use grep to check quickly to see if it is mentioned in the changelog:

    Code:
    # rpm -q --changelog openssh > openssh.changelog
    # grep CVE-2006-5051 openssh.changelog 
    - CVE-2006-5051 - don't call cleanups from signal handler (#208459)
    # grep CVE-2006-5052 openssh.changelog 
    - fix an information leak in Kerberos password authentication (CVE-2006-5052)
     
  3. scottw

    scottw Registered

    Joined:
    Aug 17, 2010
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    perfect

    Just what I was looking for—thanks!

    Is there a similar command or site for built-in packages (such as Apache)?
     
  4. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Only for RPM packages

    This technique will only work for services that are installed via RPM package, such as MySQL, Pure-FTPd, ProFTPd, Exim, Courier-IMAP and Dovecot. Since Apache is built from source, not installed via RPM package, on a cPanel server, the rpm database will have no information about it.

    You can see the list of modules compiled into Apache using the following command:

    Code:
    # /usr/local/apache/bin/httpd -l
    You can get version information about Apache using the following command:

    Code:
    # /usr/local/apache/bin/apachectl status
    You can see the configure command used to compile PHP, and all extensions included and configured settings, using the following command:

    Code:
    # php -i
    The output is usually lengthy, so I recommend redirecting it to a file. It is the same as creating the following PHP script and calling it from a Web browser:

    Code:
    <?php
        phpinfo();
    ?>
     
  5. scottw

    scottw Registered

    Joined:
    Aug 17, 2010
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    CVE-2008-2939: mod_proxy_ftp

    How could I tell whether this particular CVE has been patched, then? I've found another forum post:

    Apache 2.2.10 Released - cPanel Forums

    but it applies to Apache 2.2.10 only.

    I'm running:
    Code:
    # httpd -v
    Server version: Apache/2.0.63
    Server built:   Jul 30 2010 03:17:02
    Cpanel::Easy::Apache v3.2.0 rev5158
     
  6. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Re: CVE-2008-2939: mod_proxy_ftp

    Via a quick search I found the following resources that you may review regarding CVE-2008-2939:

    I believe that if you do not have mod_proxy installed in Apache/httpd then the vulnerability (CVE-2008-2939) may not apply.

    Using one of the same commands mentioned by cPanelJared you may determine if the Apache/httpd installation includes mod_proxy_ftp.
    The Apache module "mod_proxy" includes "mod_proxy_ftp" -- you may disable or remove mod_proxy altogether by unticking/unchecking its option in the Exhaustive Options list while running EasyApache to recompile Apache and PHP.

    Reference menu path and additional documentation:

    While you may use WHM to run EasyApache, you may also execute EasyApache using the following command via root SSH access:
    Code:
    # /scripts/easyapache
     
Loading...

Share This Page