how can I tell if my cpanel ssh is patched?

scottw

I just ran a PCI vulnerability scan on my system and it came up with the following CVEs: CVE-2006-5051, CVE-2006-5052 (both of these are related to OpenSSH versions prior to 4.4).

I'm pretty sure that, being 4 years old, OpenSSH has been patched. My ssh version:

# ssh -v
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

and RPMs installed:

# rpm -qa | grep -i ssh
openssh-clients-4.3p2-41.el5
openssh-4.3p2-41.el5
openssh-server-4.3p2-41.el5

My question: how can I tell if I'm *really* vulnerable or not? I can look at the CVE database which lists packages and their signatures, but I don't know of a way to get a signature from a package that's already installed. Is there a way? Or is there a more reliable way to tell if I'm patched?

Scott
 

JaredR.

rpm -q --changelog

The --changelog argument to the rpm command will let you query installed packages to see the changelog. This will let you see which CVEs have had patches applied.

Code:
# rpm -q --changelog openssl
* Fri Mar 12 2010 Tomas Mraz <[email protected]> 0.9.8e-12.6
- fix CVE-2009-3245 - add missing bn_wexpand return checks (#570924)

* Thu Mar 04 2010 Tomas Mraz <[email protected]> 0.9.8e-12.5
- fix CVE-2010-0433 - do not pass NULL princ to krb5_kt_get_entry which
  in the RHEL-5 and newer versions will crash in such case (#569774)

This can generate a very long list covering the entire history of the package, so you may want to pipe the output to a file then read the file using less:

Code:
# rpm -q --changelog openssl > openssl.changelog
# less openssl.changelog

Due to the way Red Hat manages version numbers (and CentOS follows), the version number is not always updated when a CVE is patched, so it is necessary to read the changelog to find proof that a patch was applied.

If you have a specific CVE number, as you do, you can use grep to check quickly to see if it is mentioned in the changelog:

Code:
# rpm -q --changelog openssh > openssh.changelog
# grep CVE-2006-5051 openssh.changelog 
- CVE-2006-5051 - don't call cleanups from signal handler (#208459)
# grep CVE-2006-5052 openssh.changelog 
- fix an information leak in Kerberos password authentication (CVE-2006-5052)
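
The changelog check described in this reply, wrapped so that several CVE IDs can be checked in one pass (an added example, not part of the original posts). The function names `check_cves` and `sample_changelog` are hypothetical, and the sample input is constructed from the two changelog lines quoted above so the script runs without an RPM database.

```shell
#!/bin/sh
# Usage on a live RPM-based host (package name taken from the thread):
#   rpm -q --changelog openssh | check_cves CVE-2006-5051 CVE-2006-5052

# check_cves (hypothetical helper): reads a changelog on stdin and reports
# whether each CVE ID given as an argument is mentioned in it.
# Returns 0 if all were found, 1 if any was missing or malformed, 2 on bad usage.
check_cves() {
    [ "$#" -gt 0 ] || { echo "usage: check_cves CVE-ID..." >&2; return 2; }
    log=$(cat)      # read the changelog once, search it once per CVE
    missing=0
    for cve in "$@"; do
        case "$cve" in
            CVE-[0-9][0-9][0-9][0-9]-[0-9]*) ;;
            *) echo "$cve invalid-id"; missing=1; continue ;;
        esac
        # -F: literal match; -w: whole word, so a longer ID sharing this prefix does not count
        if printf '%s\n' "$log" | grep -qwF -- "$cve"; then
            echo "$cve mentioned-in-changelog"
        else
            echo "$cve not-mentioned"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample input: only the two changelog entries quoted in the post.
sample_changelog() {
    cat <<'EOF'
- CVE-2006-5051 - don't call cleanups from signal handler (#208459)
- fix an information leak in Kerberos password authentication (CVE-2006-5052)
EOF
}

# Demo: CVE-0000-0000 is a placeholder ID that is deliberately absent.
sample_changelog | check_cves CVE-2006-5051 CVE-2006-5052 CVE-0000-0000 || :
```

A "not-mentioned" result only means the changelog does not name that CVE; the package may simply not be affected, so read the vendor advisory for that ID before treating it as unpatched.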
 

scottw

perfect

Just what I was looking for—thanks!

Is there a similar command or site for built-in packages (such as Apache)?
 

JaredR.

Only for RPM packages

This technique will only work for services that are installed via RPM package, such as MySQL, Pure-FTPd, ProFTPd, Exim, Courier-IMAP and Dovecot. Since Apache is built from source, not installed via RPM package, on a cPanel server, the rpm database will have no information about it.

You can see the list of modules compiled into Apache using the following command:

Code:
# /usr/local/apache/bin/httpd -l

You can get version information about Apache using the following command:

Code:
# /usr/local/apache/bin/apachectl status

You can see the configure command used to compile PHP, and all extensions included and configured settings, using the following command:

Code:
# php -i

The output is usually lengthy, so I recommend redirecting it to a file. It is the same as creating the following PHP script and calling it from a Web browser:

Code:
<?php
    phpinfo();
?>
 

scottw

CVE-2008-2939: mod_proxy_ftp

How could I tell whether this particular CVE has been patched, then? I've found another forum post:

Apache 2.2.10 Released - cPanel Forums

but it applies to Apache 2.2.10 only.

I'm running:
Code:
# httpd -v
Server version: Apache/2.0.63
Server built:   Jul 30 2010 03:17:02
Cpanel::Easy::Apache v3.2.0 rev5158
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Re: CVE-2008-2939: mod_proxy_ftp

How could I tell whether this particular CVE has been patched, then? I've found another forum post:

Apache 2.2.10 Released - cPanel Forums

but it applies to Apache 2.2.10 only.

I'm running:
Code:
# httpd -v
Server version: Apache/2.0.63
Server built:   Jul 30 2010 03:17:02
Cpanel::Easy::Apache v3.2.0 rev5158

Via a quick search I found the following resources that you may review regarding CVE-2008-2939:

I believe that if you do not have mod_proxy installed in Apache/httpd then the vulnerability (CVE-2008-2939) may not apply.

Using one of the same commands mentioned by cPanelJared you may determine if the Apache/httpd installation includes mod_proxy_ftp.
You can see the list of modules compiled into Apache using the following command:
Code:
# /usr/local/apache/bin/httpd -l

The Apache module "mod_proxy" includes "mod_proxy_ftp" -- you may disable or remove mod_proxy altogether by unticking/unchecking its option in the Exhaustive Options list while running EasyApache to recompile Apache and PHP.

Reference menu path and additional documentation:

While you may use WHM to run EasyApache, you may also execute EasyApache using the following command via root SSH access:
Code:
# /scripts/easyapache