OpenSSH J-PAKE Session Key Retrieval Vulnerability

DamienWebb

Member
Nov 4, 2013
9
0
1
cPanel Access Level
Root Administrator
Via Qualys PCI Compliance I have the two following failing for my web server:


Code:
Bugtraq ID:	45304
CVE ID:	CVE-2010-4478
Vendor Reference:	OpenSSH J-PAKE
Last Update:	03/01/2013 at 17:10:16
Threat:
OpenSSH is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol.

OpenSSH, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol. This allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.

Affected Software:
OpenSSH versions 5.6 and prior.

Impact:
Successful exploitation allows attacker to get access to the remote system.

Solution:
Upgrade to OpenSSH 5.7 or later, available from the OpenSSH Web site.

Result:
SSH-2.0-OpenSSH_5.3
And

Code:
Web Server Uses Plain Text Basic Authentication
QID:	86763
Severity:	2   Vulnerability Severity 2
CVSS Base:	5    AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Temporal:	3.8    E:U/RL:U/RC:UC
PCI Compliance Status:	FAIL    Info
The QID adheres to the PCI requirements based on the CVSS basescore.
Category:	Web server
Port/Service:	2077 / Web server (tcp)
False Positive:	N/A
Bugtraq ID:	-
CVE ID:	-
Vendor Reference:	-
Last Update:	05/11/2009 at 15:17:19
Threat:
During Web server authentication, communication can take place with the user by Clear Text User Credentials.

Impact:
Using Readable Clear Text can help eavesdropping and thereby compromise confidentiality. An attacker can successfully exploit this issue when the 401 error is returned when authentication is required. Also, an attacker can find out that the Basic Authentication scheme is used using the WWW-authenticate header.

Solution:
Please contact the vendor of the hardware/software for a possible fix for the issue.

Questions are, how can I upgrade OpenSSH on CentOS 6.4 x86_64, and how do I fix "Web Server Uses Plain Text Basic Authentication"

I can't figure it out, any help would be awesome!
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Regarding that 2010 openssh CVE, it is a flase positive and does not affect centos6.

https://access.redhat.com/security/cve/CVE-2010-4478

"Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 4, 5, or 6."

You should be able to get that waived by providing your PCI vendor that link and your OS release version.

As a general rule of thumb, do NOT upgrade OpenSSH, OpenSSL, or BIND on centOS systems. 99% of things that PCI vendors flag are already fixed via back-ports and just need to be appealed as such. The Redhat site is a good resource, or you can dump the RPM change log to prove that the issue is patched.

port 2077 (your 2nd issue) is webdisk. Hardly anyone uses that, and I recommend just closing the firewall port or disabling the service entirely on PCI compliant systems. Just go to WHM, service manager, and disable "DAV" (cpdavd).
 
Last edited:

inetbizo

Well-Known Member

inetbizo

Well-Known Member

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363

inetbizo

Well-Known Member

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
For instance, which specific failures are you receiving in your PCI compliance scan results for FTP and Web Disk when using the default settings?

Thank you.
 

inetbizo

Well-Known Member
For instance, which specific failures are you receiving in your PCI compliance scan results for FTP and Web Disk when using the default settings?

Thank you.
Michael are you asking me? If so, I can authorize CP to talk w/ Liquidweb, inc. about my PCI ticket and all the changes we've had to make above the defaults. Massive changes at that.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
I don't believe the updating the document is a good idea for the FTP and Web Disk services because some of those changes may result connection issues for certain customers. That being said, you are welcome to post specific documentation requests here and we can forward those requests to our documentation team.

Thank you.
 

inetbizo

Well-Known Member
The documentation is for PCI compliance. You know as well as I that DSS recently changed their requirements such as removing RC4 ciphers. The only one that may have issue is TLS v1.0 You can at least annotate the June 30, 2016 deadline and the suggested settings.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
For instance, could you post the PCI compliance scan results for the FTP and Web Disk services that were failures? Also, which specific changes did you make to address the issue for those services that you would like documented?

Thank you.
 
  • Like
Reactions: inetbizo

inetbizo

Well-Known Member
For instance, could you post the PCI compliance scan results for the FTP and Web Disk services that were failures? Also, which specific changes did you make to address the issue for those services that you would like documented? Thank you.
I've asked Liquidweb, inc. to respond to this thread to assist with the answer to all CP ports we had to change the cipher, x-frame options, etc.
 

inetbizo

Well-Known Member
For instance, could you post the PCI compliance scan results for the FTP and Web Disk services that were failures? Also, which specific changes did you make to address the issue for those services that you would like documented? Thank you.
Current Apache Pre-Virtual-Host
Code:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
Current FTP TLS Cipher Configuration
Code:
HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!TLSv1:!SSLv2:!SSLv3
Current Webdisk Cipher COnfiguration
Code:
ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH
Current Mail Server Cipher Configuration
Code:
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2