OpenSSH J-PAKE Session Key Retrieval Vulnerability

Discussion in 'Security' started by DamienWebb, Nov 13, 2013.

  1. DamienWebb (Member)

    Via Qualys PCI Compliance I have the following two items failing for my web server:


    Code:
    Bugtraq ID:	45304
    CVE ID:	CVE-2010-4478
    Vendor Reference:	OpenSSH J-PAKE
    Last Update:	03/01/2013 at 17:10:16
    Threat:
    OpenSSH is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol.
    
    OpenSSH, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol. This allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
    
    Affected Software:
    OpenSSH versions 5.6 and prior.
    
    Impact:
    Successful exploitation allows attacker to get access to the remote system.
    
    Solution:
    Upgrade to OpenSSH 5.7 or later, available from the OpenSSH Web site.
    
    Result:
    SSH-2.0-OpenSSH_5.3
    And

    Code:
    Web Server Uses Plain Text Basic Authentication
    QID:	86763
    Severity:	2   Vulnerability Severity 2
    CVSS Base:	5    AV:N/AC:L/Au:N/C:P/I:N/A:N
    CVSS Temporal:	3.8    E:U/RL:U/RC:UC
    PCI Compliance Status:	FAIL    Info
    The QID adheres to the PCI requirements based on the CVSS basescore.
    Category:	Web server
    Port/Service:	2077 / Web server (tcp)
    False Positive:	N/A
    Bugtraq ID:	-
    CVE ID:	-
    Vendor Reference:	-
    Last Update:	05/11/2009 at 15:17:19
    Threat:
    During Web server authentication, communication can take place with the user by Clear Text User Credentials.
    
    Impact:
    Using Readable Clear Text can help eavesdropping and thereby compromise confidentiality. An attacker can successfully exploit this issue when the 401 error is returned when authentication is required. Also, an attacker can find out that the Basic Authentication scheme is used using the WWW-authenticate header.
    
    Solution:
    Please contact the vendor of the hardware/software for a possible fix for the issue.

    Questions are: how can I upgrade OpenSSH on CentOS 6.4 x86_64, and how do I fix "Web Server Uses Plain Text Basic Authentication"?

    I can't figure it out, any help would be awesome!
     
  2. Infopro (cPanel Sr. Product Evangelist, Staff Member)

  3. DamienWebb (Member)

    Following this guide helped me upgrade to OpenSSH 6.2 from 5.3 (default):

    ptudor.net/linux/openssh/
     
    #3 DamienWebb, Nov 13, 2013
    Last edited by a moderator: Sep 16, 2015
  4. quizknows (Well-Known Member)

    Regarding that 2010 OpenSSH CVE, it is a false positive and does not affect CentOS 6.

    https://access.redhat.com/security/cve/CVE-2010-4478

    "Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 4, 5, or 6."

    You should be able to get that waived by providing your PCI vendor that link and your OS release version.

    As a general rule of thumb, do NOT upgrade OpenSSH, OpenSSL, or BIND on CentOS systems. 99% of things that PCI vendors flag are already fixed via back-ports and just need to be appealed as such. The Red Hat site is a good resource, or you can dump the RPM change log to prove that the issue is patched.

    Port 2077 (your 2nd issue) is Web Disk. Hardly anyone uses that, and I recommend just closing the firewall port or disabling the service entirely on PCI compliant systems. Just go to WHM, Service Manager, and disable "DAV" (cpdavd).
     
    #4 quizknows, Nov 13, 2013
    Last edited: Nov 13, 2013
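    As an added example (my own script, not something posted in this thread), here is a POSIX shell check for the "dump the RPM change log to prove it is patched" step quizknows describes. On the real host the changelog comes from `rpm -q --changelog openssh`; the script reads it from stdin so it can run offline. The changelog text embedded below is a constructed sample with a placeholder CVE id, not the real OpenSSH package changelog, and the banner parser only shows that `SSH-2.0-OpenSSH_5.3` carries the upstream version alone, which is all the scanner keyed on.

```shell
#!/bin/sh
# Added example, not from the thread: prove a distro back-port to a scanner
# that only looks at the SSH banner version.
#
# On a CentOS 6 host the real input is:
#     rpm -q --changelog openssh | cve_in_changelog CVE-XXXX-YYYY
# Here a constructed changelog (placeholder CVE id, not a real advisory)
# stands in for that output.

SAMPLE_CHANGELOG='* Thu Jan 01 2013 Constructed Sample <sample@example.invalid> - 5.3p1-0.constructed
- fix CVE-0000-1234 (constructed placeholder entry, not a real CVE)
- backport upstream hardening (constructed entry)
'

# banner_version BANNER: the upstream version string in an SSH banner.
# "SSH-2.0-OpenSSH_5.3" -> "5.3". The distro release (the part that changes
# with each back-port) is not in the banner, which is why scanners misfire.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^SSH-2\.0-OpenSSH_\([0-9.]*\).*/\1/p'
}

# cve_in_changelog CVE-ID: reads changelog text on stdin, prints matching
# lines, exit 0 if the id appears and 1 otherwise.
cve_in_changelog() {
    grep -i -F -- "$1"
}

# backport_status CVE-ID: reads changelog on stdin and prints a one-word
# verdict. "not-in-changelog" is not the same as vulnerable: if the vendor
# says the shipped version never contained the bug (as Red Hat does for the
# CVE in this thread) there is nothing to back-port and nothing to log.
backport_status() {
    if cve_in_changelog "$1" >/dev/null; then
        echo "patched-by-backport"
    else
        echo "not-in-changelog"
    fi
}

# Stand-alone demonstration on the constructed sample.
echo "banner reports upstream version: $(banner_version 'SSH-2.0-OpenSSH_5.3')"
printf '%s' "$SAMPLE_CHANGELOG" | backport_status CVE-0000-1234
printf '%s' "$SAMPLE_CHANGELOG" | backport_status CVE-0000-9999
```

    When appealing a finding, attach the matching changelog lines together with the output of `cat /etc/redhat-release` and `rpm -q openssh`; the scanner's evidence is only the banner, and the package release is what shows the fix.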
  5. inetbizo (Well-Known Member)

  6. Infopro (cPanel Sr. Product Evangelist, Staff Member)

  7. inetbizo (Well-Known Member)

  8. cPanelMichael (Forums Analyst, Staff Member)

  9. inetbizo (Well-Known Member)

  10. cPanelMichael (Forums Analyst, Staff Member)

    For instance, which specific failures are you receiving in your PCI compliance scan results for FTP and Web Disk when using the default settings?

    Thank you.
     
  11. inetbizo (Well-Known Member)

    Michael, are you asking me? If so, I can authorize CP to talk w/ Liquidweb, Inc. about my PCI ticket and all the changes we've had to make above the defaults. Massive changes at that.
     
  12. cPanelMichael (Forums Analyst, Staff Member)

    I don't believe updating the document is a good idea for the FTP and Web Disk services because some of those changes may result in connection issues for certain customers. That being said, you are welcome to post specific documentation requests here and we can forward those requests to our documentation team.

    Thank you.
     
  13. inetbizo (Well-Known Member)

    The documentation is for PCI compliance. You know as well as I that DSS recently changed their requirements, such as removing RC4 ciphers. The only one that may have an issue is TLS v1.0. You can at least annotate the June 30, 2016 deadline and the suggested settings.
     
  14. cPanelMichael (Forums Analyst, Staff Member)

    For instance, could you post the PCI compliance scan results for the FTP and Web Disk services that were failures? Also, which specific changes did you make to address the issue for those services that you would like documented?

    Thank you.
     
    inetbizo likes this.
  15. inetbizo (Well-Known Member)

    I've asked Liquidweb, Inc. to respond to this thread to assist with the answer for all CP ports where we had to change the cipher, X-Frame-Options, etc.
     
  16. inetbizo (Well-Known Member)

    Current Apache Pre-Virtual-Host
    Code:
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
    Current FTP TLS Cipher Configuration
    Code:
    HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!TLSv1:!SSLv2:!SSLv3
    Current Webdisk Cipher Configuration
    Code:
    ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH
    Current Mail Server Cipher Configuration
    Code:
    ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
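    As an added example (my own script, not something posted in this thread), here is a small POSIX shell linter that runs over the four cipher strings above, copied verbatim, and reports what a scanner is likely to flag: suites named explicitly whose name shows RC4, 3DES (DES-CBC3), MD5, NULL or export-grade crypto, exclusions written as `!X+Y` (in OpenSSL cipher-list syntax `+` inside an item means AND, so such an exclusion removes only suites matching both X and Y), and 3DES suites listed without a `!3DES` exclusion (the `!DES` keyword removes single-DES suites only). Keywords such as HIGH, MEDIUM and ALL expand to suites the linter cannot see by name, so `openssl ciphers -v '<string>'` on the host remains the authoritative check.

```shell
#!/bin/sh
# Added example, not from the thread: lint OpenSSL-style cipher strings for
# items a PCI scanner commonly flags. The inputs are the four configurations
# posted above; names of functions below are mine.

APACHE_SUITES='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'
FTP_SUITES='HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!TLSv1:!SSLv2:!SSLv3'
WEBDISK_SUITES='ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH'
MAIL_SUITES='ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2'

# tokens STRING: one cipher-list item per line.
tokens() { printf '%s\n' "$1" | tr ':' '\n'; }

# positive_tokens STRING: items that add suites (no "!" or "-" prefix).
positive_tokens() { tokens "$1" | grep -v '^[!-]' || true; }

# flag_named_weak_suites STRING: positive items whose name shows RC4, 3DES
# (DES-CBC3), MD5, NULL or export-grade crypto. Keywords like HIGH are not
# expanded here; use "openssl ciphers -v" for that.
flag_named_weak_suites() {
    positive_tokens "$1" | grep -E 'RC4|DES-CBC3|3DES|MD5|NULL|EXP' || true
}

# partial_exclusions STRING: exclusions of the form !X+Y. "+" means AND, so
# !RC4+RSA removes RC4 only with RSA key exchange; ECDHE-RSA-RC4-SHA, for
# example, is not removed and can come back in through MEDIUM or ALL.
partial_exclusions() {
    tokens "$1" | grep -E '^!.*\+' || true
}

# missing_3des_exclusion STRING: "yes" when a DES-CBC3 suite is named but no
# "!3DES" item is present. "!DES" covers single DES only, not DES-CBC3.
missing_3des_exclusion() {
    if positive_tokens "$1" | grep -q 'DES-CBC3' && ! tokens "$1" | grep -q '^!3DES$'; then
        echo yes
    else
        echo no
    fi
}

# report NAME STRING: human-readable summary for one configuration.
report() {
    name=$1
    suites=$2
    echo "== $name =="
    echo "named weak suites:"
    flag_named_weak_suites "$suites" | sed 's/^/  /'
    echo "partial exclusions (!X+Y):"
    partial_exclusions "$suites" | sed 's/^/  /'
    echo "3DES named without !3DES: $(missing_3des_exclusion "$suites")"
}

report Apache "$APACHE_SUITES"
report FTP "$FTP_SUITES"
report "Web Disk" "$WEBDISK_SUITES"
report Mail "$MAIL_SUITES"
```

    On the Apache string the linter reports the three DES-CBC3 suites and that `!3DES` is absent; on the mail string it reports `!RC4+RSA` as a partial exclusion. The FTP and Web Disk strings name nothing weak explicitly, but each relies on HIGH, so what they actually enable depends on the OpenSSL build on the host.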
     