OpenSSH

Discussion in 'General Discussion' started by MediaEnterprise, Sep 6, 2005.

  1. MediaEnterprise

    Joined:
    Sep 6, 2005
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Any idea when the OpenSSH/OpenSSL will be upgraded?

    I just failed a PCI Certification scan with Trustwave.com due to OpenSSH being outdated. This is listed as a MAJOR vulnerability and must be upgraded/corrected to move forward with the Certification.

    Therefore I am wondering when cPanel is planning to release an upgrade for this.

    Thank you in advance for all your responses and assistance.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's more than likely a false positive, as those external tests are very much prone to be. It also has nothing to do with cPanel. A simple search would have thrown up this thread yesterday, which has a link to a more detailed explanation:
    http://forums.cpanel.net/showthread.php?t=43596
     
  3. MediaEnterprise

    Joined:
    Sep 6, 2005
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    I just got off the phone with Trustwave and they stated it is definitely not a false positive.

    Here are the details they provided:

    -------------------------------------------------------------------
    OpenSSH Buffer Mgmt Error
    Severity: 4 - High

    Description: OpenSSH versions prior to 3.7.1 have several vulnerabilities which can allow an attacker to execute arbitrary code on the targeted server.
    Remediation: Upgrade to a current and secure version of OpenSSH.
    --------------------------------------------------------------------

    Please advise what can be done to move forward as I have another scan scheduled for today.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It almost definitely is. What OS and version are you running?
     
  5. MediaEnterprise

    Joined:
    Sep 6, 2005
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Here is my server info:

    -------------------------------------
    Operating system Linux
    Kernel version 2.4.21-27.0.4.ELsmp
    Machine Type i686
    Apache version 1.3.33 (Unix)
    PERL version 5.8.6
    Path to PERL /usr/bin/perl
    Path to sendmail /usr/sbin/sendmail
    PHP version 4.3.11
    MySQL version 4.1.11-standard
    cPanel Build 10.2.0-RELEASE 82
    Theme cPanel X v2.5.0
    --------------------------------------------
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Then it's RedHat Enterprise v3 and I'm afraid the software company is simply wrong. As I mentioned in the linked thread, RedHat has always back-ported security fixes into stable releases of applications and even more so with the Enterprise class OS's that they now offer. The versions of OpenSSL and OpenSSH that come with RHE have been patched as necessary. You should certainly be sure that up2date is working on the server, but otherwise it is definitely a false-positive.
     
  7. MediaEnterprise

    Joined:
    Sep 6, 2005
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    So I guess I should just wait for the second scan to take place today and see if it passes, correct?

    Is it possible that a false positive can occur 2 times in a row?

    Just want to make sure I get past this Security scan so that I can move forward with other issues.

    Thanks for your SUPER FAST assistance Chirpy! :)
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If their software is not intelligent enough to check the installed rpm versions of the software and take into account the running OS, then I suppose it could just as easily fail again. The latest version of OpenSSH that ships with RHE3 is openssh-3.6.1p2-33.30.4. If the check persists in incorrectly detecting this as a vulnerable version then they really need to understand how RedHat software support works - what it most likely is doing is simply connecting to the openssh port on the server and making an assumption, which is completely incorrect.
     
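    An added example (not code from the thread, cPanel or Trustwave) that makes concrete the point chirpy raises here and in post #6: a scanner that only reads the upstream version out of the SSH banner will flag RHEL3's backported openssh-3.6.1p2-33.30.4, while a check against the installed package's own changelog tells you whether the fix is present. The banner and changelog text are constructed; on a real host they would come from the server and from `rpm -q --changelog openssh-server`.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel/Trustwave.
# It contrasts the banner-only logic chirpy describes with a check
# against the installed package. Banner and changelog are constructed.

# True if dotted numeric version $1 sorts before $2 (e.g. 3.6.1 < 3.7.1).
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# The scanner's logic: pull the upstream version out of the SSH banner and
# flag anything below the first fixed upstream release named in the report.
banner_says_vulnerable() {          # $1 = banner, $2 = fixed upstream version
    ver=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2       # not OpenSSH at all: cannot judge from banner
    ver_lt "$ver" "$2"
}

# Host-aware logic: the vendor release carries the backported fix, so ask the
# package database. On a real RHEL3 host the text would come from
#   rpm -q --changelog openssh-server
# and the installed release from
#   rpm -q openssh-server
changelog_has_fix() {               # $1 = changelog text, $2 = pattern for the fix
    printf '%s\n' "$1" | grep -qi -- "$2"
}

# Combine both views into a verdict a scan appeal could be built on.
assess() {                          # $1 = banner, $2 = fixed version, $3 = changelog, $4 = pattern
    rc=0
    banner_says_vulnerable "$1" "$2" || rc=$?
    case $rc in
        2) echo unknown ;;          # banner is not OpenSSH; version logic does not apply
        1) echo not-flagged ;;      # upstream version at or above the fixed release
        0) if changelog_has_fix "$3" "$4"; then echo false-positive; else echo vulnerable; fi ;;
    esac
}

# Constructed sample data (not the real Red Hat changelog).
SAMPLE_BANNER='SSH-2.0-OpenSSH_3.6.1p2'
SAMPLE_CHANGELOG='* 3.6.1p2-33.30.4 Example Maintainer <maint@example.invalid>
- backport upstream fix for the buffer management error (constructed entry)
* 3.6.1p2-33.30.3 Example Maintainer <maint@example.invalid>
- rebuild'

echo "banner $SAMPLE_BANNER vs upstream 3.7.1: $(assess "$SAMPLE_BANNER" 3.7.1 "$SAMPLE_CHANGELOG" 'buffer management')"
```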
  9. MediaEnterprise

    Joined:
    Sep 6, 2005
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Thank you!

    I will contact them and notify them of the situation/issue.

    Hopefully they understand the details and can resolve the problem.

    I will post an update once I receive any information. Thanks again!
     
  10. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    I'm interested to see what they have to say about this too.

    Since it's not uncommon for large companies to disregard technical details in preference of established (but possibly incorrect) procedures and practices, you may have a hard time convincing them and I wish you luck!
     
  11. MediaEnterprise

    Joined:
    Sep 6, 2005
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Just spoke with Trustwave.com and they were quite helpful.

    They stated that the scan more than likely simply checked the OpenSSH version which caused the scan to fail. As long as the server has been patched, everything should be ok.

    They instructed me to file an appeal (standard procedure) and that someone would thoroughly look into the matter and resolve the issue within 24 hours.

    They also stated that if the server has been patched, that is not a problem and they will be able to see this and approve my site as being secure.

    I will post again the results of the appeal.

    I guess they should update their scanning software to check for patches as well as versions. This has caused a great amount of confusion & stress for myself and my business.

    Thanks again Chirpy....I appreciate it!
     
  12. MediaEnterprise

    Joined:
    Sep 6, 2005
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Quick update....

    Trustwave.com has repealed the scan and changed the status from a FAILED to a PASS.

    Thanks again Chirpy....it was in fact, a False Positive and you were 100% correct regarding the RedHat issue.

    I would imagine this issue will affect a lot of people so I am glad this thread will be available to assist them.

    Take care!
    Martin
     
  13. VexT

    VexT Active Member

    Joined:
    Nov 15, 2003
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Ah, Redhat backporting. The bane of so many so-called server security auditors. Thought it was funny that we had to educate ScanAlert about that.
     
  14. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Hi Martin,

    Glad to be able to help and that you got your server cleared :)
     