SOLVED PCI DSS scan fails OpenSSH

vpswing

Member
Jun 4, 2014
14
2
3
cPanel Access Level
Root Administrator
Hi,

My server is running the WHM/cPanel v78.0.23 on latest version of CentOS 7.6

The PCI-DSS scan fails for the SSH security with the following message/recommendation:

Threat Reference:
The OpenSSH OPIE for PAM vulnerability was posted to
[Full Disclosure: Re: OpenSSH - System Account Enumeration if S/Key is used] OPIE for PAM vulnerability in OpenSSH.
The OpenSSH process_open function vulnerability was posted to
[https://www.openssh.com/txt/release-7.6] OpenSSH release 7.6.
The OpenSSH - Authentication Attempt Processing vulnerability was posted to
[OpenSSH Authentication Attempt Processing Lets Remote Users Determine Valid Usernames on the Target System - SecurityTracker] Alert ID=1041487.
For more information on the SCP client multiple vulnerabilities, see
[https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt] SCP client multiple vulnerabilities.
The multiple vulnerabilities fixed in version 7.5 was posted to
[http://www.openssh.com/txt/release-7.5] OpenSSH 7.5 release announcement.

Problem:
OpenSSH - User Account Enumeration if OPIE for PAM is used

01/29/18
CVE 2007-2768
OpenSSH version prior to 4.6, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP).
OpenSSH process_open function vulnerability

01/23/18
CVE 2017-15906
The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
OpenSSH - Authentication Attempt Processing vulnerability

08/16/18
CVE 2018-15473
OpenSSH version prior to 7.7 is affected by an authentication Attempt Processing which could let remote users determine valid usernames on the target system. SCP client multiple vulnerabilities

01/14/19
CVE 2018-20685
CVE 2019-6109
CVE 2019-6110
CVE 2019-6111

OpenSSH through 7.9 are susceptible to a malicious SCP server performing unauthorized changes to target directory and/or client output manipulation:
SCP client improper directory name validation.
SCP client missing received object name validation.
SCP client spoofing via object name.
SCP client spoofing via stderr.

Multiple vulnerabilities fixed in version 7.5
03/22/17
OpenSSH 7.5 fixed multiple vulnerabilities, including
a path-traversal attack vulnerability in sftp-client on Cygwin to create or modify files outside of the intended target directory and to conduct padding oracle attacks against CBC mode encryption, which may eventually lead to decrypt messages in certain cases.

Impact:
This document describes some vulnerabilities in the OpenSSH cryptographic login program. Outdated versions of OpenSSH may allow a malicious user to log in as another user, to insert arbitrary commands into a session, to gain remote root access to the OpenSSH server, or to elevate privileges.

Resolution:
Upgrade to [OpenSSH] OpenSSH version higher than 7.9, or install a fix from your operating system vendor.
----------------------------------------
Does cPanel have a fix for this? Or do I need to manually install/upgrade OpenSSH to version 8?
I'd rather not do anything manual/outside of cPanel as that usually cause problems down the road.

Thanks!
 
Last edited by a moderator:

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,543
208
343
Chesapeake, VA
cPanel Access Level
DataCenter Provider
I would suggest doing neither. cPanel does not actually provide the openssh packages they are coming from Redhat (via Centos) so cPanel is not able to update this themselves.

You can use a comand like this

rpm -q --changelog openssh | grep CVE 2007-2768

To check to see if a particular CVE has been patched. On one of my servers running the same OS version I am not seeing where it is.

However, my recommendation would be to close SSH in your firewall in any event on a system that needs PCI certification.
 

vpswing

Member
Jun 4, 2014
14
2
3
cPanel Access Level
Root Administrator
> However, my recommendation would be to close SSH in your firewall in any event on a system that needs PCI certification.

This may be a silly question ... but if SSH is closed/blocked via Firewall, how does one connect to it then?

Thanks!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,911
2,234
363
Hello @vpswing,

It appears your PCI compliance provider is only checking the OpenSSH package's version number and isn't checking to see if the specific vulnerabilities are applicable to the specific operating system and RPMs installed on your system.

You should report a false positive to your PCI compliance provider and ask them if there's any specific information they need to prove the false positive.

Thank you.