hired a company (Scan Alert) to monitor the website for vulnerabilities. They found several issues which need to be addressed.
1.OpenSSH < 3.2.1 - AFS/Kerberos Performing Ticket/Token Passing Back
Workaround:
Even in this scenario, the vulnerability may be avoided by enabling 'UsePrivilegeSeparation'. This is done by editing the sshd_config file in /etc/ssh (depending on your os, the config file maybe located elsewhere on the server). When you have completed the change, it should look like this:
UsePrivilegeSeparation yes
You must restart sshd after making any changes to the sshd_config file.
Solution:
Upgrade to the latest version of OpenSSH. Most software vendors have their own updated versions.
2.OpenSSH < 3.3 - Challenge-Response Buffer Overflow
Solution:Upgrade to the latest version of OpenSSH.
Disabling the 'ChallengeResponseAuthentication' and 'PAMAuthenticationViaKbdInt' options and restarting sshd is a short-term workaround.
To enable privilege separation, the following configuration option must be in the sshd_config file (often located at /etc/ssh/sshd_config):
UsePrivilegeSeparation yes
Restart OpenSSH.
Note that this configuration change may break some processes. Given the risk, it is advised that privilege separation be enabled regardless. If this is impossible, OpenSSH should be disabled or blocked until a patch is available.
3. OpenSSH Buffer Management Vulnerabilities
Solution:Workaround:
* Enable PrivilegeSeparation in the sshd_config file.
* Restart SSH. A workaround for Cisco systems is located here:
http://www.securityfocus.com/bid/8628/solution/
Solution:
Upgrade to OpenSSH 3.7.1 or newer. The following link contains specific vendor information relating to upgrades:
http://www.securityfocus.com/bid/8628/solution/
If your vendor was not listed, please contact them directly for a patch, or at the very least, implement the aforementioned workaround.
1.OpenSSH < 3.2.1 - AFS/Kerberos Performing Ticket/Token Passing Back
Workaround:
Even in this scenario, the vulnerability may be avoided by enabling 'UsePrivilegeSeparation'. This is done by editing the sshd_config file in /etc/ssh (depending on your os, the config file maybe located elsewhere on the server). When you have completed the change, it should look like this:
UsePrivilegeSeparation yes
You must restart sshd after making any changes to the sshd_config file.
Solution:
Upgrade to the latest version of OpenSSH. Most software vendors have their own updated versions.
2.OpenSSH < 3.3 - Challenge-Response Buffer Overflow
Solution:Upgrade to the latest version of OpenSSH.
Disabling the 'ChallengeResponseAuthentication' and 'PAMAuthenticationViaKbdInt' options and restarting sshd is a short-term workaround.
To enable privilege separation, the following configuration option must be in the sshd_config file (often located at /etc/ssh/sshd_config):
UsePrivilegeSeparation yes
Restart OpenSSH.
Note that this configuration change may break some processes. Given the risk, it is advised that privilege separation be enabled regardless. If this is impossible, OpenSSH should be disabled or blocked until a patch is available.
3. OpenSSH Buffer Management Vulnerabilities
Solution:Workaround:
* Enable PrivilegeSeparation in the sshd_config file.
* Restart SSH. A workaround for Cisco systems is located here:
http://www.securityfocus.com/bid/8628/solution/
Solution:
Upgrade to OpenSSH 3.7.1 or newer. The following link contains specific vendor information relating to upgrades:
http://www.securityfocus.com/bid/8628/solution/
If your vendor was not listed, please contact them directly for a patch, or at the very least, implement the aforementioned workaround.
