Scan Alert finds cpanel insecure, They found several issues which need to be addressed

EdRooney

hired a company (Scan Alert) to monitor the website for vulnerabilities. They found several issues which need to be addressed.

1. OpenSSH < 3.2.1 - AFS/Kerberos Performing Ticket/Token Passing Back

Workaround:
Even in this scenario, the vulnerability may be avoided by enabling 'UsePrivilegeSeparation'. This is done by editing the sshd_config file in /etc/ssh (depending on your OS, the config file may be located elsewhere on the server). When you have completed the change, it should look like this:
UsePrivilegeSeparation yes
You must restart sshd after making any changes to the sshd_config file.
Solution:
Upgrade to the latest version of OpenSSH. Most software vendors have their own updated versions.

2. OpenSSH < 3.3 - Challenge-Response Buffer Overflow
Solution: Upgrade to the latest version of OpenSSH.
Disabling the 'ChallengeResponseAuthentication' and 'PAMAuthenticationViaKbdInt' options and restarting sshd is a short-term workaround.
To enable privilege separation, the following configuration option must be in the sshd_config file (often located at /etc/ssh/sshd_config):
UsePrivilegeSeparation yes
Restart OpenSSH.
Note that this configuration change may break some processes. Given the risk, it is advised that privilege separation be enabled regardless. If this is impossible, OpenSSH should be disabled or blocked until a patch is available.

3. OpenSSH Buffer Management Vulnerabilities
Solution:Workaround:
* Enable PrivilegeSeparation in the sshd_config file.
* Restart SSH. A workaround for Cisco systems is located here:
http://www.securityfocus.com/bid/8628/solution/
Solution:
Upgrade to OpenSSH 3.7.1 or newer. The following link contains specific vendor information relating to upgrades:
http://www.securityfocus.com/bid/8628/solution/
If your vendor was not listed, please contact them directly for a patch, or at the very least, implement the aforementioned workaround.
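
An added example, not part of the original post or the scanner's report: a shell audit that checks an sshd_config for the three workaround settings the report names. The function names and the sample config are constructed for illustration; an unset keyword is flagged rather than assumed safe.

```shell
#!/bin/sh
# sshd uses the first value it finds for a keyword and matches keywords
# case-insensitively, so the audit reads the file the same way.

# effective_value FILE KEYWORD -> prints the first value set (lowercased), or nothing
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                      # skip comment lines
        { sub(/[ \t]*=[ \t]*/, " ") }            # accept "Keyword=value" as well
        tolower($1) == "match" { exit }          # simplification: ignore conditional blocks
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> one line per setting; return status = number of findings
audit_sshd_config() {
    findings=0
    while read -r key wanted; do
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$wanted" ]; then
            echo "OK    $key $got"
        else
            echo "CHECK $key is '${got:-unset}', report asks for '$wanted'"
            findings=$((findings + 1))
        fi
    done <<EOF
UsePrivilegeSeparation yes
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no
EOF
    return "$findings"
}

# Constructed sample config (not from the original post).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Port 22
useprivilegeseparation yes
ChallengeResponseAuthentication yes
#PAMAuthenticationViaKbdInt no
UsePrivilegeSeparation no
EOF
audit_sshd_config "$sample" || echo "findings: $?"
```

On a real host, point it at the live file (often /etc/ssh/sshd_config) and restart sshd after any change, as the report says.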
 

chirpy

They're all wrong. RedHat backports the fixes into their stable distribution. This is a common problem with poor automated checking solutions that don't take into account your OS.
 

dezignguy

What OS are you using? Below 3.2.1 is pretty old...

RHEL 3 OpenSSH is at 3.6.1p2 - with the backported fixes.
 

StevenC

Yeah, as chirpy said, they are all wrong; however, Nessus 2.2 looks promising. It has the ability to log in to a server and check patches.