Ssh – Help updating OpenSSH to v6.6

opensshssh

My system is vulnerable to OpenSSH Wildcards on AcceptEnv Vulnerability, CVE-2014-2532.

I have tried to update openssh to version 6.6 for centos but I can not get repository[sic] for that version.

/EDIT/
PCI-DSS compliance is a driving factor for this question.

Best Answer

The PCI requirement is to:

ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.

Just randomly downloading unsupported alternative software versions is not what you should be doing...

The Vendor Response is:

The Red Hat Security Response Team has rated this issue as having Low security impact, a future update may address this flaw.

So no Red Hat fix for now and therefore no CentOS fix either.

The reason for that Low Risk assessment is because the default configuration that is shipped by Red Hat and CentOS does not include wildcard (*) AcceptEnv values.

Now the question is, are you vulnerable because you changed the vendor supplied defaults? If so, can you remove/rewrite your custom AcceptEnv wildcards making your system secure again?

Or is the auditor just triggered by the openssh software version number are you not really vulnerable at all?

Because the latter happens all the time...

Related Solutions

Linux – Run Privileged Command on Successful SSH Login

You can do this using PAM and the pam_exec.so module.

You simply add a line to /etc/pam.d/sshd to the 'session' section such as the following:

session    optional    pam_exec.so /usr/local/bin/ipset-ssh

Where ipset-ssh is some script you create.

The script will be run as root. You can get the client's IP address with the PAM_RHOST variable. You'll also want to check the PAM_TYPE variable as your script will be executed both on login, and logout. On login PAM_TYPE will be set to open_session. On logout it's set to close_session.

Here is the complete list of variables that I get from a simple test (I put env > /tmp/pamenv in script):

PAM_SERVICE=sshd
PAM_RHOST=127.0.0.1
GNOME_KEYRING_CONTROL=/home/phemmer/.cache/keyring-vJUUda
PAM_USER=phemmer
PWD=/
GNOME_KEYRING_PID=19742
SHLVL=1
PAM_TYPE=open_session
PAM_TTY=ssh
_=/usr/bin/env

Your script could be as simple as:

#!/bin/bash
[[ "$PAM_TYPE" == "open_session" ]] && ipset add whitelist $PAM_RHOST

Ssh – downside to enabling X11 forwarding in ssh

When writing about this topic, I recommend reading through this paper:

http://www.giac.org/paper/gcih/571/x11-forwarding-ssh-considered-harmful/104780

It describes the consequences of letting ForwardX11 option turned on by default in really nice and prosaic way.

But to sum this up, yes, you should turn this off by default and let it on only for trusted servers where you actually need it in your local ~/.ssh/config file.

Untrusted machine is basically each machine, where somebody else has a root access, because that root can access your whole local X11 session, which is basically a thing you don't want from server in remote data-center or for internet facing machine that could be compromised.

Best Answer

Related Solutions

Linux – Run Privileged Command on Successful SSH Login

Ssh – downside to enabling X11 forwarding in ssh

Related Question