Supposed security vulnerabilities with openssh

Support for security such as Firewalls and securing linux
Posts: 7
Joined: 2015/12/02 19:35:51

Supposed security vulnerabilities with openssh

Postby qpidity » 2016/02/05 17:55:00


We've been asked to look at several vulnerabilities that are coming up in a PCI Compliance scan and needed some advice as to a couple of warnings related to openssh, the supposed solution being to upgrade openssh.

Now I usually take these reports with a grain of salt as I realise that it's prone to false positives as on many occasions I've found that the vulnerability doesn't indeed exist due to Redhat's backporting of patches/updates. On this particular occasion I can't see that that has been done and so I need to remediate this issue asap.

This is the output from the scan:
Security Hole found on port/service "22 / tcp / ssh
OpenSSH < 6.9 Multiple Vulnerabilities
The SSH server running on the remote host is affected by multiple vulnerabilities
According to its banner, the version of OpenSSH running on the remote host is prior to 6.9. It is, therefore, affected by the following vulnerabilities :
- A flaw exists within the x11_open_helper() function in the 'channels.c' file that allows connections to be permitted after 'ForwardX11Timeout' has expired. A remote attacker can exploit this to bypass timeout checks and XSECURITY restrictions. (CVE-2015-5352)
- Various issues were addressed by fixing the weakness in agent locking by increasing the failure delay, storing the salted hash of the password, and using a timing-safe comparison function.
- An out-of-bounds read error exists when handling incorrect pattern lengths. A remote attacker can exploit this to cause a denial of service or disclose sensitive information in the memory.
- An out-of-bounds read error exists when parsing the 'EscapeChar' configuration option.

Looking here Centos 6 is affected and a patch has not been backported so as far as I can see, if we can't somehow patch this vulnerability then we'd need to upgrade our version of openssh in order to pass this item. But I don't know how feasible that is, given that we're running Centos 6.7/Apache 2.2.

Could anyone offer some advice as to how we might go about remediating this vulnerability?

Many thanks in advance

User avatar
Super Jamie
Posts: 308
Joined: 2014/01/10 23:44:51

Re: Supposed security vulnerabilities with openssh

Postby Super Jamie » 2016/02/15 13:14:47

The vulnerability is about X11 Forwarding over SSH.

Disable X forwarding and the unsecure codepath can never be entered.

Code: Select all

X11Forwarding no