Hi all,
We're undergoing a PCI audit, and the internal scan has identified a potential vulnerability with the version of SSH we are using on our Centos boxes.
Specifically, they have advised the following:
7.2.10. Potential OpenSSH J-PAKE Public Parameter Validation Shared Secret Authentication Bypass
The following hosts were seen to be affected:
x.x.x.x ssh (22/tcp)
x.x.x.x ssh (22/tcp)
x.x.x.x ssh (22/tcp)
OpenSSH versions before 5.7 may be affected by a security bypass vulnerability because they do not properly validate the public parameters in the J-PAKE. Note that this issue is only exploitable when OpenSSH is built with J-PAKE support, which is currently experimental and disabled by default. We have not checked whether J-PAKE support is indeed enabled.
See also:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/jpake.c#rev1.5
http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf
CVE-2010-4478
BID:45304
OSVDB:69658
RECOMMENDATION
Upgrade to OpenSSH 5.7 or later.
Does anyone know if J-Pake is enabled by default in SSH shipped on centos 6? Is there any way we can test to see if it's enabled?
We've tried updating using YUM packages but it appears that there aren't any for centos 6, and building from sources doesn't seem to work for us.
Thanks,
Scott
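To answer the "is there any way we can test it" question above, here is an added example (not from the original thread or from the CentOS or OpenSSH projects) that separates the two checks an auditor conflates: the version-only match the scanner performs on the SSH banner, and the definitive check of whether sshd actually offers the J-PAKE user-authentication method (`jpake-01@openssh.com`, the method name used by OpenSSH builds compiled with J-PAKE support). The banners and method lists below are constructed samples; a CentOS 6 host would report a 5.3 banner with security fixes backported by the distribution, so the banner check alone always fires there.

```python
import re
import socket
import sys

# Constructed sample banners (not captured from the hosts in the thread).
SAMPLE_BANNERS = {
    "centos6-backported": "SSH-2.0-OpenSSH_5.3",
    "upstream-fixed": "SSH-2.0-OpenSSH_5.7p1",
}

# Constructed sample "Authentications that can continue" lists, i.e. the
# method list sshd returns in SSH_MSG_USERAUTH_FAILURE after a 'none' attempt.
SAMPLE_METHODS = {
    "stock": "publickey,gssapi-keyex,gssapi-with-mic,password",
    "jpake-build": "publickey,jpake-01@openssh.com,password",
}

JPAKE_METHOD = "jpake-01@openssh.com"   # userauth name of OpenSSH's J-PAKE method
FIXED_VERSION = (5, 7)                   # upstream release cited by the scanner

_VER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(banner):
    """Return (major, minor) from an SSH identification string, or None."""
    m = _VER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def banner_flags_cve_2010_4478(banner):
    """Reproduce the scanner's logic: any OpenSSH banner below 5.7 is reported."""
    version = parse_openssh_version(banner)
    return version is not None and version < FIXED_VERSION


def jpake_advertised(methods_csv):
    """Definitive check: does the server offer the J-PAKE userauth method?"""
    methods = [m.strip() for m in methods_csv.split(",") if m.strip()]
    return JPAKE_METHOD in methods


def assess(banner, methods_csv):
    """Combine both checks into the verdict you would hand to the auditor."""
    flagged = banner_flags_cve_2010_4478(banner)
    enabled = jpake_advertised(methods_csv)
    if enabled:
        verdict = "affected"        # J-PAKE offered: rebuild without it or upgrade
    elif flagged:
        verdict = "false positive"  # version-only match, method not offered
    else:
        verdict = "not affected"
    return {"scanner_flags": flagged, "jpake_enabled": enabled, "verdict": verdict}


def fetch_banner(host, port=22, timeout=5):
    """Read the live identification string from a host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-jpake-check\r\n")
        data = sock.recv(255)
    return data.decode("ascii", "replace").strip()


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for bname, banner in SAMPLE_BANNERS.items():
        for mname, methods in SAMPLE_METHODS.items():
            print(bname, mname, assess(banner, methods))
    # Optional live banner check: python jpake_check.py <host>
    if len(sys.argv) > 1:
        live = fetch_banner(sys.argv[1])
        print(live, "-> scanner would flag:", banner_flags_cve_2010_4478(live))
```

The method list for a live host comes from the client's own debug output, for example `ssh -v -o PreferredAuthentications=none -o BatchMode=yes user@host 2>&1 | grep 'Authentications that can continue'`; paste that comma-separated list into `assess()`. On the host itself, `strings /usr/sbin/sshd | grep -i jpake` giving no output is corroborating evidence that the binary was built without J-PAKE, and `rpm -q --changelog openssh` shows which fixes the distribution backported into the 5.3 package.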
[RESOLVED] Is J-Pake enabled by default in SSH in Centos 6?
Re: Is J-Pake enabled by default in SSH in Centos 6?
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4478
Re: Is J-Pake enabled by default in SSH in Centos 6?
Hi Trevor - I've already found that and sent it to the auditors - their response was that the article applies to RedHat, and that Centos is not RedHat so it's not applicable... Is there any other way we can prove it? Any Centos-specific documentation? Or anything that shows that SSH was not changed in Centos from the RedHat configuration?
Thanks,
Scott
Re: Is J-Pake enabled by default in SSH in Centos 6?
http://wiki.centos.org/FAQ/General#head-d29a2b7e61ffc544973098f9dd49fe4663efba50
http://wiki.centos.org/FAQ/General#head-f7400b504cb8149a830b6be4e689f650a84ff479
Think you should have a whip round and raise enough money to buy your auditors a clue!
Re: Is J-Pake enabled by default in SSH in Centos 6?
Brilliant - have just forwarded all this to our auditors, who have finally agreed to mark this as a false positive. Result!
Thanks for all the support Trevor - much appreciated!
Scott
- AlanBartlett
- Forum Moderator
[RESOLVED] Is J-Pake enabled by default in SSH in Centos 6?
Thank you for reporting back.
On that positive note, this thread is now marked [RESOLVED] both for posterity and on your behalf.