OpenSSH J-PAKE Session Key Retrieval Vulnerability

[DamienWebb]

Via Qualys PCI Compliance I have the two following failing for my web server:

Bugtraq ID:	45304
CVE ID:	CVE-2010-4478
Vendor Reference:	OpenSSH J-PAKE
Last Update:	03/01/2013 at 17:10:16
Threat:
OpenSSH is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol.

OpenSSH, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol. This allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.

Affected Software:
OpenSSH versions 5.6 and prior.

Impact:
Successful exploitation allows attacker to get access to the remote system.

Solution:
Upgrade to OpenSSH 5.7 or later, available from the OpenSSH Web site.

Result:
SSH-2.0-OpenSSH_5.3

And

Web Server Uses Plain Text Basic Authentication
QID:	86763
Severity:	2   Vulnerability Severity 2
CVSS Base:	5    AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Temporal:	3.8    E:U/RL:U/RC:UC
PCI Compliance Status:	FAIL    Info
The QID adheres to the PCI requirements based on the CVSS basescore.
Category:	Web server
Port/Service:	2077 / Web server (tcp)
False Positive:	N/A
Bugtraq ID:	-
CVE ID:	-
Vendor Reference:	-
Last Update:	05/11/2009 at 15:17:19
Threat:
During Web server authentication, communication can take place with the user by Clear Text User Credentials.

Impact:
Using Readable Clear Text can help eavesdropping and thereby compromise confidentiality. An attacker can successfully exploit this issue when the 401 error is returned when authentication is required. Also, an attacker can find out that the Basic Authentication scheme is used using the WWW-authenticate header.

Solution:
Please contact the vendor of the hardware/software for a possible fix for the issue.

Questions are, how can I upgrade OpenSSH on CentOS 6.4 x86_64, and how do I fix "Web Server Uses Plain Text Basic Authentication"

I can't figure it out, any help would be awesome!

 

[Infopro]

The docs may be of some use:
PCI Compliance Scanning and Software Versions - cPanel Documentation

 

[DamienWebb]

Following this guide helped me upgrade to OpenSSH 6.2 from 5.3(default)

ptudor.net/linux/openssh/

 

[quizknows]

Regarding that 2010 openssh CVE, it is a flase positive and does not affect centos6.

https://access.redhat.com/security/cve/CVE-2010-4478

"Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 4, 5, or 6."

You should be able to get that waived by providing your PCI vendor that link and your OS release version.

As a general rule of thumb, do NOT upgrade OpenSSH, OpenSSL, or BIND on centOS systems. 99% of things that PCI vendors flag are already fixed via back-ports and just need to be appealed as such. The Redhat site is a good resource, or you can dump the RPM change log to prove that the issue is patched.

port 2077 (your 2nd issue) is webdisk. Hardly anyone uses that, and I recommend just closing the firewall port or disabling the service entirely on PCI compliant systems. Just go to WHM, service manager, and disable "DAV" (cpdavd).

 

[inetbizo]

The docs may be of some use:
PCI Compliance Scanning and Software Versions - cPanel Documentation

Dead link

 

[Infopro]

https://documentation.cpanel.net/display/CKB/PCI+Compliance+and+Software+Versions

New docs site.

HTH!

 

[inetbizo]

https://documentation.cpanel.net/display/CKB/PCI+Compliance+and+Software+Versions

New docs site.

HTH!

Awesome! Thank you. It is missing cipher suite settings for Pure/Pro FTP, Webdisk. How soon can that page be modified?

 

[cPanelMichael]

It is missing cipher suite settings for Pure/Pro FTP, Webdisk. How soon can that page be modified?

Are there specific settings you would like added to the documentation, or are you seeking general input for those services? These threads may help:

https://forums.cpanel.net/threads/i-need-to-disable-tls-v1-0.466611
https://forums.cpanel.net/threads/s...lay-ckb-how-to-adjust-cipher-protocols.432641

Thank you.

 

[inetbizo]

New data security standards. Add new entries for cipher suites that remove RC4, TLS1.0 See https://www.pcisecuritystandards.org/pdfs/15_04_15 PCI DSS 3 1 Press Release.pdf

If that is going to be the overall document overview suggestions from cPanel, I just saw them missing.

 

[cPanelMichael]

For instance, which specific failures are you receiving in your PCI compliance scan results for FTP and Web Disk when using the default settings?

Thank you.

 

[inetbizo]

For instance, which specific failures are you receiving in your PCI compliance scan results for FTP and Web Disk when using the default settings?

Thank you.

Michael are you asking me? If so, I can authorize CP to talk w/ Liquidweb, inc. about my PCI ticket and all the changes we've had to make above the defaults. Massive changes at that.

 

[cPanelMichael]

I don't believe the updating the document is a good idea for the FTP and Web Disk services because some of those changes may result connection issues for certain customers. That being said, you are welcome to post specific documentation requests here and we can forward those requests to our documentation team.

Thank you.

 

[inetbizo]

The documentation is for PCI compliance. You know as well as I that DSS recently changed their requirements such as removing RC4 ciphers. The only one that may have issue is TLS v1.0 You can at least annotate the June 30, 2016 deadline and the suggested settings.

 

[cPanelMichael]

For instance, could you post the PCI compliance scan results for the FTP and Web Disk services that were failures? Also, which specific changes did you make to address the issue for those services that you would like documented?

Thank you.

 

[inetbizo]

For instance, could you post the PCI compliance scan results for the FTP and Web Disk services that were failures? Also, which specific changes did you make to address the issue for those services that you would like documented? Thank you.

I've asked Liquidweb, inc. to respond to this thread to assist with the answer to all CP ports we had to change the cipher, x-frame options, etc.

 

[inetbizo]

For instance, could you post the PCI compliance scan results for the FTP and Web Disk services that were failures? Also, which specific changes did you make to address the issue for those services that you would like documented? Thank you.

Current Apache Pre-Virtual-Host

SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4

Current FTP TLS Cipher Configuration

HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!TLSv1:!SSLv2:!SSLv3

Current Webdisk Cipher COnfiguration

ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH

Current Mail Server Cipher Configuration

ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

 

[cPanelMichael]

The following document has been updated as of 10-13-2015:

PCI Compliance and Software Versions - cPanel Knowledge Base - cPanel Documentation

Thank you.