Hi Ken,
> Scanalert.com is showing a vulnerability for SSH where
> GssapiAuthentication is set to yes
>
> http://www.openssh.com/txt/release-4.4
> Solution : Upgrade to OpenSSH 4.4 or later.
> Risk factor : High / CVSS Base Score : 7.6
> (CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C)
> CVE : CVE-2006-5051, CVE-2006-5052
> BID : 20241, 20245
> Other references : OSVDB:29264
>
> Is this actually a vulnerability?
On a fully patched BlueQuartz you'll find openssh-3.9p1-8.RHEL4.20 installed.
The SRPM for it is available here:
http://mirror.centos.org/centos/4/os/SRPMS/openssh-3.9p1-8.RHEL4.20.src.rpm
The changelogs show what has been patched and usually also list the relevant
CVE numbers:
--------------------------------------------------------------------------------------------------------------
%changelog
* Fri Nov 10 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.20
- CVE-2006-5794 properly detect failed key verify in monitor (#214640)
* Tue Oct 10 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.19
- add support for hashed known_hosts file (#162681)
* Thu Oct 5 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.18
- fixed client behaviour when remote program generates large output (#184357)
- don't report duplicate syslog messages, use correct local time (#203671)
- don't set IPV6_V6ONLY sock opt when listening on wildcard addr (#201594)
- fix audit patch to include loginrec.h in auth.c (#193710)
* Thu Sep 28 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.17
- CVE-2006-5051 don't call cleanups from signal handler (#208347)
[snip]
--------------------------------------------------------------------------------------------------------------
CVE-2006-5051 and CVE-2006-5052 both deal with GSSAPI issues, where
CVE-2006-5051 may lead to a crash and CVE-2006-5052 allows one to find out if a
user is a valid user or not by simply timing how long OpenSSH takes to
authenticate.
When you look the CVE numbers up at ...
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5052
... you'll see a list of affected vendors and links to their own related
publications.
When you check the RedHat related links for CVE-2006-5051 and CVE-2006-5052
they both lead to the same page:
http://rhn.redhat.com/errata/RHSA-2006-0697.html
So both issues appear to be patched in openssh-3.9p1-8.RHEL4.20.
--
With best regards,
Michael Stauber
http://www.solarspeed.net
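
The changelog check described in the message above can be scripted. This is an added example, not part of the original message: the function names `sample_changelog` and `cve_status` are hypothetical, and the sample input is the changelog excerpt quoted in the message.

```shell
#!/usr/bin/env bash
# Map scanner-reported CVE ids to the package release whose changelog entry
# mentions them. On a live host, feed it the real changelog:
#   rpm -q --changelog openssh | cve_status CVE-2006-5051 CVE-2006-5052

# Sample input: the changelog excerpt quoted in the message above.
sample_changelog() {
cat <<'EOF'
* Fri Nov 10 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.20
- CVE-2006-5794 properly detect failed key verify in monitor (#214640)
* Tue Oct 10 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.19
- add support for hashed known_hosts file (#162681)
* Thu Sep 28 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.17
- CVE-2006-5051 don't call cleanups from signal handler (#208347)
EOF
}

# Reads changelog text on stdin; arguments are the CVE ids to look up.
# Prints one line per id and returns 1 if any id is not mentioned, which
# means "check the vendor advisory", not "unpatched".
cve_status() {
    awk -v ids="$*" '
        BEGIN { n = split(ids, want, " "); missing = 0 }
        # Entry header: the last field is the version-release it belongs to.
        /^\* / { release = $NF; next }
        {
            for (i = 1; i <= n; i++)
                # Match the whole id only, so CVE-2006-505 does not hit CVE-2006-5051.
                if ($0 ~ ("(^|[^0-9A-Za-z-])" want[i] "([^0-9]|$)"))
                    # Changelogs are newest first, so the last hit kept here
                    # is the oldest release that carries the fix.
                    fixed[want[i]] = release
        }
        END {
            for (i = 1; i <= n; i++) {
                if (want[i] in fixed)
                    printf "%s fixed-in %s\n", want[i], fixed[want[i]]
                else {
                    printf "%s not-listed\n", want[i]
                    missing = 1
                }
            }
            exit missing
        }'
}

# Demo run on the excerpt: the two ids from the scanner report.
sample_changelog | cve_status CVE-2006-5051 CVE-2006-5052 ||
    echo "-> look up not-listed ids in the vendor advisory"
```

On the excerpt, CVE-2006-5052 comes back as not-listed, which is why the message goes on to confirm it through the Red Hat advisory page linked from the CVE entry.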