
Date:  Fri, 19 Oct 2007 20:05:26 +0100
From:  "TUNC ERESEN Skype: eresen" <tunc (at mark) eresen.com>
Subject:  [coba-e:10911] Re: ssh vulnerability question
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <012a01c81283$0239b050$06ad10f0$@com>
In-Reply-To:  <0e1f01c8127e$11d91dc0$6700a8c0@OfficeKen>
References:  <bb9e5a970710161411o6659e0atd46dda2d838bad62 (at mark) mail.gmail.com> <bb9e5a970710171636g4a4e4564i72569ed2d8fe87db (at mark) mail.gmail.com> <091801c811b1$58c50690$6700a8c0 (at mark) OfficeKen> <200710190358.45769.bq (at mark) solarspeed.net> <0e1f01c8127e$11d91dc0$6700a8c0 (at mark) OfficeKen>
X-Mail-Count: 10911

Hello all,
 Could anyone do a pkg for this problem? Most of my attacks came from this port and service.

 
Best Regards, 
O. TUNC ERESEN

IT & Security Consultant.
Mobile: (44)07785 363 481     Home: (44)01280 705 828
17 OAK ROAD, BRACKLEY, NORTHANTS, UK, NN13 6ER
tunc AT eresen DOT com  
 



-----Original Message-----
From: Ken Marcus - Precision Web Hosting, Inc. [mailto:kenmarcus (at mark) precisionweb.net] 
Sent: 19 October 2007 19:30
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:10910] Re: ssh vulnerability question


----- Original Message ----- 
From: "Michael Stauber" <bq (at mark) solarspeed.net>
To: <coba-e (at mark) bluequartz.org>
Sent: Thursday, October 18, 2007 6:58 PM
Subject: [coba-e:10909] Re: ssh vulnerability question


> Hi Ken,
>
>> Scanalert.com is showing a vulnerability for SSH where
>> GssapiAuthentication is set to yes
>>
>> http://www.openssh.com/txt/release-4.4
>> Solution : Upgrade to OpenSSH 4.4 or later.
>> Risk factor :  High / CVSS Base Score : 7.6
>> (CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C)
>> CVE : CVE-2006-5051, CVE-2006-5052
>> BID : 20241, 20245
>> Other references : OSVDB:29264
>>
>> Is this actually a vulnerability?
>
> On a fully patched BlueQuartz you'll find openssh-3.9p1-8.RHEL4.20 installed.
>
> The SRPM for it is available here:
> http://mirror.centos.org/centos/4/os/SRPMS/openssh-3.9p1-8.RHEL4.20.src.rpm
>
> The changelogs show what has been patched and usually also list the relevant
> CVE numbers:
>
> --------------------------------------------------------------------------------------------------------------
> %changelog
> * Fri Nov 10 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.20
> - CVE-2006-5794 properly detect failed key verify in monitor (#214640)
>
> * Tue Oct 10 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.19
> - add support for hashed known_hosts file (#162681)
>
> * Thu Oct  5 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.18
> - fixed client behaviour when remote program generates large output (#184357)
> - don't report duplicate syslog messages, use correct local time (#203671)
> - don't set IPV6_V6ONLY sock opt when listening on wildcard addr (#201594)
> - fix audit patch to include loginrec.h in auth.c (#193710)
>
> * Thu Sep 28 2006 Tomas Mraz <tmraz (at mark) redhat.com> 3.9p1-8.RHEL4.17
> - CVE-2006-5051 don't call cleanups from signal handler (#208347)
> [snip]
> --------------------------------------------------------------------------------------------------------------
>
> CVE-2006-5051 and CVE-2006-5052 both deal with GSSAPI issues, where
> CVE-2006-5051 may lead to a crash and CVE-2006-5052 allows one to find out if a
> user is a valid user or not by simply timing how long OpenSSH takes to
> authenticate.
>
> When you look the CVE numbers up at ...
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5052
>
> ... you'll see a list of affected vendors and links to their own related
> publications.
>
> When you check the RedHat related links for CVE-2006-5051 and CVE-2006-5052
> they both lead to the same page:
>
> http://rhn.redhat.com/errata/RHSA-2006-0697.html
>
> So both issues appear to be patched in openssh-3.9p1-8.RHEL4.20.
>
> -- 
> With best regards,
>
> Michael Stauber
> http://www.solarspeed.net


Thanks again Michael

When I run
yum list | grep  ssh
I see that I was OK (except on that one old server that I had forgotten about).



----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
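
The changelog check described in the thread can be scripted so that each CVE from a scanner report is looked up in the package changelog. This is an added example, not code from the thread or from BlueQuartz: `sample_changelog`, `cve_fix_release` and `check_cves` are hypothetical helper names, and the embedded changelog is the excerpt quoted above with the packager's address dropped.

```shell
#!/bin/sh
# Constructed sample: the changelog excerpt quoted in the thread, with the
# packager's address dropped. The thread's excerpt is cut at "[snip]".
sample_changelog() {
cat <<'EOF'
* Fri Nov 10 2006 Tomas Mraz 3.9p1-8.RHEL4.20
- CVE-2006-5794 properly detect failed key verify in monitor (#214640)

* Tue Oct 10 2006 Tomas Mraz 3.9p1-8.RHEL4.19
- add support for hashed known_hosts file (#162681)

* Thu Sep 28 2006 Tomas Mraz 3.9p1-8.RHEL4.17
- CVE-2006-5051 don't call cleanups from signal handler (#208347)
EOF
}

# cve_fix_release CVE-ID (hypothetical helper): reads changelog text on stdin
# and prints the version-release of the newest entry that mentions the CVE.
# Exit status is 1 when no entry mentions it.
cve_fix_release() {
    awk -v cve="$1" '
        /^\* / { rel = $NF; next }   # entry header: last field is version-release
        $0 ~ (cve "([^0-9]|$)") { print rel; found = 1; exit }  # whole id only
        END { exit !found }
    '
}

# check_cves CVE-ID... (hypothetical helper): reads the changelog on stdin and
# prints one verdict line per CVE taken from the scanner report.
check_cves() {
    log=$(cat)
    for cve in "$@"; do
        if rel=$(printf '%s\n' "$log" | cve_fix_release "$cve"); then
            echo "$cve fixed-in $rel"
        else
            echo "$cve not-in-changelog (check the vendor advisory)"
        fi
    done
}

# On a live host: rpm -q --changelog openssh | check_cves CVE-2006-5051 CVE-2006-5052
sample_changelog | check_cves CVE-2006-5051 CVE-2006-5052
```

Against the excerpt, CVE-2006-5052 comes back as not-in-changelog because the quoted changelog is cut at "[snip]" and does not show it, which is the case where the thread falls back to the vendor advisory page. Because `rpm -q --changelog` reads the installed package, any entry it finds is at or below the installed release.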