
Thread: openSSH and nessus ID 86122 (OpenSSH MaxAuthTries Bypass)

  1. #1
    Join Date
    Feb 2012
    Location
    California
    Posts
    28

    openSSH and nessus ID 86122 (OpenSSH MaxAuthTries Bypass)

    Hello,

    Recently a server maintained by me, which was running openSuSe 13.2, was banned by the campus security of our organisation due to an apparent vulnerability with nessus ID 86122. A Google search revealed that this ID refers to a vulnerability that allows brute force attacks on the ssh server (https://www.tenable.com/plugins/inde...ingle&id=86122). As a fix it is recommended to upgrade the openSSH version to 7.0 or higher. I upgraded the opensuse version to OpenSuSe Leap but it also contains openSSH 6.6 which is still considered vulnerable. I tried to find a corresponding RPM for higher versions but there seem to be none that would work with openSuSe. I then tried to compile version 7.1 from source code which, after some trial and error in configuring, resulted in apparent success. However, checking the versions of ssh and sshd, I saw that the former was indeed updated to 7.1 whereas the latter was still 6.6.
    Does anyone have an idea how it is possible to get openSSH 7.0+ working on openSuSe as a daemon (sshd)? Did I mess something up during the compilation?
    Since this vulnerability is considered to be a high degree risk, I wonder whether openSuSe developers plan to upgrade the openSSH version in any further stable release.
    Does anyone have an idea how to fix this issue?

    Konstl

  2. #2
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    27,863
    Blog Entries
    15

    Re: openSSH and nessus ID 86122 (OpenSSH MaxAuthTries Bypass)

    Hi
    You need to check the CVE reference the scanner is reporting about, since it would appear they just check the version (not the vulnerability) and then look at the changelog for openssh. In most cases fixes are backported, not just add the next release.

    For example the latest CVEs for openssh are already addressed and released;
    https://forums.opensuse.org/forumdis...-Announcements
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  3. #3
    Join Date
    Feb 2012
    Location
    California
    Posts
    28

    Re: openSSH and nessus ID 86122 (OpenSSH MaxAuthTries Bypass)

    Quote Originally Posted by malcolmlewis View Post
    Hi
    You need to check the CVE reference the scanner is reporting about, since it would appear they just check the version (not the vulnerability) and then look at the changelog for openssh. In most cases fixes are backported, not just add the next release.

    For example the latest CVEs for openssh are already addressed and released;
    https://forums.opensuse.org/forumdis...-Announcements

    Hm, the CVE for this issue is CVE-2015-5600. I looked for it in the security update section but could not find any mention of it. Is there a way to figure out whether it was fixed? I found some references to SUSE server versions for which this bug was fixed but none for openSUSE. Can one then conclude that this issue was actually never an issue for openSUSE or that it was at least fixed for openSUSE as well since Norell knew of that? Or can it be still a real problem?

  4. #4
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,804

    Re: openSSH and nessus ID 86122 (OpenSSH MaxAuthTries Bypass)

    It was fixed; I remember seeing the update. But it was a backport, and some testing software only looks at the version number, not the fixes. There should be a patch log some place but I don't know where it is located.

  5. #5
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    27,863
    Blog Entries
    15

    Re: openSSH and nessus ID 86122 (OpenSSH MaxAuthTries Bypass)

    Quote Originally Posted by konstl000 View Post
    Hm, the CVE for this issue is CVE-2015-5600. I looked for it in the security update section but could not find any mention of it. Is there a way to figure out whether it was fixed? I found some references to SUSE server versions for which this bug was fixed but none for openSUSE. Can one then conclude that this issue was actually never an issue for openSUSE or that it was at least fixed for openSUSE as well since Norell knew of that? Or can it be still a real problem?
    Hi
    Just put the reference into openSUSE Bugzilla
    https://bugzilla.opensuse.org/show_b...=CVE-2015-5600
    https://www.suse.com/security/cve/CVE-2015-5600.html

    Else check via rpm;
    Code:
    rpm -qa --changelog |grep "CVE-2015-5600"
        once per login (CVE-2015-5600/bsc#938746)
        once per login (CVE-2015-5600/bsc#938746)

    Norell? You mean SUSE or Microfocus...?
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)

  6. #6
    Join Date
    Feb 2012
    Location
    California
    Posts
    28

    Re: openSSH and nessus ID 86122 (OpenSSH MaxAuthTries Bypass)

    Novell not Norell - my bad. I mean SUSE. I found the second link you posted but since there was no mention of openSUSE I was not sure whether it says anything about it. Is it safe to assume that generally everything that is patched for SUSE is patched for openSUSE as well?

    Thanks for your help.

  7. #7
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    27,863
    Blog Entries
    15

    Re: openSSH and nessus ID 86122 (OpenSSH MaxAuthTries Bypass)

    Quote Originally Posted by konstl000 View Post
    Novell not Norell - my bad. I mean SUSE. I found the second link you posted but since there was no mention of openSUSE I was not sure whether it says anything about it. Is it safe to assume that generally everything that is patched for SUSE is patched for openSUSE as well?

    Thanks for your help.
    Hi
    Now that Leap tracks with SLE, then it's a pretty good assumption that fixes are included, but the rpm query will help. There is also a security Mailing List which you can follow;
    https://en.opensuse.org/Communicate
    http://lists.opensuse.org/opensuse-security-announce/

    Plus a sub forum here: https://forums.opensuse.org/forumdis...-Announcements


    For older versions, eg openSUSE 13.2 check the rpm changelog.

    So if you get a hit like that again, you should be able to provide enough info back to the Security Team that all is ok, that if they really want to check, use an actual test rather than a look at version numbers
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
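
The rpm changelog check suggested in this thread, turned into a small report that can be handed back to a security team. This is an added example, not part of any post above: the function name, the output labels and the sample changelog (dates, packager, lookalike ID) are constructed, and only the "once per login" line is taken from the thread.

```shell
#!/bin/sh
# Added example. On a real host, feed it the package changelog:
#   rpm -q --changelog openssh | cve_changelog_report CVE-2015-5600
# It reads the changelog on stdin so it can be exercised without rpm.

cve_changelog_report() {
    changelog=$(cat)          # buffer stdin once; several IDs may be checked
    missing=0
    for cve in "$@"; do
        # Changelog entries start with "* <date> <packager>". Remember the
        # latest header and print it for the first entry that names the ID.
        hit=$(printf '%s\n' "$changelog" | awk -v id="$cve" '
            # True only if id is not followed by another digit, so that
            # CVE-2015-5600 does not match a longer ID such as CVE-2015-56001.
            function mentions(line, id,    p, rest) {
                rest = line
                while ((p = index(rest, id)) > 0) {
                    rest = substr(rest, p + length(id))
                    if (rest !~ /^[0-9]/) return 1
                }
                return 0
            }
            /^\* / { header = substr($0, 3) }
            !found && mentions($0, id) { print header; found = 1 }
        ')
        if [ -n "$hit" ]; then
            printf '%s\tmentioned\t%s\n' "$cve" "$hit"
        else
            printf '%s\tnot-mentioned\t-\n' "$cve"
            missing=1
        fi
    done
    return "$missing"         # non-zero if any requested ID was absent
}

# Constructed sample in rpm changelog layout (not real package history).
sample_changelog() {
    cat <<'EOF'
* Mon Jan 01 2001 packager@example.invalid
- constructed entry naming a lookalike ID CVE-2015-56001
* Tue Jan 02 2001 packager@example.invalid
- constructed entry text
  once per login (CVE-2015-5600/bsc#938746)
EOF
}
```

A "mentioned" result shows which changelog entry references the CVE; it is evidence of a backport to cite alongside the distribution's advisory, not a behavioural test of sshd.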

  8. #8
    Join Date
    Feb 2012
    Location
    California
    Posts
    28

    Re: openSSH and nessus ID 86122 (OpenSSH MaxAuthTries Bypass)

    OK, thank you again. I will use these links in future.
    Quote Originally Posted by malcolmlewis View Post
    Hi
    Now that Leap tracks with SLE, then it's a pretty good assumption that fixes are included, but the rpm query will help. There is also a security Mailing List which you can follow;
    https://en.opensuse.org/Communicate
    http://lists.opensuse.org/opensuse-security-announce/

    Plus a sub forum here: https://forums.opensuse.org/forumdis...-Announcements


    For older versions, eg openSUSE 13.2 check the rpm changelog.

    So if you get a hit like that again, you should be able to provide enough info back to the Security Team that all is ok, that if they really want to check, use an actual test rather than a look at version numbers
