OpenSSH Security Issues

Hello,
I am running opensuse 13.1; see below:

glaird@Adams:~> cat /etc/os-release
NAME=openSUSE
VERSION="13.1 (Bottle)"
VERSION_ID="13.1"
PRETTY_NAME="openSUSE 13.1 (Bottle) (x86_64)"
ID=opensuse
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:opensuse:13.1"

My system is located on a network which is scanned periodically for security problems. A recent scan has detected 3 issues with OpenSSH on my system. They are:

OpenSSH Post-authentication sshd Memory Corruption Vulnerability with AES-GCM cipher, CVE-2013-4548
OpenSSH Wildcards on AcceptEnv Vulnerability, CVE-2014-2532
OpenSSH SSHFP DNS resource record look up bypass in the client, CVE-2014-2653

The suggested solution to the problem is to upgrade to OpenSSH version 6.7p1 or later.

I see, looking at the OpenSSH website that the current version is 7.1. How hard is it to upgrade OpenSSH on my version of opensuse? If I do upgrade OpenSSH, what will happen when the automatic update attempts to update OpenSSH?

Thanks,
G Laird

Hi
Scanned (only looks at versions) or tested for the vulnerability?

What version do you have installed? If it is from updates it should (check the changelog) cover CVE-2013-4548
https://build.opensuse.org/package/view_file/openSUSE:13.1:Update/patchinfo.2223/_patchinfo?expand=1


zypper if openssh

Is it equal to openssh-6.2p2-3.4.1 or greater?

You could always grab the openSUSE 13.1 version from the network repository https://software.opensuse.org/package/openssh which is at 6.6p1.

The first one is fixed in 13.1. If you want the two others to be fixed, open a bug report.

I assume that it was tested for vulnerabilities, as it was all done from the outside without logging in and with attempts to exploit the system. The version of OpenSSH is shown below (output of the zypper command):

Information for package openssh:

Repository: openSUSE-13.1-Update
Name: openssh
Version: 6.2p2-3.4.1
Arch: x86_64
Vendor: openSUSE
Installed: Yes
Status: up-to-date
Installed Size: 3.0 MiB
Summary: Secure Shell Client and Server (Remote Login Program)
Description:
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It is intended to replace rsh (rlogin and rsh) and
provides openssl (secure encrypted communication) between two untrusted
hosts over an insecure network.

So, I do think I need to install a newer version of OpenSSH. I am not sure exactly how to do this and then keep everything working when opensuse does automatic updates of OpenSSH and other software.

I am running 13.1 because I have been told that it will be maintained for a longer time than the intermediate updates, e.g. 13.2 …

I am running 13.1 with the current version of OpenSSH.

I assumed that I have been using the most current repository and that the appropriate updates would have been made. As in my previous reply, I am not running 6.6p1. I am using the standard repositories that were set up when I installed the system with a few extras. See below:

Adams:/home/glaird # zypper repos -nu

| Alias | Name | Enabled | Refresh | URI

--+---------------------------+------------------------------------+---------+---------+----------------------------------------------------------------
1 | packman | packman | Yes | Yes | http://packman.inode.at/suse/openSUSE_13.1/
2 | repo-debug | openSUSE-13.1-Debug | No | Yes | http://download.opensuse.org/debug/distribution/13.1/repo/oss/
3 | repo-debug-update | openSUSE-13.1-Update-Debug | No | Yes | http://download.opensuse.org/debug/update/13.1/
4 | repo-debug-update-non-oss | openSUSE-13.1-Update-Debug-Non-Oss | No | Yes | http://download.opensuse.org/debug/update/13.1-non-oss/
5 | repo-non-oss | openSUSE-13.1-Non-Oss | Yes | Yes | http://download.opensuse.org/distribution/13.1/repo/non-oss/
6 | repo-oss | openSUSE-13.1-Oss | Yes | Yes | http://download.opensuse.org/distribution/13.1/repo/oss/
7 | repo-source | openSUSE-13.1-Source | No | Yes | http://download.opensuse.org/source/distribution/13.1/repo/oss/
8 | repo-update | openSUSE-13.1-Update | Yes | Yes | http://download.opensuse.org/update/13.1/
9 | repo-update-non-oss | openSUSE-13.1-Update-Non-Oss | Yes | Yes | http://download.opensuse.org/update/13.1-non-oss/

So, maybe I will try adding the repository that you suggest.
Thanks.

Most scanners are dumb and never test actual vulnerabilities - they just compare identification strings. Read changelog of your openssh package and see for yourself that the first CVE is fixed there. If you have reasons to not believe it, open bug report.

I see. I am not familiar with the SSH login protocol. From your comment, I am inferring that the server sends some sort of ID string to the client attempting to log in that identifies the communication software (openssh) and the software version number. I didn’t realize that.

I would believe that this scanner is dumb and I have no reason to doubt that the vulnerability has been fixed.

I just need to figure out how to pass the scan so my system quits getting flagged. It seems that I should update openssh but I don’t have a sense for how big a job that is to keep everything working going forward.

Thanks for your help!
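To make the point of the last few posts concrete (the scanner keys off the version in the identification string that sshd sends before key exchange, while the distro package may carry the fix as a backport under the same upstream version number), here is an added example; it is not code from the thread or from openSUSE. It parses a constructed sshd banner the way a version-only scanner does, flags the three CVEs from the scan report against the "6.7p1 or later" threshold the report gave, then cross-checks those findings against a constructed excerpt in the style of `rpm -q --changelog openssh`, and finally answers the earlier "is it 6.2p2-3.4.1 or greater?" question with an approximate version-release comparison. The banner, the changelog text, its dates and its packager address are all made up for illustration.

```python
"""Version-string scanning vs. backported fixes (added example, not from the thread)."""
import re
from typing import Dict, List, Set, Tuple

# Findings from the scan report quoted in the thread, and the upstream version
# the report said would clear them ("6.7p1 or later").
SCAN_FINDINGS: Dict[str, str] = {
    "CVE-2013-4548": "6.7p1",
    "CVE-2014-2532": "6.7p1",
    "CVE-2014-2653": "6.7p1",
}

# Constructed: the identification string an OpenSSH 6.2 sshd sends first thing
# (RFC 4253 section 4.2). It carries the upstream version only, not the
# distribution package release (the "-3.4.1" in 6.2p2-3.4.1).
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_6.2\r\n"

# Constructed excerpt in the style of `rpm -q --changelog openssh`. Only the
# first CVE appears, matching what the thread says was backported; the dates
# and the packager address are invented.
SAMPLE_CHANGELOG = """\
* Tue Nov 19 2013 packager@example.invalid
- backport upstream fix for CVE-2013-4548 (post-authentication memory
  corruption with the AES-GCM cipher)
* Wed Jul 24 2013 packager@example.invalid
- update to 6.2p2
"""

_BANNER_RE = re.compile(
    rb"^SSH-(?P<proto>[^-]+)-(?P<soft>\S+)(?: (?P<comment>.*))?\r?\n?$")


def parse_banner(line: bytes) -> Tuple[str, str]:
    """Split an identification string into (protoversion, softwareversion)."""
    m = _BANNER_RE.match(line)
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.group("proto").decode("ascii"), m.group("soft").decode("ascii")


def openssh_version_from_banner(line: bytes) -> str:
    """'SSH-2.0-OpenSSH_6.2' -> '6.2'; raises if the server is not OpenSSH."""
    _, soft = parse_banner(line)
    if not soft.startswith("OpenSSH_"):
        raise ValueError("not an OpenSSH server: %r" % soft)
    return soft[len("OpenSSH_"):]


def version_key(version: str) -> Tuple[int, int, int]:
    """'6.2p2' -> (6, 2, 2); '6.7p1' -> (6, 7, 1); '7.1' -> (7, 1, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:p(\d+))?", version)
    if not m:
        raise ValueError("unrecognised OpenSSH version: %r" % version)
    major, minor, portable = m.groups()
    return int(major), int(minor), int(portable or 0)


def banner_scan(line: bytes) -> List[str]:
    """What a version-only scanner does: flag every CVE whose 'fixed in'
    version is newer than what the banner advertises."""
    seen = version_key(openssh_version_from_banner(line))
    return sorted(cve for cve, fixed in SCAN_FINDINGS.items()
                  if seen < version_key(fixed))


_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_in_changelog(text: str) -> Set[str]:
    """CVE identifiers named in a package changelog."""
    return set(_CVE_RE.findall(text))


def reconcile(line: bytes, changelog: str) -> Dict[str, str]:
    """Cross-check each banner finding against the distro changelog: a CVE
    named there was backported; anything else still needs confirmation."""
    fixed = cves_in_changelog(changelog)
    return {cve: ("backported" if cve in fixed else "unconfirmed")
            for cve in banner_scan(line)}


def rpm_vr_key(vr: str) -> Tuple[Tuple[int, str], ...]:
    """Approximate ordering for version-release strings such as '6.2p2-3.4.1':
    numeric runs compare numerically, letter runs lexically and below numbers.
    Enough for 'is it 6.2p2-3.4.1 or greater?'; real rpm uses rpmvercmp."""
    return tuple((int(t), "") if t.isdigit() else (-1, t)
                 for t in re.findall(r"\d+|[a-zA-Z]+", vr))


def installed_at_least(installed: str, required: str) -> bool:
    return rpm_vr_key(installed) >= rpm_vr_key(required)


if __name__ == "__main__":
    print("banner says OpenSSH", openssh_version_from_banner(SAMPLE_BANNER))
    print("version-only scanner flags:", banner_scan(SAMPLE_BANNER))
    print("after changelog check:", reconcile(SAMPLE_BANNER, SAMPLE_CHANGELOG))
    print("6.2p2-3.4.1 >= 6.2p2-3.4.1:",
          installed_at_least("6.2p2-3.4.1", "6.2p2-3.4.1"))
```

On the real box the equivalent of the changelog step is `rpm -q --changelog openssh | grep -i CVE-2014-2532` (and likewise for the third CVE); an empty result is exactly the case the thread ends on, where only a bug report can settle whether the fix was backported or the package was never affected. The banner step explains why upgrading to 6.7p1 "passes" the scan: it changes the string the scanner compares, not necessarily the set of fixes on the system.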

Hi
I would suggest raising a bug to confirm if/when the missing two are/were fixed or even applicable (since it may not be vulnerable)
https://en.opensuse.org/openSUSE:Submitting_bug_reports

What you are seeing is common with scanners that just check the version…

I will take your advice and give this a try. Thanks.

On Wed 07 Oct 2015 02:56:01 PM CDT, ngbowl wrote:

malcolmlewis;2731402 Wrote:
> Hi
> I would suggest raising a bug to confirm if/when the missing two
> are/where fixed or even applicable (since it may not be vulnerable)
> openSUSE:Submitting bug reports - openSUSE Wiki
>
> What you are seeing is common with scanners that just check the
> version…
I will take your advice and give this a try. Thanks.

Hi
When done, can you post back the bug number :)


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 | GNOME 3.10.1 | 3.12.44-52.18-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

I have looked up all three security issues in Bugzilla and they all appear to have been fixed. The specific faults are noted and are noted as “fixed”.

I am not really familiar with Bugzilla so it is hard for me to understand which is the appropriate version of OpenSSH to use or even where to get it. I did look up the bugs in the opensuse 13.1 bugzilla database and this is where the bugs are stated as being fixed. So, it seems like the bugs are fixed in 13.1. I am not sure exactly what to do… I have been updating my system from the opensuse 13.1 repository, so I would think that I should somehow have access to the newer versions of OpenSSH.

Do you have some suggestions as to what I should do?

Thanks!

There were security announcements for the other two CVEs for SLE, yes.

I am not really familiar with Bugzilla

So post links to bug reports, someone may have a look.