PCI DSS scan fails OpenSSH
Hi,
My server is running WHM/cPanel v78.0.23 on the latest version of CentOS 7.6.
The PCI-DSS scan fails for the SSH security with the following message/recommendation:
> Threat Reference:
> The OpenSSH OPIE for PAM vulnerability was posted to
> [] OpenSSH release 7.6.
> The OpenSSH - Authentication Attempt Processing vulnerability was posted to
> [] SCP client multiple vulnerabilities.
> The multiple vulnerabilities fixed in version 7.5 was posted to
> [OpenSSH] OpenSSH version higher than 7.9, or install a fix from your operating system vendor.
Does cPanel have a fix for this? Or do I need to manually install/upgrade OpenSSH to version 8? I'd rather not do anything manual/outside of cPanel as that usually cause problems down the road. Thanks!
I would suggest doing neither. cPanel does not actually provide the openssh packages; they come from Red Hat (via CentOS), so cPanel is not able to update this themselves. You can use a command like this:

rpm -q --changelog openssh | grep CVE-2007-2768

to check whether a particular CVE has been patched. On one of my servers running the same OS version I am not seeing where it is. However, my recommendation would be to close SSH in your firewall in any event on a system that needs PCI certification.
> However, my recommendation would be to close SSH in your firewall in any event on a system that needs PCI certification.

This may be a silly question ... but if SSH is closed/blocked via the firewall, how does one connect to it then? Thanks!
You would whitelist in the firewall any IPs that actually should have SSH access.
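One way to do what the reply above describes, as an added example that is not part of the original thread or of cPanel's own tooling: build an iptables chain that accepts SSH only from an allowlist of sources and drops everything else. It assumes plain iptables on CentOS 7 (if the server runs CSF or firewalld, use that tool's allowlist instead), SSH on port 22, and the RFC 5737 documentation addresses below as constructed placeholders. By default it only prints the commands; set APPLY=1 to run them, from a console session you cannot lock yourself out of.

```shell
#!/bin/sh
# Added example: allowlist SSH sources with a dedicated iptables chain.
# Assumptions (not from the thread): plain iptables, port 22, the
# placeholder sources below. Rules are not persistent across reboot
# unless saved with the distribution's iptables-services tooling.

SSH_PORT=22
ALLOWED_SOURCES="198.51.100.10 203.0.113.0/24"   # constructed RFC 5737 examples

# ssh_allowlist_rules PORT "SRC SRC/CIDR ..." -> prints the iptables commands,
# one per line, in the order they must be applied.
ssh_allowlist_rules() {
    port=$1
    sources=$2
    chain=SSH_ALLOW
    # Create the chain, or empty it if it already exists (re-runnable).
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$chain" "$chain"
    # Remove any stale jump so re-running does not stack duplicates.
    printf 'iptables -D INPUT -p tcp --dport %s -j %s 2>/dev/null || true\n' "$port" "$chain"
    # Jump to the chain before any broad ACCEPT rule further down INPUT.
    printf 'iptables -I INPUT 1 -p tcp --dport %s -j %s\n' "$port" "$chain"
    # Keep already-established sessions (your own shell) alive.
    printf 'iptables -A %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$chain"
    # New connections only from the allowlist.
    for src in $sources; do
        printf 'iptables -A %s -s %s -m conntrack --ctstate NEW -j ACCEPT\n' "$chain" "$src"
    done
    # Everyone else gets dropped; the scanner sees a closed/filtered port.
    printf 'iptables -A %s -j DROP\n' "$chain"
}

# ssh_allowlist_rule_count PORT "SRC ..." -> number of commands generated
ssh_allowlist_rule_count() {
    ssh_allowlist_rules "$1" "$2" | wc -l | tr -d ' '
}

# apply_ssh_allowlist: dry run unless APPLY=1 and iptables is present.
apply_ssh_allowlist() {
    if [ "${APPLY:-0}" != 1 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "# dry run; set APPLY=1 on the server to apply these rules:" >&2
        ssh_allowlist_rules "$SSH_PORT" "$ALLOWED_SOURCES"
        return 0
    fi
    ssh_allowlist_rules "$SSH_PORT" "$ALLOWED_SOURCES" | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        eval "$cmd"
    done
}

apply_ssh_allowlist
```

The jump is inserted at position 1 of INPUT so the drop is reached even if an existing rule further down accepts all traffic; the ESTABLISHED,RELATED accept comes first in the chain so a running session from an address you forgot to list is not cut mid-change.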
Hello @vpswing, It appears your PCI compliance provider is only checking the OpenSSH package's version number and isn't checking to see if the specific vulnerabilities are applicable to the specific operating system and RPMs installed on your system. You should report a false positive to your PCI compliance provider and ask them if there's any specific information they need to prove the false positive. Thank you.
Thanks @cPanelMichael, thanks @GOT. Will try a dispute first and see what they say. Cheers!
@cPanelMichael - you're right. After giving them a screenshot of rpm -q --changelog openssh and rpm -qi openssh, the dispute was approved! We passed the scan test! Thank you!
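The changelog check GOT suggested earlier and the evidence that settled the dispute above both come down to one question: does the vendor RPM's changelog record the CVE, whatever the upstream version number says. The script below is an added example (not from the thread, cPanel or Red Hat) that asks that question for a list of CVE IDs, prints the matching changelog entries you would attach to a dispute, and tightens the grep so a typo or a partial ID cannot produce a false match. It uses the real `rpm -q --changelog openssh` when the package is installed and otherwise falls back to a constructed sample changelog; the sample's dates, maintainer and the claim that it references CVE-2007-2768 are made up for illustration.

```shell
#!/bin/sh
# Added example: check a vendor RPM changelog for backported CVE fixes.
# Usage on the server:  sh cve_check.sh CVE-2007-2768 CVE-....
# Offline (no openssh RPM installed) it uses SAMPLE_CHANGELOG below.

# Constructed sample; not real package data (entries and dates are made up).
SAMPLE_CHANGELOG='* Tue Jan 01 2019 Example Maintainer <maint@example.invalid> - 7.4p1-16
- Related: CVE-2007-2768 (OPIE for PAM account disclosure, hardened)
- Drop unused patch
* Mon Jan 01 2018 Example Maintainer <maint@example.invalid> - 7.4p1-13
- Rebuild for updated dependencies'

# is_cve_id ID -> exit 0 if ID looks like CVE-YYYY-NNNN (catches "CVE 2007-2768")
is_cve_id() {
    printf '%s\n' "$1" | grep -q -E '^CVE-[0-9]{4}-[0-9]{4,}$'
}

# changelog_has_cve CHANGELOG CVE-ID -> exit 0 if the exact ID appears.
#  -F : the ID is a fixed string, so "-" is not a regex range
#  -w : whole word, so CVE-2007-276 does not match CVE-2007-2768
#  -- : the ID itself starts with letters, but "--" keeps odd input
#       from being read as an option
changelog_has_cve() {
    printf '%s\n' "$1" | grep -q -w -F -- "$2"
}

# cve_evidence CHANGELOG CVE-ID -> the matching changelog lines (for a dispute)
cve_evidence() {
    printf '%s\n' "$1" | grep -w -F -- "$2"
}

# cve_report CHANGELOG "CVE-ID CVE-ID ..." -> one line per ID:
#   "<id> backported" | "<id> not-found" | "<id> invalid-id"
cve_report() {
    for cve in $2; do
        if ! is_cve_id "$cve"; then
            echo "$cve invalid-id"
        elif changelog_has_cve "$1" "$cve"; then
            echo "$cve backported"
        else
            echo "$cve not-found"
        fi
    done
}

# load_changelog -> real openssh changelog if rpm and the package exist,
# else the constructed sample.
load_changelog() {
    changelog=
    if command -v rpm >/dev/null 2>&1; then
        changelog=$(rpm -q --changelog openssh 2>/dev/null) || changelog=
    fi
    if [ -z "$changelog" ]; then
        echo "# openssh RPM not found; using constructed sample changelog" >&2
        changelog=$SAMPLE_CHANGELOG
    fi
    printf '%s\n' "$changelog"
}

main() {
    ids=${*:-CVE-2007-2768}        # default: the CVE discussed in the thread
    changelog=$(load_changelog)
    cve_report "$changelog" "$ids"
    for cve in $ids; do
        if is_cve_id "$cve" && changelog_has_cve "$changelog" "$cve"; then
            echo "--- evidence for $cve ---"
            cve_evidence "$changelog" "$cve"
        fi
    done
}

main "$@"
```

Pair the output with `rpm -qi openssh`, as the original poster did: the changelog shows which CVEs the vendor backported, and `-qi` shows the exact version-release and vendor the scanner compared against upstream. A CVE that is absent from the changelog is not proof of exposure either, since Red Hat also marks some issues as not applicable to its build; that is what the dispute with the scan provider is for.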