OpenSSH J-PAKE Session Key Retrieval Vulnerability
Via Qualys PCI Compliance scanning I have the following two failures for my web server:
Bugtraq ID: 45304
CVE ID: CVE-2010-4478
Vendor Reference: OpenSSH J-PAKE
Last Update: 03/01/2013 at 17:10:16
Threat:
OpenSSH is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol.
OpenSSH, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol. This allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
Affected Software:
OpenSSH versions 5.6 and prior.
Impact:
Successful exploitation allows an attacker to gain access to the remote system.
Solution:
Upgrade to OpenSSH 5.7 or later, available from the OpenSSH Web site.
Result:
SSH-2.0-OpenSSH_5.3
And
Web Server Uses Plain Text Basic Authentication
QID: 86763
Severity: 2 (Vulnerability Severity 2)
CVSS Base: 5 AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Temporal: 3.8 E:U/RL:U/RC:UC
PCI Compliance Status: FAIL
The QID adheres to the PCI requirements based on the CVSS base score.
Category: Web server
Port/Service: 2077 / Web server (tcp)
False Positive: N/A
Bugtraq ID: -
CVE ID: -
Vendor Reference: -
Last Update: 05/11/2009 at 15:17:19
Threat:
During Web server authentication, communication with the user can take place using clear-text user credentials.
Impact:
Using readable clear text can enable eavesdropping and thereby compromise confidentiality. An attacker can successfully exploit this issue when a 401 error is returned because authentication is required. Also, an attacker can find out that the Basic Authentication scheme is used from the WWW-Authenticate header.
Solution:
Please contact the vendor of the hardware/software for a possible fix for the issue.
My questions are: how can I upgrade OpenSSH on CentOS 6.4 x86_64, and how do I fix "Web Server Uses Plain Text Basic Authentication"? I can't figure it out; any help would be awesome!
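The only evidence the first finding rests on is the banner SSH-2.0-OpenSSH_5.3, so as an added example (not from the thread) here is a Python check that parses OpenSSH banners and compares them with the 5.7 fix version named in the Solution, with the caveat that a banner cannot reveal distribution-backported fixes; the sample banners other than 5.3 are constructed.

```python
import re

# CVE-2010-4478 (J-PAKE) is fixed in OpenSSH 5.7, per the scan result's Solution above.
FIXED_VERSION = (5, 7)

# RFC 4253 identification string: "SSH-protoversion-softwareversion [SP comments]".
# OpenSSH reports e.g. "OpenSSH_5.3", "OpenSSH_6.2p2" or "OpenSSH_6.6.1p1".
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.\d+)?(?:p\d+)?(?:\s+(?P<comment>.*))?$"
)

def parse_openssh_banner(banner):
    """Return (major, minor, comment) for an OpenSSH banner, or None for any other software."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return int(m.group("major")), int(m.group("minor")), (m.group("comment") or "")

def assess_banner(banner):
    """Classify a banner: 'not-openssh', 'patched' (>= 5.7) or 'version-predates-fix'.

    'version-predates-fix' is a version-number verdict only: distribution packages
    (CentOS 6 ships 5.3p1) can carry backported fixes without bumping the banner,
    so confirm against the package changelog, e.g. rpm -q --changelog openssh-server.
    """
    parsed = parse_openssh_banner(banner)
    if parsed is None:
        return "not-openssh"
    major, minor, _comment = parsed
    return "patched" if (major, minor) >= FIXED_VERSION else "version-predates-fix"

def assess_scan_results(lines):
    """Apply assess_banner to the banner lines of a scan report; returns {banner: verdict}."""
    return {line.strip(): assess_banner(line) for line in lines if line.strip().startswith("SSH-")}

if __name__ == "__main__":
    # Constructed sample: the banner from the scan result above plus two made-up ones.
    sample = ["SSH-2.0-OpenSSH_5.3", "SSH-2.0-OpenSSH_6.2p2 Debian-6", "SSH-2.0-dropbear_2019.78"]
    for banner, verdict in assess_scan_results(sample).items():
        print(f"{banner:45} {verdict}")
```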
The docs may be of some use: PCI Compliance Scanning and Software Versions - cPanel Documentation
Following this guide helped me upgrade to OpenSSH 6.2 from 5.3 (default): ptudor.net/linux/openssh/
It is missing cipher suite settings for Pure/Pro FTP and Webdisk. How soon can that page be modified?
Are there specific settings you would like added to the documentation, or are you seeking general input for those services? These threads may help: Thank you.
For instance, which specific failures are you receiving in your PCI compliance scan results for FTP and Web Disk when using the default settings? Thank you.
Michael, are you asking me? If so, I can authorize CP to talk w/ Liquidweb, inc. about my PCI ticket and all the changes we've had to make above the defaults. Massive changes at that.
I don't believe updating the document is a good idea for the FTP and Web Disk services because some of those changes may result in connection issues for certain customers. That being said, you are welcome to post specific documentation requests here and we can forward those requests to our documentation team. Thank you.
The documentation is for PCI compliance. You know as well as I that DSS recently changed their requirements, such as removing RC4 ciphers. The only one that may have an issue is TLS v1.0. You can at least annotate the June 30, 2016 deadline and the suggested settings.
For instance, could you post the PCI compliance scan results for the FTP and Web Disk services that were failures? Also, which specific changes did you make to address the issue for those services that you would like documented? Thank you.
I've asked Liquidweb, inc. to respond to this thread to assist with the answer for all CP ports where we had to change the cipher, X-Frame-Options, etc.
Current Apache Pre-Virtual-Host:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
Current FTP TLS Cipher Configuration:
HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!TLSv1:!SSLv2:!SSLv3
Current Webdisk Cipher Configuration:
ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH
Current Mail Server Cipher Configuration:
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
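As an added check that is not part of the thread: feeding each posted cipher string to the local OpenSSL through Python's ssl module shows which suites it really enables, which is the quickest way to see, for example, that !DES in the Apache list removes single DES only and not 3DES, and that the FTP list removes pre-TLS 1.2 suites itself while the Apache list relies on SSLProtocol for that. It assumes Python 3.6+ with an OpenSSL-backed ssl module; results vary with the OpenSSL build on the machine running it.

```python
import ssl

# Cipher strings copied from the configuration post above.
CIPHER_STRINGS = {
    "apache": (
        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
        "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
        "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
        "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
        "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
        "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
        "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:"
        "AES256-SHA:AES128-SHA:DES-CBC3-SHA:"
        "HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
    ),
    "ftp": "HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!TLSv1:!SSLv2:!SSLv3",
    "webdisk": "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH",
    "mail": "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2",
}

# Substrings of OpenSSL suite names that PCI scans commonly flag. "DES-CBC3" (3DES) is
# listed deliberately: the Apache string's "!DES" only removes single DES, not 3DES.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "DES-CBC3", "DES-CBC-")

def expand_cipher_string(spec):
    """Ask the local OpenSSL which suites a cipher string enables.
    Returns (name, minimum protocol) pairs in preference order, or [] if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:  # "No cipher can be selected."
        return []
    # TLS 1.3 suites are not governed by this string, so leave them out of the picture.
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def weak_ciphers(spec):
    """Enabled suite names that contain one of WEAK_MARKERS."""
    return [name for name, _ in expand_cipher_string(spec) if any(m in name for m in WEAK_MARKERS)]

def pre_tls12_ciphers(spec):
    """Enabled suites whose minimum protocol is below TLS 1.2 (OpenSSL reports 'TLSv1' or 'SSLv3')."""
    return [name for name, proto in expand_cipher_string(spec) if proto in ("TLSv1", "SSLv3")]

if __name__ == "__main__":
    for service, spec in CIPHER_STRINGS.items():
        print(f"{service}: {len(expand_cipher_string(spec))} suites enabled")
        print(f"  weak: {weak_ciphers(spec)}\n  pre-TLS1.2: {pre_tls12_ciphers(spec)}")
```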
The following document has been updated as of 10-13-2015: PCI Compliance and Software Versions - cPanel Knowledge Base - cPanel Documentation Thank you.