CentOS 6 and CVE-2016-6210
According to CVE-2016-6210 - Red Hat Customer Portal: "A covert timing channel flaw was found in the way OpenSSH handled authentication of nonexistent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing information."
Statement
This issue in OpenSSH is mitigated by the usage of SELinux in Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.
But, cPanel
Hello, You can read more about this vulnerability at the following URL: Bug 1357442 - CVE-2016-6210 openssh: User enumeration via covert timing channel. The best approach for mitigating this issue without using SELinux would be to migrate the accounts to a server running CentOS 7 (a patch is available in RHEL 7, and should reach CentOS 7 in the future). If that's not feasible, one mitigation technique that may decrease the potential of an attack is to disable password authentication using "WHM Home » Security Center » SSH Password Authorization Tweak" since this vulnerability relies on the attacker entering an excessively long password. Thank you.
Michael, what do you think about compensating controls in /etc/ssh/sshd_conf.conf: MaxAuthTries 3 (from my github.com/denverprophitjr/Linux-Administration/blob/develop/etc/ssh/sshd_config#L19 repo)? If you tie this in with CSF/LFD configuration to read syslog and ban the IP permanently after the 4th attempt...
Hello, While that may help to some extent, I don't believe this particular vulnerability relies on multiple authentication attempts. A potential attacker could use the long password on the first authentication attempt. Thank you.
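The two sshd settings discussed above (disabling password authentication, which the cPanel reply recommends, and the MaxAuthTries limit suggested as a compensating control) are easy to misread in a real sshd_config, because sshd takes the first occurrence of a keyword and ignores later duplicates, and values inside a Match block only apply conditionally. The POSIX shell audit below is an added example, not code from cPanel or from the thread's participants; it assumes only sh, awk and mktemp, and the two sample configs it checks are constructed for the example (the "weak" one shows the first-match trap). The MaxAuthTries limit of 3 is taken from the thread; as the reply above notes, it is at best a secondary control for this CVE, so the audit reports it as WARN rather than FAIL.

```shell
#!/bin/sh
# Added example: audit an sshd_config for PasswordAuthentication and MaxAuthTries.
# Not cPanel's or the thread's own code. Assumes POSIX sh, awk and mktemp.

# sshd_setting FILE KEYWORD -> prints the effective global value, or nothing if unset.
# Mirrors sshd's parsing rules: keywords are case-insensitive, "Keyword=value" is
# accepted, comments are whole lines only, the FIRST occurrence wins, and anything
# after the first "Match" line is conditional rather than global.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                          # comment or blank line
        { gsub(/=/, " ") }                                # normalise "Keyword=value"
        tolower($1) == "match" { exit }                   # conditional section: stop
        NF >= 2 && tolower($1) == key { print $2; exit }  # first occurrence wins
    ' "$1"
}

# audit_sshd FILE [LIMIT] -> prints one PASS/FAIL/WARN line per check;
# returns 0 only if password auth is off and MaxAuthTries <= LIMIT (default 3).
audit_sshd() {
    file=$1; limit=${2:-3}; rc=0

    pw=$(sshd_setting "$file" PasswordAuthentication)
    case "$(printf '%s' "${pw:-yes}" | tr 'A-Z' 'a-z')" in
        no) echo "PASS PasswordAuthentication no" ;;
        *)  echo "FAIL PasswordAuthentication is '${pw:-yes (sshd default)}'"; rc=1 ;;
    esac

    tries=$(sshd_setting "$file" MaxAuthTries)
    tries=${tries:-6}                                  # sshd default when unset
    if [ "$tries" -le "$limit" ] 2>/dev/null; then
        echo "PASS MaxAuthTries $tries (<= $limit)"
    else
        echo "WARN MaxAuthTries $tries (> $limit, or not numeric)"; rc=1
    fi
    return $rc
}

# Constructed sample configs (not taken from any real server).
weak=$(mktemp); strong=$(mktemp)
trap 'rm -f "$weak" "$strong"' EXIT

# The later "no" is ignored by sshd: the first PasswordAuthentication line wins.
cat > "$weak" <<'EOF'
# admin added the second line and believed passwords were disabled
Port 22
PasswordAuthentication yes
PasswordAuthentication no
EOF

# Passwords off globally, MaxAuthTries 3; the Match block does not change the global value.
cat > "$strong" <<'EOF'
PasswordAuthentication no
MaxAuthTries=3
Match User backup
    PasswordAuthentication yes
EOF

echo "== weak config"
audit_sshd "$weak" 3 || echo "weak config: audit exit status $?"
echo "== strong config"
audit_sshd "$strong" 3 || echo "strong config: audit exit status $?"
```

Run it against a real file with `audit_sshd /etc/ssh/sshd_config`; the exit status makes it usable from a cron job or a CSF/LFD-style check. Note that it only reads the global section, so a per-user or per-address Match block that re-enables passwords (as in the sample) has to be reviewed by hand.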
Ugh! Pain in the butt to reharden a new server and migrate everyone! Wasn't there a feature request about duplicating all settings to new box as a starting point? One of my very populated CP boxes IS centos6 =(
Here's a recent thread on this topic: "Two servers the same configuration". Thank you.
Hello, You can read more about this vulnerability at the following URL: Bug 1357442 - CVE-2016-6210 openssh: User enumeration via covert timing channel. The best approach for mitigating this issue without using SELinux would be to migrate the accounts to a server running CentOS 7 (or backup the accounts to a remote destination, reinstall the OS and cPanel, and then restore the accounts). If that's not feasible, one mitigation technique that may decrease the potential of an attack is to disable password authentication using "WHM Home » Security Center » SSH Password Authorization Tweak" since this vulnerability relies on the attacker entering an excessively long password. Thank you.
Once migrated to CentOS 7, how should I respond to a QSV for CVE-2016-6210?
I nominate CVE-2016-6210 to go into your KB or Q/A for PCI.
After changing to CentOS 7, I am still hit with this CVE. openssh-6.6.1p1-35.el7_3.x86_64
Hello, It's patched in RHEL 7, however CentOS has yet to publish the patch for CentOS 7. I recommend posting to the CentOS forums for more information on this topic, as it's outside of the control of the cPanel software: CentOS 7 - Security Support - CentOS. Note that I've seen reports from other users that were able to pass PCI compliance scans after setting up host access rules for the SSHd service so that connections are denied from all IP addresses except for whitelisted ones: Host Access Control - Documentation - cPanel Documentation