centOS 6 and CVE-2016-6210

Comments

10 comments

  • cPanelMichael
    Hello, You can read more about this vulnerability at the following URL: Bug 1357442 - CVE-2016-6210 openssh: User enumeration via covert timing channel. The best approach for mitigating this issue without using SELinux would be to migrate the accounts to a server running CentOS 7 (a patch is available in RHEL 7, and should reach CentOS 7 in the future). If that's not feasible, one mitigation technique that may decrease the potential of an attack is to disable password authentication using "WHM Home » Security Center » SSH Password Authorization Tweak", since this vulnerability relies on the attacker entering an excessively long password. Thank you.
    0
  • inetbizo
    Michael, what do you think about compensating controls in /etc/ssh/sshd_conf.conf?
    MaxAuthTries 3
    (from my github.com/denverprophitjr/Linux-Administration/blob/develop/etc/ssh/sshd_config#L19 repo). If you tie this in with CSF/LFD configuration to read syslog and ban the IP after the 4th attempt permanently ...
    0
  • cPanelMichael
    Hello, While that may help to some extent, I don't believe this particular vulnerability relies on multiple authentication attempts. A potential attacker could use the long password on the first authentication attempt. Thank you.
    0
  • inetbizo
    Ugh! Pain in the butt to reharden a new server and migrate everyone! Wasn't there a feature request about duplicating all settings to new box as a starting point? One of my very populated CP boxes IS centos6 =(
    0
  • cPanelMichael
    > Ugh! Pain in the butt to reharden a new server and migrate everyone! Wasn't there a feature request about duplicating all settings to new box as a starting point? One of my very populated CP boxes IS centos6 =(

    Here's a recent thread on this topic: Two servers the same configuration Thank you.
    0
  • inetbizo
    > Hello, You can read more about this vulnerability at the following URL: Bug 1357442 - CVE-2016-6210 openssh: User enumeration via covert timing channel. The best approach for mitigating this issue without using SELinux would be to migrate the accounts to a server running CentOS 7 (or backup the accounts to a remote destination, reinstall the OS and cPanel, and then restore the accounts). If that's not feasible, one mitigation technique that may decrease the potential of an attack is to disable password authentication using "WHM Home » Security Center » SSH Password Authorization Tweak", since this vulnerability relies on the attacker entering an excessively long password. Thank you.

    Once migrated to CentOS 7, how should I respond to a QSV for CVE-2016-6210?
    0
  • inetbizo
    > Hello, You can read more about this vulnerability at the following URL: Bug 1357442 - CVE-2016-6210 openssh: User enumeration via covert timing channel. The best approach for mitigating this issue without using SELinux would be to migrate the accounts to a server running CentOS 7 (or backup the accounts to a remote destination, reinstall the OS and cPanel, and then restore the accounts). If that's not feasible, one mitigation technique that may decrease the potential of an attack is to disable password authentication using "WHM Home » Security Center » SSH Password Authorization Tweak", since this vulnerability relies on the attacker entering an excessively long password. Thank you.

    I nominate CVE-2016-6210 to go into your KB or Q/A for PCI.
    0
  • cPanelMichael
    > I nominate CVE-2016-6210 to go into your KB or Q/A for PCI.

    I've opened a case with our Documentation Team (DOC-9353) to see if we can add some information about CVE-2016-6210 to the following document:
    0
  • inetbizo
    > I've opened a case with our Documentation Team (DOC-9353) to see if we can add some information about CVE-2016-6210 to the following document:
    0
  • cPanelMichael
    > After changing to CentOS 7, I am still hit with this CVE. openssh-6.6.1p1-35.el7_3.x86_64

    Hello, It's patched in RHEL 7; however, CentOS has yet to publish the patch for CentOS 7. I recommend posting to the CentOS forums for more information on this topic, as it's outside of the control of the cPanel software: CentOS 7 - Security Support - CentOS. Note that I've seen reports from other users that were able to pass PCI compliance scans after setting up host access rules for the SSHd service so that connections are denied from all IP addresses except for whitelisted ones: Host Access Control - Documentation - cPanel Documentation
    0
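The thread's mitigations for this CVE come down to sshd settings (disabling password authentication, with MaxAuthTries as defence in depth only, since one attempt is enough for the timing probe). The following audit script is an added example, not code from cPanel or from any participant; it assumes only the standard sshd_config syntax and checks those settings against a constructed sample, applying sshd's first-match rule, which silently ignores a hardened line appended below an earlier conflicting one.

```python
import re

# OpenSSH defaults for the keywords discussed in the thread (apply when a keyword is absent).
DEFAULTS = {"passwordauthentication": "yes", "challengeresponseauthentication": "yes", "maxauthtries": "6"}
# Hardened targets: no password-style auth (removes the long-password timing oracle);
# MaxAuthTries is defence in depth only, since a single attempt is enough for the probe.
WANTED = {"passwordauthentication": "no", "challengeresponseauthentication": "no", "maxauthtries": 3}

def effective_settings(config_text):
    """Return {keyword: value} for the global section using sshd's first-match rule.

    Stops at the first 'Match' block: values there apply only to matching connections.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd treats only whole-line '#' as a comment
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # accepts 'Key value' and 'Key=value'
        key = parts[0].lower()                          # keywords are case-insensitive
        if key == "match":
            break
        settings.setdefault(key, parts[1] if len(parts) > 1 else "")  # first occurrence wins
    return settings

def audit(config_text):
    """Return one finding string per wanted setting the effective config does not meet."""
    settings = effective_settings(config_text)
    findings = []
    for key, wanted in WANTED.items():
        actual = settings.get(key, DEFAULTS[key])
        if key == "maxauthtries":
            ok = actual.isdigit() and int(actual) <= wanted
        else:
            ok = actual.lower() == wanted
        if not ok:
            findings.append(f"{key}: effective '{actual}', want '{wanted}'")
    return findings

# Constructed sample (not a real server's config): the later 'no' does NOT override the earlier 'yes'.
SAMPLE_CONFIG = """\
Port 22
PasswordAuthentication yes
MaxAuthTries 3
# appended later by an admin; sshd keeps the first value above
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a host to list which of the discussed settings are not in effect; an empty list means all three are met in the global section.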