Red Hat Local Security Checks : RedHat Update for openssh RHSA-2015:0425-01

Vulnerability Search		Search 324607 CVE descriptions and 146377 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.871328

Category: Red Hat Local Security Checks

Title: RedHat Update for openssh RHSA-2015:0425-01

Summary: The remote host is missing an update for the 'openssh'; package(s) announced via the referenced advisory.

Description: Summary:
The remote host is missing an update for the 'openssh'
package(s) announced via the referenced advisory.

Vulnerability Insight:
OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These
packages include the core files necessary for both the OpenSSH client and
server.

It was discovered that OpenSSH clients did not correctly verify DNS SSHFP
records. A malicious server could use this flaw to force a connecting
client to skip the DNS SSHFP record check and require the user to perform
manual host verification of the DNS SSHFP record. (CVE-2014-2653)

It was found that when OpenSSH was used in a Kerberos environment, remote
authenticated users were allowed to log in as a different user if they were
listed in the ~
/.k5users file of that user, potentially bypassing intended
authentication restrictions. (CVE-2014-9278)

The openssh packages have been upgraded to upstream version 6.6.1, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#1059667)

Bug fixes:

* An existing /dev/log socket is needed when logging using the syslog
utility, which is not possible for all chroot environments based on the
user's home directories. As a consequence, the sftp commands were not
logged in the chroot setup without /dev/log in the internal sftp subsystem.
With this update, openssh has been enhanced to detect whether /dev/log
exists. If /dev/log does not exist, processes in the chroot environment use
their master processes for logging. (BZ#1083482)

* The buffer size for a host name was limited to 64 bytes. As a
consequence, when a host name was 64 bytes long or longer, the ssh-keygen
utility failed. The buffer size has been increased to fix this bug, and
ssh-keygen no longer fails in the described situation. (BZ#1097665)

* Non-ASCII characters have been replaced by their octal representations in
banner messages in order to prevent terminal re-programming attacks.
Consequently, banners containing UTF-8 strings were not correctly displayed
in a client. With this update, banner messages are processed according to
RFC 3454, control characters have been removed, and banners containing
UTF-8 strings are now displayed correctly. (BZ#1104662)

* Red Hat Enterprise Linux uses persistent Kerberos credential caches,
which are shared between sessions. Previously, the GSSAPICleanupCredentials
option was set to 'yes' by default. Consequently, removing a Kerberos cache
on logout could remove unrelated credentials of other sessions, which could
make the system unusable. To fix this bug, GSSAPICleanupCredentials is set
by default to 'no'. (BZ#1134447)

* Access permissions for the /etc/ssh/moduli file were set to 0600, which
was unnecessarily strict. With this update, the permissions ...

Description truncated, please see the referenced URL(s) for more information.

Affected Software/OS:
openssh on Red Hat Enterprise Linux Server (v. 7)

Solution:
Please Install the Updated Packages.

CVSS Score:
5.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2014-2653
BugTraq ID: 66459
http://www.securityfocus.com/bid/66459
Debian Security Information: DSA-2894 (Google Search)
http://www.debian.org/security/2014/dsa-2894
http://lists.fedoraproject.org/pipermail/package-announce/2014-May/133537.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134026.html
HPdes Security Advisory: HPSBUX03188
http://marc.info/?l=bugtraq&m=141576985122836&w=2
HPdes Security Advisory: SSRT101487
http://www.mandriva.com/security/advisories?name=MDVSA-2014:068
http://www.mandriva.com/security/advisories?name=MDVSA-2015:095
http://openwall.com/lists/oss-security/2014/03/26/7
RedHat Security Advisories: RHSA-2014:1552
http://rhn.redhat.com/errata/RHSA-2014-1552.html
RedHat Security Advisories: RHSA-2015:0425
http://rhn.redhat.com/errata/RHSA-2015-0425.html
http://secunia.com/advisories/59855
http://www.ubuntu.com/usn/USN-2164-1
Common Vulnerability Exposure (CVE) ID: CVE-2014-9278
71420
http://www.securityfocus.com/bid/71420
RHSA-2015:0425
[oss-security] 20141202 CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams)
http://www.openwall.com/lists/oss-security/2014/12/02/3
[oss-security] 20141204 Re: CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams)
http://www.openwall.com/lists/oss-security/2014/12/04/17
http://thread.gmane.org/gmane.comp.encryption.kerberos.general/15855
https://bugzilla.mindrot.org/show_bug.cgi?id=1867
https://bugzilla.redhat.com/show_bug.cgi?id=1169843
openssh-gssservkrb5-sec-bypass(99090)
https://exchange.xforce.ibmcloud.com/vulnerabilities/99090

Copyright Copyright (C) 2015 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.871328
Category:	Red Hat Local Security Checks
Title:	RedHat Update for openssh RHSA-2015:0425-01
Summary:	The remote host is missing an update for the 'openssh'; package(s) announced via the referenced advisory.
Description:	Summary: The remote host is missing an update for the 'openssh' package(s) announced via the referenced advisory. Vulnerability Insight: OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~ /.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278) The openssh packages have been upgraded to upstream version 6.6.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#1059667) Bug fixes: * An existing /dev/log socket is needed when logging using the syslog utility, which is not possible for all chroot environments based on the user's home directories. As a consequence, the sftp commands were not logged in the chroot setup without /dev/log in the internal sftp subsystem. With this update, openssh has been enhanced to detect whether /dev/log exists. If /dev/log does not exist, processes in the chroot environment use their master processes for logging. (BZ#1083482) * The buffer size for a host name was limited to 64 bytes. As a consequence, when a host name was 64 bytes long or longer, the ssh-keygen utility failed. The buffer size has been increased to fix this bug, and ssh-keygen no longer fails in the described situation. (BZ#1097665) * Non-ASCII characters have been replaced by their octal representations in banner messages in order to prevent terminal re-programming attacks. Consequently, banners containing UTF-8 strings were not correctly displayed in a client. With this update, banner messages are processed according to RFC 3454, control characters have been removed, and banners containing UTF-8 strings are now displayed correctly. (BZ#1104662) * Red Hat Enterprise Linux uses persistent Kerberos credential caches, which are shared between sessions. Previously, the GSSAPICleanupCredentials option was set to 'yes' by default. Consequently, removing a Kerberos cache on logout could remove unrelated credentials of other sessions, which could make the system unusable. To fix this bug, GSSAPICleanupCredentials is set by default to 'no'. (BZ#1134447) * Access permissions for the /etc/ssh/moduli file were set to 0600, which was unnecessarily strict. With this update, the permissions ... Description truncated, please see the referenced URL(s) for more information. Affected Software/OS: openssh on Red Hat Enterprise Linux Server (v. 7) Solution: Please Install the Updated Packages. CVSS Score: 5.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2014-2653 BugTraq ID: 66459 http://www.securityfocus.com/bid/66459 Debian Security Information: DSA-2894 (Google Search) http://www.debian.org/security/2014/dsa-2894 http://lists.fedoraproject.org/pipermail/package-announce/2014-May/133537.html http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134026.html HPdes Security Advisory: HPSBUX03188 http://marc.info/?l=bugtraq&m=141576985122836&w=2 HPdes Security Advisory: SSRT101487 http://www.mandriva.com/security/advisories?name=MDVSA-2014:068 http://www.mandriva.com/security/advisories?name=MDVSA-2015:095 http://openwall.com/lists/oss-security/2014/03/26/7 RedHat Security Advisories: RHSA-2014:1552 http://rhn.redhat.com/errata/RHSA-2014-1552.html RedHat Security Advisories: RHSA-2015:0425 http://rhn.redhat.com/errata/RHSA-2015-0425.html http://secunia.com/advisories/59855 http://www.ubuntu.com/usn/USN-2164-1 Common Vulnerability Exposure (CVE) ID: CVE-2014-9278 71420 http://www.securityfocus.com/bid/71420 RHSA-2015:0425 [oss-security] 20141202 CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams) http://www.openwall.com/lists/oss-security/2014/12/02/3 [oss-security] 20141204 Re: CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams) http://www.openwall.com/lists/oss-security/2014/12/04/17 http://thread.gmane.org/gmane.comp.encryption.kerberos.general/15855 https://bugzilla.mindrot.org/show_bug.cgi?id=1867 https://bugzilla.redhat.com/show_bug.cgi?id=1169843 openssh-gssservkrb5-sec-bypass(99090) https://exchange.xforce.ibmcloud.com/vulnerabilities/99090
Copyright	Copyright (C) 2015 Greenbone AG