Executive Summary
Summary | |
---|---|
Title | openssh security, bug fix and enhancement update |
Information | | | |
---|---|---|---|
Name | RHSA-2015:0425 | First vendor Publication | 2015-03-05 |
Vendor | RedHat | Last vendor Modification | 2015-03-05 |
Severity (Vendor) | Moderate | Revision | 02 |
Security-Database Scoring CVSS v3
CVSS vector: N/A

Metric | Score | Metric | Score |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
CVSS vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Metric | Score | Metric | Value |
---|---|---|---|
CVSS Base Score | 5.8 | Attack Range | Network |
CVSS Impact Score | 4.9 | Attack Complexity | Medium |
CVSS Exploit Score | 8.6 | Authentication | None Required |
Detail
Problem Description:

Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

* Red Hat Enterprise Linux Client (v. 7) - x86_64
* Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
* Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
* Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
* Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
* Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
* Red Hat Enterprise Linux Workstation (v. 7) - x86_64
* Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.

It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653)

It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278)

The openssh packages have been upgraded to upstream version 6.6.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#1059667)

Bug fixes:

* An existing /dev/log socket is needed when logging using the syslog utility, which is not possible for all chroot environments based on the user's home directories. As a consequence, the sftp commands were not logged in the chroot setup without /dev/log in the internal sftp subsystem. With this update, openssh has been enhanced to detect whether /dev/log exists. If /dev/log does not exist, processes in the chroot environment use their master processes for logging. (BZ#1083482)

* The buffer size for a host name was limited to 64 bytes. As a consequence, when a host name was 64 bytes long or longer, the ssh-keygen utility failed. The buffer size has been increased to fix this bug, and ssh-keygen no longer fails in the described situation. (BZ#1097665)

* Non-ASCII characters have been replaced by their octal representations in banner messages in order to prevent terminal re-programming attacks. Consequently, banners containing UTF-8 strings were not correctly displayed in a client. With this update, banner messages are processed according to RFC 3454, control characters have been removed, and banners containing UTF-8 strings are now displayed correctly. (BZ#1104662)

* Red Hat Enterprise Linux uses persistent Kerberos credential caches, which are shared between sessions. Previously, the GSSAPICleanupCredentials option was set to "yes" by default. Consequently, removing a Kerberos cache on logout could remove unrelated credentials of other sessions, which could make the system unusable. To fix this bug, GSSAPICleanupCredentials is now set to "no" by default. (BZ#1134447)

* Access permissions for the /etc/ssh/moduli file were set to 0600, which was unnecessarily strict. With this update, the permissions for /etc/ssh/moduli have been changed to 0644 to make access to the file easier. (BZ#1134448)

* Due to the KRB5CCNAME variable being truncated, the Kerberos ticket cache was not found after login using a Kerberos-enabled SSH connection. The underlying source code has been modified to fix this bug, and Kerberos authentication works as expected in the described situation. (BZ#1161173)

Enhancements:

* When the sshd daemon is configured to force the internal SFTP session and a connection other than SFTP is used, the appropriate message is logged to the /var/log/secure file. (BZ#1130198)

* The sshd-keygen service was run using the "ExecStartPre=-/usr/sbin/sshd-keygen" option in the sshd.service unit file. With this update, the separate sshd-keygen.service unit file has been added, and sshd.service has been adjusted to require sshd-keygen.service. (BZ#1134997)

Users of openssh are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

* 912792 - ssh client showing Connection closed by UNKNOWN after timeout at password prompt
* 1071967 - Inconsistent error message when generating keys in FIPS mode
* 1081338 - CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios
* 1084079 - sftp / symlink does not create relative links
* 1097665 - ssh-keygen with error : gethostname: File name too long
* 1102288 - AuthorizedKeysCommand does not work under the Match section
* 1134997 - sshd.service shouldn't call /usr/sbin/sshd-keygen directly using ExecStartPre
* 1143867 - sshd fails to start in FIPS mode due to ED25519 key generation
* 1153011 - sshd requires that .k5login exists even if krb5_kuserok() returns TRUE
* 1155626 - KerberosUseKuserok default changed from "yes" to "no"
* 1161173 - sshd sets KRB5CCNAME environment variable with a truncated value
* 1162620 - fatal: monitor_read: unsupported request: 82 on server while attempting GSSAPI key exchange
* 1169843 - CVE-2014-9278 openssh: ~/.k5users unexpectedly grants remote login
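The SSHFP check that CVE-2014-2653 let a malicious server bypass compares the host key a server presents with records published in DNS. As an added example that is not part of the advisory, the Python below computes the SSHFP records (RFC 4255, RFC 6594, RFC 7479) a zone should publish for a host key and checks a set of published records against a key, so an operator can confirm the DNS side is correct independently of the client-side check. The key line is constructed from placeholder bytes and the function names are assumptions of this example, not OpenSSH's.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) by SSH key type name
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
# SSHFP fingerprint type numbers; the fingerprint is a hash of the key blob
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}

def parse_pubkey_line(line):
    """Decode the key blob of a 'type base64 [comment]' line; the type string
    inside the blob is authoritative, so a mismatching text type is rejected."""
    fields = line.split()
    if len(fields) < 2 or fields[0] not in SSHFP_ALGORITHM:
        raise ValueError("not a supported public key line")
    blob = base64.b64decode(fields[1], validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != fields[0].encode("ascii"):
        raise ValueError("key type in blob does not match key type on line")
    return blob

def sshfp_records(line, fptypes=("sha1", "sha256")):
    """Return the (algorithm, fptype, hex fingerprint) triples for the key."""
    blob = parse_pubkey_line(line)
    algo = SSHFP_ALGORITHM[line.split()[0]]
    return [(algo, SSHFP_FPTYPE[h], hashlib.new(h, blob).hexdigest())
            for h in fptypes]

def verify_against_dns(line, published):
    """Compare the key a server presented with SSHFP records fetched from DNS.
    Returns (verified, stale): verified is True only if some published record
    matches; stale lists this algorithm's records that do not (left over from
    an old key, or simply wrong), which an operator should look at."""
    expected = set(sshfp_records(line))
    algo = next(iter(expected))[0]
    seen = {(a, t, fp.lower()) for a, t, fp in published}  # zone files may use uppercase hex
    stale = sorted(r for r in seen - expected if r[0] == algo)
    return bool(seen & expected), stale

def constructed_ed25519_line():
    """A syntactically valid ssh-ed25519 line built from placeholder bytes
    (constructed for this example only; NOT a real key)."""
    key_type = b"ssh-ed25519"
    point = bytes(range(32))  # placeholder for the 32-byte public point
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(point)) + point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " example-host"

if __name__ == "__main__":
    for algo, fptype, fp in sshfp_records(constructed_ed25519_line()):
        print(f"example-host. IN SSHFP {algo} {fptype} {fp}")
```

The fingerprints produced match what `ssh-keygen -r` prints for the same key file, so the output can be diffed against a zone's SSHFP records.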
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2015-0425.html
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-287 | Improper Authentication |
50 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:24470

Field | Value |
---|---|
Title | DSA-2894-1 openssh - security update |
Family | unix |
Class | patch |
Reference(s) | DSA-2894-1, CVE-2014-2532, CVE-2014-2653 |
Version | 5 |
Platform(s) | Debian GNU/Linux 6.0, Debian GNU/Linux 7, Debian GNU/kFreeBSD 6.0, Debian GNU/kFreeBSD 7 |
Product(s) | openssh |

Description: Two vulnerabilities were discovered in OpenSSH, an implementation of the SSH protocol suite.
Definition Id: oval:org.mitre.oval:def:24663

Field | Value |
---|---|
Title | USN-2164-1 -- openssh vulnerability |
Family | unix |
Class | patch |
Reference(s) | USN-2164-1, CVE-2014-2653 |
Version | 5 |
Platform(s) | Ubuntu 13.10, Ubuntu 12.10, Ubuntu 12.04 |
Product(s) | openssh |

Description: A malicious server could bypass OpenSSH SSHFP DNS record checking.
Definition Id: oval:org.mitre.oval:def:24911

Field | Value |
---|---|
Title | AIX OpenSSH Vulnerability |
Family | unix |
Class | vulnerability |
Reference(s) | CVE-2014-2653 |
Version | 4 |
Platform(s) | IBM AIX 6.1, IBM AIX 7.1 |
Product(s) | |

Description: The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.
Definition Id: oval:org.mitre.oval:def:26117

Field | Value |
---|---|
Title | SUSE-SU-2014:0818-1 -- Security update for openssh |
Family | unix |
Class | patch |
Reference(s) | SUSE-SU-2014:0818-1, CVE-2014-2532, CVE-2014-2653 |
Version | 3 |
Platform(s) | SUSE Linux Enterprise Server 11, SUSE Linux Enterprise Desktop 11 |
Product(s) | openssh |

Description: This update for OpenSSH fixes several issues.
Definition Id: oval:org.mitre.oval:def:26805

Field | Value |
---|---|
Title | RHSA-2014:1552: openssh security, bug fix, and enhancement update (Moderate) |
Family | unix |
Class | patch |
Reference(s) | RHSA-2014:1552-01, CVE-2014-2532, CVE-2014-2653, CESA-2014:1552 |
Version | 5 |
Platform(s) | Red Hat Enterprise Linux 6, CentOS Linux 6 |
Product(s) | openssh |

Description: OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.

It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653)

It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532)

This update also fixes the following bugs:

* Based on the SP800-131A information security standard, the generation of a digital signature using the Digital Signature Algorithm (DSA) with a key size of 1024 bits, or RSA with a key size of less than 2048 bits, is disallowed after the year 2013. After this update, ssh-keygen no longer generates keys with less than 2048 bits in FIPS mode. However, the sshd service accepts keys of size 1024 bits as well as larger keys for compatibility reasons. (BZ#993580)

* Previously, the openssh utility incorrectly set the oom_adj value to -17 for all of its child processes. This behavior was incorrect because the child processes were supposed to have this value set to 0. This update applies a patch to fix this bug, and oom_adj is now properly set to 0 for all child processes as expected. (BZ#1010429)

* Previously, if the sshd service failed to verify the checksum of an installed FIPS module using the fipscheck library, the information about this failure was only provided on the standard error output of sshd. As a consequence, the user could miss this message and remain unaware that a system had not been properly configured for FIPS mode. To fix this bug, sshd now sends such messages via the syslog service. (BZ#1020803)

* When keys provided by the pkcs11 library were removed from the ssh agent using the "ssh-add -e" command, the user was prompted to enter a PIN. With this update, a patch has been applied to allow the user to remove the keys provided by pkcs11 without the PIN. (BZ#1042519)

In addition, this update adds the following enhancements:

* With this update, ControlPersist has been added to OpenSSH. The option, in conjunction with the ControlMaster configuration directive, specifies that the master connection remains open in the background after the initial client connection has been closed. (BZ#953088)

* When the sshd daemon is configured to force the internal SFTP session, and the user attempts to use a connection other than SFTP, the appropriate message is logged to the /var/log/secure file. (BZ#997377)

* Support for Elliptic Curve Cryptography modes for key exchange (ECDH) and host and user keys (ECDSA) as specified by RFC 5656 has been added to the openssh packages. However, they are not enabled by default and the user has to enable them manually. For more information on how to configure ECDSA and ECDH with OpenSSH, see: https://access.redhat.com/solutions/711953 (BZ#1028335)

All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
Definition Id: oval:org.mitre.oval:def:27085

Field | Value |
---|---|
Title | ELSA-2014-1552 -- openssh security, bug fix, and enhancement update |
Family | unix |
Class | patch |
Reference(s) | ELSA-2014-1552, CVE-2014-2532, CVE-2014-2653 |
Version | 6 |
Platform(s) | Oracle Linux 6 |
Product(s) | openssh |

Description (package changelog):

* [5.3p1-104] - ignore SIGXFSZ in postauth monitor child (#1133906)
* [5.3p1-103] - don't try to generate DSA keys in the init script in FIPS mode (#1118735)
* [5.3p1-102] - ignore SIGPIPE in ssh-keyscan (#1108836)
* [5.3p1-101] - ssh-add: fix fatal exit when removing card (#1042519)
* [5.3p1-100] - fix race in backported ControlPersist patch (#953088)
* [5.3p1-99.2] - skip requesting smartcard PIN when removing keys from agent (#1042519)
* [5.3p1-98]
  - add possibility to autocreate only RSA key into initscript (#1111568)
  - fix several issues reported by coverity
* [5.3p1-97]
  - x11 forwarding - be less restrictive when can't bind to one of available addresses (#1027197)
  - better fork error detection in audit patch (#1028643)
  - fix openssh-5.3p1-x11.patch for non-linux platforms (#1100913)
* [5.3p1-96]
  - prevent a server from skipping SSHFP lookup (#1081338) CVE-2014-2653
  - ignore environment variables with embedded '=' or '\0' characters CVE-2014-2532
  - backport ControlPersist option (#953088)
  - log when a client requests an interactive session and only sftp is allowed (#997377)
  - don't try to load RSA1 host key in FIPS mode (#1009959)
  - restore Linux oom_adj setting when handling SIGHUP to maintain behaviour over restart (#1010429)
  - ssh-keygen -V - relative-specified certificate expiry time should be relative to current time (#1022459)
* [5.3p1-95]
  - adjust the key exchange DH groups and ssh-keygen according to SP800-131A (#993580)
  - log failed integrity test if /etc/system-fips exists (#1020803)
  - backport ECDSA and ECDH support (#1028335)
Definition Id: oval:org.mitre.oval:def:28274

Field | Value |
---|---|
Title | HP-UX running HP Secure Shell, Remote Denial of Service (DoS) and other Vulnerabilities |
Family | unix |
Class | vulnerability |
Reference(s) | CVE-2014-2653 |
Version | 8 |
Platform(s) | HP-UX 11 |
Product(s) | |

Description: The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.
Nessus® Vulnerability Scanner
Date | Name | File | Type |
---|---|---|---|
2016-06-15 | The remote device is missing a vendor-supplied security patch. | f5_bigip_SOL15780.nasl | ACT_GATHER_INFO |
2016-03-22 | The remote OracleVM host is missing one or more security updates. | oraclevm_OVMSA-2016-0038.nasl | ACT_GATHER_INFO |
2015-03-30 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2015-095.nasl | ACT_GATHER_INFO |
2015-03-26 | The remote Scientific Linux host is missing one or more security updates. | sl_20150305_openssh_on_SL7_x.nasl | ACT_GATHER_INFO |
2015-03-18 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2015-0425.nasl | ACT_GATHER_INFO |
2015-03-10 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2015-0425.nasl | ACT_GATHER_INFO |
2015-03-05 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2015-0425.nasl | ACT_GATHER_INFO |
2014-11-12 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2014-1552.nasl | ACT_GATHER_INFO |
2014-10-23 | The remote Scientific Linux host is missing one or more security updates. | sl_20141014_openssh_on_SL6_x.nasl | ACT_GATHER_INFO |
2014-10-23 | A secure shell client on the remote host could be used to bypass host verific... | openssh_sshfp_verification_weakness.nasl | ACT_GATHER_INFO |
2014-10-21 | The remote Slackware host is missing a security update. | Slackware_SSA_2014-293-01.nasl | ACT_GATHER_INFO |
2014-10-17 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2014-1552.nasl | ACT_GATHER_INFO |
2014-10-14 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2014-1552.nasl | ACT_GATHER_INFO |
2014-10-12 | The remote Amazon Linux AMI host is missing a security update. | ala_ALAS-2014-369.nasl | ACT_GATHER_INFO |
2014-06-20 | The remote AIX host has a vulnerable version of OpenSSH. | aix_openssh_advisory4.nasl | ACT_GATHER_INFO |
2014-06-19 | The remote SuSE 11 host is missing one or more security updates. | suse_11_openssh-140607.nasl | ACT_GATHER_INFO |
2014-06-19 | The remote SuSE 11 host is missing one or more security updates. | suse_11_openssh-140606.nasl | ACT_GATHER_INFO |
2014-06-10 | The remote Fedora host is missing a security update. | fedora_2014-6569.nasl | ACT_GATHER_INFO |
2014-05-22 | The remote Fedora host is missing a security update. | fedora_2014-6380.nasl | ACT_GATHER_INFO |
2014-04-10 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2014-068.nasl | ACT_GATHER_INFO |
2014-04-08 | The remote Ubuntu host is missing a security-related patch. | ubuntu_USN-2164-1.nasl | ACT_GATHER_INFO |
2014-04-07 | The remote Debian host is missing a security-related update. | debian_DSA-2894.nasl | ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2015-12-05 13:27:51 | |
2015-03-19 13:28:28 | |
2015-03-06 13:26:05 | |
2015-03-05 21:22:36 | |