OpenSSH Update for PCI Compliance

[timypcr]

According to our third-party PCI scanner (conducted by Trustwave) current OpenSSH version is no longer supported.

The version of OpenSSH detected is no longer supported by the vendor.
No further security patches or upgrades will be released by the vendor
for this version, and the vendor will not evaluate this version when
investigating new vulnerability reports.
This finding is based on version information which may not have been.

The scan also references:

Local privilege escalation vulnerability present in OpenSSH before 7.4.
When sshd runs with root privileges, forwarded Unix-domain sockets
are created with root permissions. Vulnerability is related to
serverloop.c.

This finding is based on version information which may not have been
updated by previously installed patches (e.g., Red Hat "back ports").
Please submit a "Patched Service" dispute in TrustKeeper if this
vulnerability has already been patched.
CVE: CVE-2016-10010
NVD: CVE-2016-10010
CVSSv2: AV:L/AC:M/Au:N/C:C/I:C/A:C
Service: ssh
Application: opensshpenssh
Reference:
http://www.openwall.com/lists/oss-security/2016/12/19/2

and

OpenSSH before 7.2p2 allows remote attackers to bypass shell
command restrictions via manipulated X11 forwarding data.
This finding is based on version information which may not have been
updated by previously installed patches (e.g., Red Hat "back ports").
Please submit a "Patched Service" dispute in TrustKeeper if this
vulnerability has already been patched.
CVE: CVE-2016-3115
NVD: CVE-2016-3115
CVSSv2: AV:N/AC:L/Au:S/C/I/A:N
Service: ssh
Application: opensshpenssh
Reference:
http://cvsweb.openbsd.org/cgibin/
cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281&r2=1.282&f=h
Evidence:
Match: '7.2 FreeBSD-20160310' is less than or equal to '7.2p2'

The current version running on FreeBSD 11.0-RELEASE-p1 is OpenSSH_7.2p2, OpenSSL 1.0.2j-freebsd and a pkg audit shows 0 problems. Also running pkg upgrade does not show any available OpenSSH update. I'm assuming that these patches have been back ported to OpenSSH_7.2p2?

Thanks,
Tim

 

[ekingston]

First of all, pkg audit won't help you with OpenSSH. Ssh is part of the base OS in FreeBSD and is not managed by pkg. You would need to use freebsd-version and freebsd-update for the OS.

Secondly, FreeBSD 11.0 (the version you identified as using) is supported until October 26, 2017. After that you need to run FreeBSD 11.1 to get security updates. https://www.freebsd.org/security/index.html#sup

Here is the FreeBSD security advisory related to the CVE ID you mentioned.
https://www.freebsd.org/security/advisories/FreeBSD-SA-17:01.openssh.asc

 

[SirDice]

Note that security fixes for OpenSSH in the base are back-ported. Brain-dead scanners can't cope with that and will complain about vulnerabilities that have been patched already.

CVE: CVE-2016-10010

https://www.freebsd.org/security/advisories/FreeBSD-SA-17:01.openssh.asc

CVE: CVE-2016-3115

https://www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc

https://www.freebsd.org/security/advisories.html

The current version running on FreeBSD 11.0-RELEASE-p1

Note that 11.0 will be EoL in a month or so. Make sure you plan the upgrade to 11.1 some time soon.

 

[timypcr]

Thanks SirDice and ekingston; I do have a question regarding the 11.1 upgrade. Since I have jails that were created by ezjail-admin on this system - I want to make sure I understand the upgrade process.
It's my understanding that I would upgrade the host system from 11.0 to 11.1 first using these instructions https://www.freebsd.org/releases/11.1R/installation.html#upgrade and than after that all I have to do to upgrade the existing jails is run ezjail-admin update -u ? Just want to make sure I understand this correctly (first 11.0 to 11.1 upgrade so I'm a bit nervous) Any tips or clarification would be great.

Thanks again,
Tim

 

[ekingston]

Thanks SirDice and ekingston; I do have a question regarding the 11.1 upgrade. Since I have jails that were created by ezjail-admin on this system - I want to make sure I understand the upgrade process.
It's my understanding that I would upgrade the host system from 11.0 to 11.1 first using these instructions https://www.freebsd.org/releases/11.1R/installation.html#upgrade and than after that all I have to do to upgrade the existing jails is run ezjail-admin update -u ? Just want to make sure I understand this correctly (first 11.0 to 11.1 upgrade so I'm a bit nervous) Any tips or clarification would be great.

Thanks again,
Tim

Hi Tim,

With regards to upgrading the Host OS, I've followed the instructions you referenced for quite few updates (including 10.0, .1, .2, and .3) without issues. While I can't guarantee there will be no issues going from 11.0 to 11.1, I can say I'm not having issues running 11.1 on a new server.

I don't run any jails so I can't give you a confident answer related to upgrading jails, but your description is my understanding of how the process is supposed to work.

I would also suggest that you may want to try in a test environment before upgrading production if you have any concerns. If you do this, it would be a good idea to make sure the development environment has the same software (same versions of that software) and as close to the same configuration as production for testing.

 

[SirDice]

It's my understanding that I would upgrade the host system from 11.0 to 11.1 first using these instructions https://www.freebsd.org/releases/11.1R/installation.html#upgrade and than after that all I have to do to upgrade the existing jails is run ezjail-admin update -u ? Just want to make sure I understand this correctly (first 11.0 to 11.1 upgrade so I'm a bit nervous) Any tips or clarification would be great.

Handbook: 14.6.4. Updating Jails

 

[timypcr]

thanks server has been upgraded to 11.1