Scientific Linux Security Update : openssh on SL6.x i386/x86_64

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

It was discovered that OpenSSH clients did not correctly verify DNS
SSHFP records. A malicious server could use this flaw to force a
connecting client to skip the DNS SSHFP record check and require the
user to perform manual host verification of the DNS SSHFP record.
(CVE-2014-2653)
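The SSHFP check the client is expected to perform (RFC 4255, extended by RFC 6594) compares the algorithm number, the fingerprint type and the digest of the raw wire-format host key with the published record; all three must agree, and a record for another algorithm or an unknown fingerprint type is simply a non-match. The following is an added illustration written for this page, not OpenSSH code: it builds the records a zone would publish for a host key and performs that comparison. The host key, hostname and function names are constructed for the example (the key blob uses toy numbers and is not a usable RSA key).

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255 for RSA/DSA and SHA-1,
# RFC 6594 for ECDSA and SHA-256).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}
FPTYPE_NAME = {v: k for k, v in SSHFP_FPTYPE.items()}


def parse_public_key_line(line):
    """Split an OpenSSH public key line ('ssh-rsa AAAA... comment') into (type, raw blob).

    The SSHFP fingerprint is computed over the raw blob, i.e. the base64-decoded
    wire-format key, not over the text line.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    # The blob's first string field repeats the key type (RFC 4253 section 6.6);
    # reject lines whose label and blob disagree.
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError("key type mismatch: %r vs %r" % (key_type, embedded))
    return key_type, blob


def sshfp_records(hostname, pubkey_line, fptypes=("sha1", "sha256")):
    """Build the zone-file SSHFP records that publish this host key."""
    key_type, blob = parse_public_key_line(pubkey_line)
    alg = SSHFP_ALGORITHM[key_type]
    return [
        "%s IN SSHFP %d %d %s" % (hostname, alg, SSHFP_FPTYPE[name],
                                  hashlib.new(name, blob).hexdigest())
        for name in fptypes
    ]


def sshfp_matches(pubkey_line, alg, fptype, fingerprint_hex):
    """Client-side check of a presented host key against one SSHFP record.

    A record for a different algorithm or an unknown fingerprint type is a
    non-match; it is never a reason to skip the digest comparison.
    """
    key_type, blob = parse_public_key_line(pubkey_line)
    if SSHFP_ALGORITHM.get(key_type) != alg:
        return False
    name = FPTYPE_NAME.get(fptype)
    if name is None:
        return False
    expected = hashlib.new(name, blob).hexdigest()
    return hmac.compare_digest(expected, fingerprint_hex.lower())


# --- constructed sample key: toy numbers, not a real or usable RSA key ---
def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    # Positive mpint (RFC 4251): big-endian, leading zero byte when the top bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


CONSTRUCTED_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_mpint(65537)
                    + _ssh_mpint(0xC0FFEE1234567890ABCDEF))
CONSTRUCTED_KEY_LINE = ("ssh-rsa " + base64.b64encode(CONSTRUCTED_BLOB).decode("ascii")
                        + " host.example.test")

if __name__ == "__main__":
    for record in sshfp_records("host.example.test", CONSTRUCTED_KEY_LINE):
        print(record)
```

On a real host the same records are produced by `ssh-keygen -r hostname`, and they only protect the connection when the client resolves them through a validating DNSSEC resolver and `VerifyHostKeyDNS` is enabled.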

It was found that OpenSSH did not properly handle certain AcceptEnv
parameter values with wildcard characters. A remote attacker could use
this flaw to bypass intended environment variable restrictions.
(CVE-2014-2532)
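What `AcceptEnv` is meant to enforce is a whole-name match: a client-supplied variable is accepted only if its complete name matches one of the configured patterns, so a name that merely contains the text before a wildcard, or extends a literal entry, must be rejected. The block below is an added example written for this page, not OpenSSH's own filtering code: it parses `AcceptEnv` lines from a constructed `sshd_config` fragment, translates the `*`/`?` patterns into anchored regular expressions, and shows which names from a constructed client environment would get through. Function names and the sample configuration are assumptions of the example.

```python
import re

# Constructed sshd_config fragment (not taken from any real host).
CONSTRUCTED_SSHD_CONFIG = """\
# Accept locale settings and the terminal type from the client, nothing else.
AcceptEnv LANG LC_*
AcceptEnv\tTERM
PermitUserEnvironment no
"""

# A variable name the filter will even consider: no '=', no control characters.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def pattern_to_regex(pattern):
    """Turn a sshd_config-style pattern ('*' any run, '?' one char) into a regex.

    Every other character is escaped, and the caller uses fullmatch(), so the
    pattern is anchored at both ends of the variable name.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def parse_accept_env(config_text):
    """Collect the space-separated patterns from every AcceptEnv line."""
    patterns = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0].lower() == "acceptenv":
            patterns.extend(fields[1].split())
    return patterns


def env_permitted(name, patterns):
    """True only if NAME is well formed and some pattern matches all of it."""
    if not NAME_RE.fullmatch(name):
        return False
    return any(pattern_to_regex(p).fullmatch(name) for p in patterns)


def filter_client_env(client_env, patterns):
    """Split a client-proposed environment into what sshd would set and what it drops."""
    accepted, rejected = {}, []
    for name, value in client_env.items():
        if env_permitted(name, patterns):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    pats = parse_accept_env(CONSTRUCTED_SSHD_CONFIG)
    # Constructed client environment proposal.
    proposed = {"LANG": "C", "LC_TIME": "de_DE", "LD_PRELOAD": "/tmp/x.so", "PATH": "/bin"}
    accepted, rejected = filter_client_env(proposed, pats)
    print("patterns:", pats)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The regex built for `LC_*` matches `LC_ALL` but not `XLC_ALL`, and the literal `LANG` does not match `LANGUAGE`; keeping the list short (locale and terminal variables only) is what limits the damage if the matcher is ever wrong again.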

This update also fixes the following bugs :

- Based on the SP800-131A information security standard,
generating a digital signature with the Digital
Signature Algorithm (DSA) using a 1024-bit key, or with
RSA using a key shorter than 2048 bits, is disallowed
after the year 2013. After this update, ssh-keygen no
longer generates keys shorter than 2048 bits in FIPS
mode. However, the sshd service still accepts 1024-bit
keys as well as larger keys for compatibility reasons.

- Previously, the openssh utility incorrectly set the
oom_adj value to -17 for all of its child processes.
This behavior was incorrect because the child
processes were supposed to have this value set to 0.
This update applies a patch to fix this bug, and oom_adj
is now properly set to 0 for all child processes as
expected.

- Previously, if the sshd service failed to verify the
checksum of an installed FIPS module using the fipscheck
library, the information about this failure was only
written to the standard error output of sshd. As a
consequence, the user could miss this message and
remain unaware that a system had not been properly
configured for FIPS mode. To fix this bug, this behavior
has been changed and sshd now sends such messages via
the syslog service.

- When keys provided by the pkcs11 library were removed
from the ssh agent using the 'ssh-add -e' command, the
user was prompted to enter a PIN. With this update, a
patch has been applied to allow the user to remove the
keys provided by pkcs11 without the PIN.

In addition, this update adds the following enhancements :

- With this update, ControlPersist has been added to
OpenSSH. The option in conjunction with the
ControlMaster configuration directive specifies that the
master connection remains open in the background after
the initial client connection has been closed.

- When the sshd daemon is configured to force the internal
SFTP session, and the user attempts to use a connection
other than SFTP, the appropriate message is logged to
the /var/log/secure file.

- Support for Elliptic Curve Cryptography modes for key
exchange (ECDH) and host and user keys (ECDSA) as specified
by RFC 5656 has been added to the openssh packages.
However, they are not enabled by default and the user
has to enable them manually.

See also :

http://www.nessus.org/u?0d90dcb6

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 78641

CVE ID: CVE-2014-2532, CVE-2014-2653
