Scientific Linux Security Update : openssh on SL7.x x86_64

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

It was discovered that OpenSSH clients did not correctly verify DNS
SSHFP records. A malicious server could use this flaw to make a
connecting client skip the DNS SSHFP record check, leaving the user
to verify the host key manually instead. (CVE-2014-2653)
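The following is an added example, not OpenSSH code and not part of the plugin, showing how a client matches a server's host key against DNS SSHFP records (RFC 4255, with the SHA-256 and ECDSA additions of RFC 6594 and the Ed25519 algorithm number of RFC 7479) and what action each outcome should map to. The point the advisory makes is that "no usable records" must never be treated as verification: a mismatch means refusing the key, and an absent or unusable record set means falling back to known_hosts and manual checking, which is exactly the state a malicious server could force. The key blob and the records are constructed for the example; only the ssh-ed25519 blob layout is built.

```python
# Added example (not OpenSSH code): SSHFP record matching and the resulting client action.
import hashlib
import hmac
import struct

# SSHFP algorithm numbers: RSA=1, DSA=2 (RFC 4255), ECDSA=3 (RFC 6594), Ed25519=4 (RFC 7479)
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(public_key: bytes) -> bytes:
    """Wire-format ssh-ed25519 public key blob: string("ssh-ed25519") + string(32-byte key)."""
    if len(public_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(public_key)


def sshfp_fingerprint(key_blob: bytes, fptype: int) -> str:
    """The SSHFP fingerprint is the hash of the raw public key blob, written in hex."""
    return SSHFP_HASH[fptype](key_blob).hexdigest()


def check_sshfp(key_type: str, key_blob: bytes, records) -> str:
    """records: iterable of (algorithm, fptype, hex_fingerprint) tuples as served by DNS.
    Returns 'match', 'mismatch' or 'no-records'."""
    alg = SSHFP_ALG[key_type]
    # Records for another algorithm or an unknown hash type are ignored, never trusted.
    relevant = [(fptype, fp) for (a, fptype, fp) in records
                if a == alg and fptype in SSHFP_HASH]
    if not relevant:
        return "no-records"
    for fptype, fp in relevant:
        expected = sshfp_fingerprint(key_blob, fptype).encode()
        if hmac.compare_digest(expected, fp.lower().encode()):
            return "match"
    return "mismatch"


def host_key_action(result: str) -> str:
    """Map the check result to what the client should do (RFC 4255 assumes a DNSSEC-validated answer)."""
    return {
        "match": "accept host key as DNS-verified",
        "mismatch": "refuse connection: published fingerprints disagree with the presented key",
        "no-records": "fall back to known_hosts / manual fingerprint verification",
    }[result]


# Constructed sample: a dummy 32-byte key and the records an operator would publish for it.
SAMPLE_BLOB = make_ed25519_blob(bytes(range(32)))
SAMPLE_RECORDS = [
    (4, 2, sshfp_fingerprint(SAMPLE_BLOB, 2)),  # Ed25519 / SHA-256
    (4, 1, sshfp_fingerprint(SAMPLE_BLOB, 1)),  # Ed25519 / SHA-1
    (1, 2, "00" * 32),                           # an RSA record, irrelevant to an ed25519 key
]

if __name__ == "__main__":
    for recs in (SAMPLE_RECORDS, [(4, 2, "00" * 32)], [(1, 2, "00" * 32)]):
        result = check_sshfp("ssh-ed25519", SAMPLE_BLOB, recs)
        print(result, "->", host_key_action(result))
```

The fingerprint is taken over the same base64-decoded blob that appears in a `known_hosts` line, which is why `ssh-keygen -r` can generate the records directly from the host's public key file.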

It was found that when OpenSSH was used in a Kerberos environment,
remote authenticated users were allowed to log in as a different user
if they were listed in the ~/.k5users file of that user, potentially
bypassing intended authentication restrictions. (CVE-2014-9278)

The openssh packages have been upgraded to upstream version 6.6.1,
which provides a number of bug fixes and enhancements over the
previous version.

Bug fixes :

- Logging through the syslog utility requires an existing
/dev/log socket, which is not available in chroot
environments rooted in users' home directories. As a
consequence, sftp commands run in such a chroot were not
logged by the internal sftp subsystem. With this update,
openssh detects whether /dev/log exists. If it does not,
processes in the chroot environment send their log
messages through their master process instead.

- The buffer size for a host name was limited to 64 bytes.
As a consequence, when a host name was 64 bytes long or
longer, the ssh-keygen utility failed. The buffer size
has been increased to fix this bug, and ssh-keygen no
longer fails in the described situation.

- Previously, non-ASCII characters in banner messages were
replaced by their octal representations to prevent
terminal re-programming attacks. Consequently, banners
containing UTF-8 strings were not displayed correctly in
a client. With this update, banner messages are
processed according to RFC 3454: control characters are
removed, and banners containing UTF-8 strings are now
displayed correctly.

- Scientific Linux uses persistent Kerberos credential
caches, which are shared between sessions. Previously,
the GSSAPICleanupCredentials option was set to 'yes' by
default. Consequently, removing a Kerberos cache on
logout could remove unrelated credentials of other
sessions, which could make the system unusable. To fix
this bug, GSSAPICleanupCredentials is set by default to
'no'.

- Access permissions for the /etc/ssh/moduli file were set
to 0600, which was unnecessarily strict. With this
update, the permissions for /etc/ssh/moduli have been
changed to 0644 so that the file is readable by all users.

- Due to the KRB5CCNAME variable being truncated, the
Kerberos ticket cache was not found after login using a
Kerberos-enabled SSH connection. The underlying source
code has been modified to fix this bug, and Kerberos
authentication works as expected in the described
situation.
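The banner fix above is easy to misread, so here is an added example (not OpenSSH code) contrasting the two strategies: the old one, approximated here as octal-escaping every byte outside printable ASCII, which blocks terminal re-programming but mangles UTF-8; and the new one, which decodes the banner as UTF-8 and removes control characters. RFC 3454's prohibited-control tables are approximated by the Unicode categories Cc (control) and Cf (format), and newline and tab are kept in both variants; the sample banner is constructed.

```python
# Added example (not OpenSSH code): old octal escaping versus new control-character removal.
import unicodedata

KEEP_WHITESPACE = "\n\t"
CONTROL_CATEGORIES = ("Cc", "Cf")   # approximation of RFC 3454 tables C.2.1 / C.2.2


def escape_non_ascii_octal(banner: bytes) -> str:
    """Old behaviour (approximation): every byte outside printable ASCII becomes \\ooo."""
    out = []
    for b in banner:
        if 0x20 <= b < 0x7F or chr(b) in KEEP_WHITESPACE:
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)   # UTF-8 bytes are escaped too, so accents are lost
    return "".join(out)


def sanitize_utf8_banner(banner: bytes) -> str:
    """New behaviour: decode as UTF-8, drop control/format characters, keep everything else."""
    text = banner.decode("utf-8", errors="replace")
    return "".join(
        ch for ch in text
        if ch in KEEP_WHITESPACE or unicodedata.category(ch) not in CONTROL_CATEGORIES
    )


def stripped_controls(banner: bytes) -> list:
    """List the control characters a banner contained, e.g. for a log line explaining why it was altered."""
    text = banner.decode("utf-8", errors="replace")
    return ["U+%04X" % ord(ch) for ch in text
            if ch not in KEEP_WHITESPACE and unicodedata.category(ch) in CONTROL_CATEGORIES]


# Constructed sample: a UTF-8 greeting followed by an ESC ] 0 ; ... BEL sequence
# (an xterm title-set command), the sort of terminal re-programming the update guards against.
SAMPLE_BANNER = "Bienvenue à l'école\n".encode("utf-8") + b"\x1b]0;title\x07"

if __name__ == "__main__":
    print("old:", escape_non_ascii_octal(SAMPLE_BANNER))
    print("new:", sanitize_utf8_banner(SAMPLE_BANNER))
    print("stripped:", stripped_controls(SAMPLE_BANNER))
```

Note that only the control characters are removed; the printable remainder of an escape sequence (here `]0;title`) is displayed as ordinary text, which is harmless once the ESC and BEL that gave it meaning are gone.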

Enhancements :

- When the sshd daemon is configured to force the internal
SFTP subsystem and a connection other than SFTP is
attempted, an appropriate message is now logged to the
/var/log/secure file.

- The sshd-keygen service was run using the
'ExecStartPre=-/usr/sbin/sshd-keygen' option in the
sshd.service unit file. With this update, the separate
sshd-keygen.service unit file has been added, and
sshd.service has been adjusted to require
sshd-keygen.service.

See also :

http://www.nessus.org/u?7cd45b81

Solution :

Update the affected packages.
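As an added check that is not part of the Nessus plugin, the script below reads the output of `rpm -q openssh openssh-clients openssh-server` and flags packages whose upstream version is below 6.6.1, the version this advisory says the packages were upgraded to. It assumes the version comparison alone is a usable proxy for "updated": the fixed package release is not stated on this page, so the comparison uses the upstream version only, whereas the plugin compares against the exact errata release. The sample `rpm -q` output is constructed.

```python
# Added example (not part of the Nessus plugin): flag openssh packages below the advisory's version.
import re
import subprocess

ADVISORY_VERSION = "6.6.1"   # upstream version named in the advisory
PACKAGES = ("openssh", "openssh-clients", "openssh-server")

NEVRA_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")


def parse_nevra(line: str):
    """Split 'name-version-release.arch' into its fields; return None for other lines."""
    m = NEVRA_RE.match(line.strip())
    return m.groupdict() if m else None


def _segments(version: str):
    # rpm compares runs of digits and runs of letters as separate segments
    return re.findall(r"\d+|[A-Za-z]+", version)


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (no '~'/'^' handling): numeric segments compare as integers,
    alphabetic ones as strings, numeric beats alphabetic, and on a common prefix the
    version with more segments is newer (so 6.6.1p1 > 6.6.1)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def find_outdated(rpm_q_output: str) -> list:
    """Return the names of advisory packages whose version is below ADVISORY_VERSION."""
    outdated = []
    for line in rpm_q_output.splitlines():
        pkg = parse_nevra(line)
        if pkg is None or pkg["name"] not in PACKAGES:
            continue   # skips 'package X is not installed' and unrelated lines
        if rpm_vercmp(pkg["ver"], ADVISORY_VERSION) < 0:
            outdated.append(pkg["name"])
    return outdated


# Constructed sample output (not captured from a real host)
SAMPLE_RPM_Q = """\
openssh-6.4p1-8.el7.x86_64
openssh-clients-6.4p1-8.el7.x86_64
openssh-server-6.6.1p1-11.el7.x86_64
package openssh-keycat is not installed
"""

if __name__ == "__main__":
    try:
        output = subprocess.run(["rpm", "-q", *PACKAGES],
                                capture_output=True, text=True).stdout
    except FileNotFoundError:       # no rpm on this machine: demonstrate on the sample
        output = SAMPLE_RPM_Q
    print("outdated:", find_outdated(output) or "none")
```

Because vendors backport security fixes without bumping the upstream version, a version comparison can produce false positives; on an RPM host, `rpm -q --changelog openssh-server | grep CVE-2014-2653` is the complementary check that confirms whether the specific fix is present.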

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 82258

CVE ID: CVE-2014-2653, CVE-2014-9278
