Tenable found OpenSSH PCI Disputed Vulnerabilities on CentOS 7

General support questions
Suresh_1829
Posts: 4
Joined: 2022/05/11 13:49:29

Tenable found OpenSSH PCI Disputed Vulnerabilities on CentOS 7

Post by Suresh_1829 » 2022/05/13 12:48:47

Hi Team,

In our infra we have servers installed with CentOS 7.
A recent scan (by Tenable) on the servers found a vulnerability with the current openssh version.

The current version of the openssh package is 7.4p1; please find the information below:

# rpm -qa | grep openssh
openssh-7.4p1-22.el7_9.x86_64
openssh-clients-7.4p1-22.el7_9.x86_64
openssh-server-7.4p1-22.el7_9.x86_64

# uname -r
3.10.0-1160.62.1.el7.x86_64


Tenable is suggesting that we upgrade the openssh package to version 8.2 or higher on these machines.
But I am sure Red Hat/CentOS only started shipping openssh version 8.x from RHEL/CentOS 8.

So I don't think this is a best-practice method, I mean using an openssh package with version 8.x on CentOS 7;
I am sure this may lead to many issues due to incompatibility. Please correct me if I am wrong.

Could you please confirm whether this is a false positive and not applicable to CentOS 7? If it is not a false positive and is applicable
to CentOS 7, then please let us know the best recommended solution to address this issue.

Here is an article from Tenable regarding this: https://www.tenable.com/plugins/nessus/159492

Please let us know if you need any further information.

Thanks & Regards,
Surendra

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Tenable found OpenSSH PCI Disputed Vulnerabilities on CentOS 7

Post by TrevorH » 2022/05/13 14:28:28

You need them to tell you the specific CVE numbers of the flaws they think are present. Given those, you can then look at the output from rpm -q --changelog openssh to see if those CVEs are listed as fixed. For example:


* Thu Sep 30 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 7.4p1-22 + 0.10.3-2
- avoid segfault in Kerberos cache cleanup (#1999263)
- fix CVE-2021-41617 (#2008884)

And, no, upgrading to openssh 8.x is not practical or recommended. For a start, where would you get it from? No one supplies a packaged version of this, so you would have to build it yourself, and if you do that from source and install it then it will overwrite the one we supply, and next time there is an upgrade to ours it will back out your self-built version and maybe render it non-operational (which I guess is 'secure'!). Or you have to package it yourself and install it as an upgrade, in which case, next time there is a security vulnerability in it and Red Hat fix it, you would not get the updated version of 7.4p1 as your installed one would be a higher version. So you'd have to subscribe to the openssh mailing list to get notification that a newer version was out and then repackage it, rebuild it and reinstall it.

All far too much work. Stick with the CentOS version, run `yum update` regularly and get security updates to the installed copy automatically.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
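Added example, not from TrevorH's post or from the CentOS project: a small POSIX shell script that automates the check he describes, taking a list of CVE IDs and reporting which ones the package changelog mentions as fixed. It embeds a constructed changelog sample (only the single 7.4p1-22 entry quoted above) so it runs offline; on a real CentOS 7 host you pass the package name and it reads `rpm -q --changelog` instead. The function names are my own, and "not in changelog" deliberately does not mean "vulnerable": it also covers CVEs the vendor rated "Will not fix" or closed as not a bug, which is exactly the case discussed later in this thread.

```shell
#!/bin/sh
# Added example: check a list of CVE IDs against an RPM %changelog.
# Not from the thread or the CentOS project; function names are my own.

# Constructed sample changelog: the single 7.4p1-22 entry quoted in the thread.
# On a real host the text comes from `rpm -q --changelog <package>` instead.
SAMPLE_CHANGELOG='* Thu Sep 30 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 7.4p1-22 + 0.10.3-2
- avoid segfault in Kerberos cache cleanup (#1999263)
- fix CVE-2021-41617 (#2008884)'

# cve_in_changelog CHANGELOG_TEXT CVE_ID
# Exit 0 if CVE_ID appears in the changelog as a whole word, 1 otherwise.
# -F: fixed string; -i: scanner reports sometimes lower-case the IDs;
# -w: so that CVE-2021-4161 does not match CVE-2021-41617.
cve_in_changelog() {
    printf '%s\n' "$1" | grep -qiwF -- "$2"
}

# cve_status CHANGELOG_TEXT CVE_ID...
# One line per ID: "<id> fixed" or "<id> not-in-changelog".
# "not-in-changelog" is not proof the host is vulnerable: it also covers CVEs
# the vendor rated "Will not fix" or closed as not a bug, so look those up on
# the vendor's CVE page before reporting them as findings.
cve_status() {
    changelog=$1
    shift
    for cve in "$@"; do
        if cve_in_changelog "$changelog" "$cve"; then
            printf '%s fixed\n' "$cve"
        else
            printf '%s not-in-changelog\n' "$cve"
        fi
    done
}

# unfixed_cves CHANGELOG_TEXT CVE_ID...
# Print only the IDs the changelog does not mention, one per line,
# and exit 1 if there were any (handy as a gate in a patch-audit job).
unfixed_cves() {
    changelog=$1
    shift
    rc=0
    for cve in "$@"; do
        if ! cve_in_changelog "$changelog" "$cve"; then
            printf '%s\n' "$cve"
            rc=1
        fi
    done
    return $rc
}

# Command-line use on a real CentOS 7 host:
#   sh check_cves.sh openssh CVE-2021-41617 CVE-2020-15778 CVE-2016-20012
# With no arguments the script only defines the functions and the sample above.
if [ "$#" -ge 2 ]; then
    pkg=$1
    shift
    changelog=$(rpm -q --changelog "$pkg") || {
        printf 'cannot read changelog for %s\n' "$pkg" >&2
        exit 2
    }
    cve_status "$changelog" "$@"
fi
```

Run against the sample, CVE-2021-41617 comes back as fixed and the two CVEs named later in the thread come back as not-in-changelog, which is the point at which you consult the vendor's CVE page rather than the scanner's version-number heuristic.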

Suresh_1829
Posts: 4
Joined: 2022/05/11 13:49:29

Re: Tenable found OpenSSH PCI Disputed Vulnerabilities on CentOS 7

Post by Suresh_1829 » 2022/05/16 05:52:10

Hi,

The CentOS servers have been patched on a monthly basis and they are up to date.
So, shall I convey to my security team that this vulnerability is a false positive on the CentOS 7 servers, as we have been patching
the servers regularly and all the servers are up to date with the latest package versions from the CentOS repo?


Regards,
Surendra

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Tenable found OpenSSH PCI Disputed Vulnerabilities on CentOS 7

Post by jlehtone » 2022/05/16 09:09:48

https://access.redhat.com/security/cve/cve-2020-15778 says: "Will not fix" and explains:
In order to exploit this flaw, the attacker needs to social engineer or manipulate a system administrator (who has root access on the remote server) to run scp with a malicious command line parameter.

Upstream recommends the use of rsync in the place of scp for better security.
So, are you gullible? If yes, then you have a true positive and the only option is to replace CentOS 7 with some other distro. (Note that RHEL 8 is a "will not fix" too.)

https://access.redhat.com/security/cve/cve-2016-20012 says: "out of support scope" and states:
Although a CVE was assigned upstream, Red Hat doesn't consider it to be a security flaw and it won't receive any patch; also, the CVE was marked as disputed by MITRE. Considering that, Red Hat is closing this flaw as NOTABUG.
