PDA

View Full Version : OpenSSL & OpenSSH vulnerable ?


ghaefb
15th September 2004, 11:18 AM
I did a rootkit check on my FC2 machine today.
Actually I used Rootkit Hunter -> http://www.rootkit.nl/projects/rootkit_hunter.html

It reported:
OpenSSL 0.9.7a [vulnerable]
OpenSSH 3.6.1p2 [vulnerable]

Watch out Root login possible. Possible risk!
So it looks like those versions on SSL/SSH are vulnerable.
I looked for an update rpm... didn't find anything for FC2.

I know I'm being paranoid, but what do you guys think :)

superbnerd
15th September 2004, 11:22 AM
when it says "root login possible," does it mean a vulnerability that would allow escalation, or does it just mean you forgot to disable root login vi ssh?
are there rpms vir yum for rootkit hunter?

imdeemvp
15th September 2004, 11:23 AM
servers issue also?

zephlyn
15th September 2004, 11:47 AM
edit /etc/ssh/sshd_config with PermitRootLogin no

ghaefb
15th September 2004, 12:31 PM
edit /etc/ssh/sshd_config with PermitRootLogin no
I see.... this fixes "Watch out Root login possible. Possible risk!"

But the SSL & SSH are still vulnerable.
Application version scan reports this. It returns "Vulnerable applications: 2"
* Application version scan
- GnuPG 1.2.4 K]
- OpenSSL 0.9.7a ulnerable]
- Procmail MTA 3.22 K]
- OpenSSH 3.6.1p2 ulnerable]

are there rpms vir yum for rootkit hunter?
I don't know.. just download tar.gz. It has an installer script, really easy to install.

mikecurry
15th September 2004, 01:58 PM
I think the programs are just pointing out that if somebody gets hold of the passwords to access your machine through SSH, they can completely screw it, even moreso if the get in as root. Root logins allowed by default is another one of the vunerabilities that Fedora has. If you do not intend t remotly administer your machines, then you can just disable / uninstall SSH... but for most remote administration is essential.

superbnerd
15th September 2004, 10:40 PM
@mikecurry
ssh is not only used for remote administration. many people use it for, guess what, secure remote login. you can run X over it, or any application including vnc. many use it as a secure way of using your computer when you're not at your computer. however, it would be wise to disable remote root login by default.

email68
18th October 2004, 04:42 AM
I was about to post a seperate thread asking about security of ssh and ssl.

I have been playing around with these on my FC2 box.

It seems when you connect to the ports where these are active, the remote merely asks you if you trust the source certificate. You say ok and off you go.

Granted you now need the login and password. However you get to that point.

So my question is how secure are these technologies if you automatically get the key when you try to log into the port?

What good are the keys and certificates if you still get a log in prompt?

-email68

crackers
18th October 2004, 06:06 AM
It's actually pretty simple: you trust them, not the other way 'round. For SSH, you still have to provide your credentials (login) to get access. if you're set up to be the server, you're basically saying, "Look - here's my credentials, you can trust me." As for the key encryption, take a look at $HOME/.ssh/known_hosts and you can see the encrypted keys. Obviously, for further reading man ssh and http://www.google.com/search?hl=en&lr=&q=rsa+authenication+public+key&btnG=Search

pigpen
19th October 2004, 12:10 AM
I was about to post a seperate thread asking about security of ssh and ssl.
...

... me too. so to come back to the initial question: Are our versions of OpenSSH and OpenSSL vulnerable or are they not?
Or does the Fedora team backport patches for security holes from newer versions?

blammo
19th October 2004, 01:32 AM
I think you hit the nail on the head. In the rkhunter FAQ it says that these are probably false positives because they are patched.

pigpen
19th October 2004, 02:01 PM
Ok. Let's hope so ;)