'The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.'
This CVE addresses a compromised server's ability to get the client to skip DNS SSHFP checks when connecting. It is neither the default nor the typical role for ClearOS to have SSH open to the outside world. Even so, this has been fixed on ClearOS 6 and later versions with backported fixes. Because of the minimal security risk that this bug presents, it is not planned to be fixed in ClearOS 5.
This issue is addressed in updated versions of ClearOS 6 and ClearOS 7.
For version 6 and version 7 of ClearOS, this issue has been fixed in openssh-5.3p1-104.el6.
Make sure that your system is up to date by running the following:
You can then validate that you are running openssh-5.3p1-104.el6 or later by running the following from the command line:
rpm -qi openssh
You may get an output like this:
Name        : openssh                      Relocations: (not relocatable)
Version     : 5.3p1                             Vendor: ClearFoundation <http://clearfoundation.com>
Release     : 104.el6_6.1                   Build Date: Fri 21 Nov 2014 10:27:07 AM MST
Install Date: Mon 16 Feb 2015 04:29:39 PM MST      Build Host: build64-6.clearsdn.local
Group       : Applications/Internet         Source RPM: openssh-5.3p1-104.el6_6.1.src.rpm
Size        : 785568                           License: BSD
Signature   : DSA/SHA1, Fri 21 Nov 2014 10:27:12 AM MST, Key ID 4242d0e05f17cd5a
Packager    : ClearFoundation <http://clearfoundation.com>
URL         : http://www.openssh.com/portable.html
Summary     : An open source implementation of SSH protocol versions 1 and 2
Description :
SSH (Secure SHell) is a program for logging into and executing commands on a
remote machine. SSH is intended to replace rlogin and rsh, and to provide secure
encrypted communications between two untrusted hosts over an insecure network.
X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure
channel.

OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to
date in terms of security and features.

This package includes the core files necessary for both the OpenSSH client and
server. To make this package useful, you should also install openssh-clients,
openssh-server, or both.
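Reading the Release line by eye is error-prone, since the installed build carries a dist suffix (104.el6_6.1) that must not be confused with the release number. The following POSIX shell functions are an added example, not part of the advisory: openssh_is_fixed parses a VERSION-RELEASE string of the form rpm prints and reports whether the build is at or past openssh-5.3p1-104.el6, and check_installed_openssh (assumed to run on a ClearOS 6 or 7 host) feeds it the installed package.

```shell
#!/bin/sh
# Added example: compare an installed openssh build against the fixed
# build named in the advisory, openssh-5.3p1-104.el6.
FIXED_VERSION="5.3p1"
FIXED_RELEASE_NUM=104

# openssh_is_fixed VERSION-RELEASE   (e.g. "5.3p1-104.el6_6.1")
# Exit status: 0 = at or past the fixed build
#              1 = older than the fixed build (or unparseable)
#              2 = a different upstream version line, where the
#                  advisory's 104 threshold does not apply
openssh_is_fixed() {
    vr="$1"
    case "$vr" in
        *-*) ;;
        *) return 1 ;;               # no VERSION-RELEASE separator
    esac
    version="${vr%%-*}"              # before the first '-'  -> 5.3p1
    release="${vr#*-}"               # after the first '-'   -> 104.el6_6.1
    relnum="${release%%.*}"          # leading number only   -> 104
    if [ "$version" != "$FIXED_VERSION" ]; then
        return 2
    fi
    case "$relnum" in
        ''|*[!0-9]*) return 1 ;;     # release does not start with a number
    esac
    # The dist tag (el6, el6_6.1, ...) is ignored on purpose: only the
    # leading release number decides whether the backport is present.
    [ "$relnum" -ge "$FIXED_RELEASE_NUM" ]
}

# check_installed_openssh: query rpm for the installed package and report.
check_installed_openssh() {
    vr=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' openssh 2>/dev/null) || {
        echo "openssh is not installed (or rpm is unavailable)"
        return 2
    }
    rc=0
    openssh_is_fixed "$vr" || rc=$?
    case "$rc" in
        0) echo "openssh-$vr: contains the fix (>= 5.3p1-104.el6)" ;;
        2) echo "openssh-$vr: different version line, compare manually" ;;
        *) echo "openssh-$vr: older than 5.3p1-104.el6, run the update" ;;
    esac
    return "$rc"
}
```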
To resolve this issue on ClearOS 5, either disable or restrict access to the SSH service, or upgrade your system to ClearOS 6. All support for ClearOS Enterprise 5 with subscriptions will end in December 2015. All support for ClearOS Enterprise 5 Community has already ended.