
First time 'asker' on here, but wanted to say thanks to how much I've used this site and reading answers to questions I've had!

Anyway, lately I've been having issues with a customer of ours whose server is failing the PCI Compliance scan from Trustwave. The problem in particular is with OpenSSH being vulnerable and needing to be updated to the latest 4.4. However, according to the CVE numbers they provided, it looks like the version the server is running has been patched. I could be reading it wrong, but from what I can tell there isn't a problem.

This is what the initial report said:

    Port: tcp/xxxx
    OpenSSH prior to version 4.4 is affected by multiple vulnerabilities that may allow for a remote attacker to execute arbitrary code on the affected device. This finding is based on version information which may not have been updated by previously installed patches (e.g., Red Hat "back ports"). Please submit a "Patched Service" dispute in TrustKeeper if this vulnerability has already been patched.
    CVE:         CVE-2006-5051, CVE-2006-5052
    NVD:         CVE-2006-5051, CVE-2006-5052
    Bugtraq:     20241, 20245
    CVSSv2:      AV:N/AC:M/Au:N/C:C/I:C/A:C
    Service:     ssh
    Evidence:    Match: '4.3' is less than '4.4'
    Remediation: This issue was fixed in OpenSSH version 4.4. Upgrade to a recent/stable version
    Patches:     http://www.openssh.com/

So we filed a dispute with the following information from our server:

    [root@host ~]# rpm -q centos-release
    centos-release-5-10.el5.centos

    [root@host ~]# rpm -qa | grep -i ssh
    openssh-4.3p2-82.el5
    openssh-clients-4.3p2-82.el5
    openssh-server-4.3p2-82.el5

And all they responded with was this:

We have denied this dispute based on the information provided. The information provided does not appear to be related to the vulnerability that this finding is regarding.

According to the CVE database links below, aren't we running a patched version of OpenSSH?

https://access.redhat.com/security/cve/CVE-2006-5051

https://access.redhat.com/security/cve/CVE-2006-5052

If not, where am I getting turned around at? Thanks for your time and any input would be greatly appreciated!

EDIT:

I ended up submitting the following, which apparently was good enough for Trustwave to believe me when I told them our releases had been backported.

    # rpm -q --changelog openssh-server-4.3p2-82.el5 | grep "CVE-2007-4752"
    - CVE-2007-4752 - Prevent ssh(1) from using a trusted X11 cookie if creation of an

    # rpm -q --changelog openssh-server-4.3p2-82.el5 | grep "CVE-2006-5794"
    - CVE-2006-5794 - properly detect failed key verify in monitor (#214642)

    # rpm -q --changelog openssh-server-4.3p2-82.el5 | grep "CVE-2006-5051"
    - CVE-2006-5051 - don't call cleanups from signal handler (#208459)

    # rpm -q --changelog openssh-server-4.3p2-82.el5 | grep "CVE-2006-5052"
    - fix an information leak in Kerberos password authentication (CVE-2006-5052)

CVE-2008-1483: This has also been patched in Red Hat/CentOS releases (https://access.redhat.com/security/cve/CVE-2008-1483). To be sure, we have disabled X11 forwarding in SSH as it shouldn't be needed anyway.

oinkerz

1 Answer

Without checking, I'm going to assume that your CentOS RPMs contain backported fixes which address the CVEs listed in their report. (That's how RedHat does it, and CentOS is RedHat in this regard.) Because of this, your packages are probably immune to issues that their banner would otherwise indicate they're vulnerable to.

What you need to provide Trustwave with is the version you're running (which you've done) but also the evidence that this version contains fixes for the CVE IDs they think you're vulnerable to. If you go to the RedHat CVE database, it will tell you which versions include the patches for a given CVE; just collect those links and submit them to Trustwave.

gowenfawr
  • Thanks for the feedback. You are correct when you say the RPMs contain the backported fixes, which is why I'm a little stumped since I provided them the exact versions. I guess as you said I need to supply them with a link to the CVE database specifying, even though that seems a bit silly. I guess they are too lazy to check on their own :P – oinkerz Aug 06 '14 at 18:45
  • I'm not sure I'd call it lazy, but yes. Their job is not to track things down, it's to make sure that the information someone tracked down for them adds up and looks credible. – gowenfawr Aug 06 '14 at 18:47
  • Just to follow up, I ended up basically grepping the changelogs and they accepted that... finally. – oinkerz Aug 12 '14 at 15:53
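As an added example (not code from the question, the answer, or Trustwave), the following script automates the check both posts end up at: it parses `rpm -q --changelog` output, maps every CVE ID mentioned to the package release whose changelog entry mentions it, and produces a per-CVE "patched in" / "not found" summary suitable for a dispute. The changelog sample is constructed from the lines quoted in the question; the entry headers (dates, packager, release numbers) are placeholders.

```python
import re
import subprocess
import sys
from collections import defaultdict

# Constructed sample in `rpm -q --changelog` format. The "- CVE-..." lines are the
# ones quoted in the question; the "* <date> <packager> - <release>" headers are
# placeholders, not the real openssh-server-4.3p2-82.el5 changelog.
SAMPLE_CHANGELOG = """\
* Mon Jan 01 2014 Example Packager <packager@example.invalid> - 4.3p2-82
- fix an information leak in Kerberos password authentication (CVE-2006-5052)
- CVE-2007-4752 - Prevent ssh(1) from using a trusted X11 cookie
* Mon Jan 01 2007 Example Packager <packager@example.invalid> - 4.3p2-20
- CVE-2006-5794 - properly detect failed key verify in monitor (#214642)
- CVE-2006-5051 - don't call cleanups from signal handler (#208459)
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
# rpm changelog entry header: "* <date> <packager> - <version-release>"
ENTRY_RE = re.compile(r"^\* (.+?) - (\S+)$")


def parse_changelog(text):
    """Return {CVE id: set of releases whose changelog entry mentions it}."""
    fixed = defaultdict(set)
    release = "unknown release"
    for line in text.splitlines():
        if line.startswith("* "):          # new entry: remember its release
            m = ENTRY_RE.match(line)
            release = m.group(2) if m else "unknown release"
            continue
        for cve in CVE_RE.findall(line):   # an item may name several CVEs
            fixed[cve.upper()].add(release)
    return dict(fixed)


def check_cves(text, cves):
    """For each queried CVE, the sorted releases that mention it ([] if none)."""
    fixed = parse_changelog(text)
    return {c.upper(): sorted(fixed.get(c.upper(), ())) for c in cves}


def report(text, cves):
    """One line per CVE: evidence of a backported fix, or an explicit gap."""
    rows = []
    for cve, releases in check_cves(text, cves).items():
        status = ("patched in " + ", ".join(releases)) if releases else "NOT FOUND in changelog"
        rows.append(f"{cve}: {status}")
    return "\n".join(rows)


if __name__ == "__main__":
    # Usage: script.py <package> CVE-... ; with no package, the constructed sample is used.
    if len(sys.argv) > 2:
        text = subprocess.run(["rpm", "-q", "--changelog", sys.argv[1]],
                              capture_output=True, text=True, check=True).stdout
        print(report(text, sys.argv[2:]))
    else:
        print(report(SAMPLE_CHANGELOG, ["CVE-2006-5051", "CVE-2006-5052", "CVE-2008-1483"]))
```

A CVE reported as NOT FOUND is not proof of exposure (Red Hat sometimes records a fix without the CVE ID, or the package may not be affected at all), so cross-check it against the vendor CVE pages the answer points to before treating it as an open finding.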