Network Management

We are currently running Airwave 7.4.5. Our Information Security department completed a vulnerability scan of the server and had several findings that they have asked me to address. One of the most concerning issues was a vulnerability with OpenSSH 4.3. Specifically "OpenSSH X11 Cookie Local Authentication Bypass Vulnerability". Apparently this was vulnerability was resolved in version 4.7. Can anyone confirm if the newest version of Airwave updates OpenSSH? If not, can SSH be disabled completed?

Also, there was a vulnerability in OpenSSH X11UseLocalhost configuration. This is already resolved in OpenSSH version 5.1

Second, a weak cryptographic key. They have suggested that we generate a longer key and recreate the certificate. Can this be done?

I appreciate the input. Thanks

I don't currently have an AMP 7.4.5 running, but here's the ouput from AMP 7.5.5:

# rpm -qa | grep -i openssl
perl-Crypt-OpenSSL-RSA-0.25-10.1.el6.x86_64
openssl098e-0.9.8e-17.el6.centos.2.x86_64
perl-Crypt-OpenSSL-Random-0.04-9.1.el6.x86_64
perl-Crypt-OpenSSL-Bignum-0.04-8.1.el6.x86_64
openssl-1.0.0-20.el6_2.5.x86_64

It may be easier for you to upgrade to the latest version and have your security group run their vulnerability scan again.

For certs, you can try following the methods documented in: kb.airwave.com (search keyword: cert).

If you have any difficulties, I believe support has received similar inquiries and might have a quick answer.

Thanks, Rob. I'm definitely planning on upgrading to the newest version. Hopefully that will take care of these issues. I'm still not sure about OpenSSH version though. Shouldn't someone from Aruba be able to confirm what version is in use with the newest version of Airwave?

# rpm -qa | grep -i openssh
openssh-clients-5.3p1-81.el6.x86_64
openssh-5.3p1-81.el6.x86_64
openssh-server-5.3p1-81.el6.x86_64
aw-perl-Net-OpenSSH-0.53_02-1.noarch

Per OpenSSH, OpenSSH 5.1 or newer are not vulnerable to the X11UseLocalhost issue.  AMP 7.5.5 has OpenSSH 5.3.

I updated to 7.5.5 earlier today and here is what I'm seeing? Am I missing somethign?

============================================

[root@mg-airwave mercury]# rpm -qa | grep -i openssh
openssh-server-4.3p2-41.el5.x86_64
openssh-clients-4.3p2-41.el5.x86_64
aw-perl-Net-OpenSSH-0.53_02-1.noarch
openssh-4.3p2-41.el5.x86_64

============================================

Here is mine...

[root@aw-1 mercury]# rpm -qa | grep -i openssh
openssh-clients-5.3p1-70.el6.x86_64
aw-perl-Net-OpenSSH-0.53_02-1.noarch
openssh-5.3p1-70.el6.x86_64
openssh-server-5.3p1-70.el6.x86_64

Odd that yours is not like that

Looks like not all of your packages aren't getting upgraded.  Do you have the default install with CentOS?  Please send the output of:

# cat /etc/redhat-release

# cat /var/log/AMP-upgrade-version-history.log

We'll try to replicate the same in our lab.

I'm betting that this is the difference between running an older version of the OS, CentOS 5.5, as opposed to the newer Airwave install on CentOS 6.2.

I'm currently running CentOS 5.5 with the same output as you:

rpm -qa | grep -i openssh
openssh-server-4.3p2-41.el5.x86_64
openssh-clients-4.3p2-41.el5.x86_64
aw-perl-Net-OpenSSH-0.53_02-1.noarch
openssh-4.3p2-41.el5.x86_64

You'll need to install the latest version of Airwave with CentOS 6.2 and migrate your DB.

If you're really concerned about it, just edit your IPTables to only allow local traffic to access your server.  You can still download updates this way and it protects your server from outside snooping.

Looks like you're right about the CenOS. I did the upgrade to 7.5.5. I don't recall reading anything about upgrading CentOS. Is there a document that explains all of this? What other reason would one have to upgrade CentOS?

===========================================================

[root@mg-airwave mercury]# cat /etc/redhat-release
CentOS release 5.5 (Final)

[root@mg-airwave mercury]# cat /var/log/AMP-upgrade-version-history.log
cat: /var/log/AMP-upgrade-version-history.log: No such file or directory
===========================================================

The upgrade to CentOS 6.x was done for the newer packages that are pre-bundled into the OS. AirWave is typically mirrored to the latest CentOS available.  Some of the packaged helped increase performance, others address security issues.

Looks like your upgrade file isn't in the same location.  Do you recall the path of upgrades you took?  If not, try:

# locate AMP-upgrade-version-history.log

There doesn't seem to be a knowledge base article for the CentOS 6.2 upgrade, but it's similar to the CentOS4 to 5 upgrade process.  You upgrade to the latest version, take a backup of your AMP, pull the backup off server, reinstall with the latest ISO, then copy back the backup, and restore it.  Support can help guide you through this process if you have any problems.  The key is to make sure you grab a backup from /var/airwave-backup.

I'm not sure that the upgrade history is all that useful.

I installed 7.4.8 and restored DB from backup.

My history shows upgrade from 7.3.5 in steps all the way to current.

That's correct, but doesn't speak to the OS version -- which I see is still CentOS5.5 so I'm going to have to re-install again.

--Matthew

Unfortunately, a lot of security scanners simply do a dumb scan for a version string they think is vulnerable. In RHEL (centos), a lot of security fixes will get backported to an older version, though the version string will look the same to the scanner. Looking more closely at the reported errors:

---

@Clayman wrote:

Specifically "OpenSSH X11 Cookie Local Authentication Bypass Vulnerability".

 

Also, there was a vulnerability in OpenSSH X11UseLocalhost configuration.

---

The former seems to correspond to CVE-2007-4752 and the latter to CVE-2008-3259.

According to Redhat, the second is a non-issue: "This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5."

As for the first, there was an errata (RHSA-2008:0855-6) to fix the problem on an earlier update (openssh-4.3p2-26.el5_2.1) than what is currently running on your server (openssh-4.3p2-41.el5). Looking at the changelog for the rpm on an AMP here:

# rpm -q openssh --changelog |  grep -C 1 CVE-2007-4752
* Fri Aug 15 2008 Dennis Gregorovic <dgregor@redhat.com> - 4.3p2-26.el5_2.1
- CVE-2007-4752 - Prevent ssh(1) from using a trusted X11 cookie if creation of an
  untrusted cookie fails (#280361)

Just to confirm that my AMP matches yours:

# rpm -qa | grep openssh
openssh-server-4.3p2-41.el5.x86_64
openssh-clients-4.3p2-41.el5.x86_64
openssh-4.3p2-41.el5.x86_64