OpenSSH Wildcards on AcceptEnv Vulnerability

Discussion in 'Linux Networking' started by wb4lai, Oct 8, 2015.

  1. wb4lai

    wb4lai Guest

    My network security people say they are getting an OpenSSH Wildcards on AcceptEnv Vulnerability when using Trustwave to scan IP address open to the public. I have done an Update and Upgrade successfully, but the vulnerability is still being detected.

    The event log shows the following pertinent information:

    Event Log: Server version: SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2

    I believe this is a Wheezy Debian.

    According to online info, Debian claims to have fixed this problem in the above version.

    Any ideas?
    wb4lai, Oct 8, 2015

  2. If it’s wheezy then have a look in
    /usr/share/doc/openssh-server/changelog.Debian.gz - you should find:

    openssh (1:6.0p1-4+deb7u1) stable-security; urgency=high

    * CVE-2014-2532: Disallow invalid characters in environment variable names
    to prevent bypassing AcceptEnv wildcard restrictions.
    * CVE-2014-2653: Attempt SSHFP lookup even if server presents a
    certificate (closes: #742513).

    -- Colin Watson <> Thu, 03 Apr 2014 00:05:17 +0100
    Richard Kettlewell, Oct 8, 2015

  3. wb4lai

    wb4lai Guest

    So I am very new to Linux. I am going to assume I use the "less" command to read the changelog.Debian.gz file. Then use zgrep -i CVE-2014-2532, if I find a CVE, to see if it has a fix installed?
    wb4lai, Oct 13, 2015
  4. You can do that if you're paranoid (not a bad thing nowadays), but just
    looking at the version number tells you that you indeed have a fixed
    Ian Zimmerman, Oct 14, 2015
  5. wb4lai

    wb4lai Guest

    I used zgrep -i and I found no reference to a fix of cve-2014-2532. It just brought back the description of cve-2014-2532.

    When I did a zgrep -i cve, I received several CVE descriptions and the following line: Fill in CVE identifier for ssh-vulnerability fixed in 1:4.7p1-10. I don't know if this has anything to do with cve-2014-2532 nor whether cve-2014-2532 is fixed or not.

    Opinions welcome!
    Bill White
    wb4lai, Oct 20, 2015
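
Added example (not part of any post in this thread): in a Debian changelog every entry belongs to the version stanza above it, so the stanza that mentions a CVE names the package version that shipped the fix. The shell functions below extract that version and compare it with an installed version; the function names and the placeholder deb7u2 stanza are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread.

# Constructed sample: the deb7u1 stanza is the one quoted in the thread; the
# deb7u2 stanza above it is a placeholder standing in for the newer upload.
sample_changelog() {
    cat <<'EOF'
openssh (1:6.0p1-4+deb7u2) stable-security; urgency=high

  * (constructed placeholder entry)

 -- Maintainer <>  (constructed date)

openssh (1:6.0p1-4+deb7u1) stable-security; urgency=high

  * CVE-2014-2532: Disallow invalid characters in environment variable names
    to prevent bypassing AcceptEnv wildcard restrictions.
  * CVE-2014-2653: Attempt SSHFP lookup even if server presents a
    certificate (closes: #742513).

 -- Colin Watson <>  Thu, 03 Apr 2014 00:05:17 +0100
EOF
}

# fix_version CVE-ID: reads changelog text on stdin and prints the version
# of the oldest stanza that mentions the CVE; exits 1 if none does.
fix_version() {
    awk -v cve="$1" '
        BEGIN { want = toupper(cve) }
        # Stanza header: "package (version) distribution; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(/ { ver = $2; gsub(/[()]/, "", ver); next }
        # Case-insensitive match on entry lines, tagged with their stanza.
        index(toupper($0), want) { found = ver }
        # Changelogs are newest-first, so the last match is the oldest upload.
        END { if (found != "") print found; else exit 1 }
    '
}

# is_fixed INSTALLED FIXED: true when INSTALLED >= FIXED under Debian
# version ordering (requires dpkg).
is_fixed() { dpkg --compare-versions "$1" ge "$2"; }

sample_changelog | fix_version cve-2014-2532
```

On a real host, pipe `zcat /usr/share/doc/openssh-server/changelog.Debian.gz` into `fix_version` and pass the output of `dpkg-query -W -f='${Version}' openssh-server` to `is_fixed` as the installed version.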