7

I am using OpenSSH version 7.4p1. In the CVE database I found that cpe:/a:openbsd:openssh:7.4:p1 is vulnerable to CVE-2017-15906: https://www.cvedetails.com/cve/CVE-2017-15906/.

Does this mean that my version is affected for sure, or is it possible that this version has the same number but is already patched? How can I verify this?

muru
user187205

4 Answers

11

CentOS is just a rebuild of RHEL, so your system is safe if you updated to openssh-7.4p1-16.el7 or similar, as shipped in CentOS 7.

There is a CVE database in the Red Hat access portal:

https://access.redhat.com/security/cve/cve-2017-15906

It has links to the errata fixing the issues and a listing of the packages fixing the specific issue:

https://access.redhat.com/errata/RHSA-2018:0980

Similarly you can get the changelog of your installed package and it should list something related to this CVE number.

Disclaimer: I was fixing that package in this RHEL version.

Jakuje
7

Got fixed in 7.4p1-16, way back in November 2017.

$ rpm -q openssh-server
openssh-server-7.4p1-16.el7.x86_64
$ rpm -q --changelog openssh-server | grep CVE-2017-15906
- Fix for CVE-2017-15906 (#1517226)
$ rpm -q --changelog openssh-server | head
* Fri Nov 24 2017 Jakub Jelen <[email protected]> - 7.4p1-16 + 0.10.3-2
- Fix for CVE-2017-15906 (#1517226)

* Mon Nov 06 2017 Jakub Jelen <[email protected]> - 7.4p1-15 + 0.10.3-2
- Do not hang if SSH AuthorizedKeysCommand output is too large (#1496467)
- Do not segfault pam_ssh_agent_auth if keyfile is missing (#1494268)
- Do not segfault in audit code during cleanup (#1488083)
- Add WinSCP 5.10+ compatibility (#1496808)
- Clatch between ClientAlive and rekeying timeouts (#1480510)
- Exclude dsa and ed25519 from default proposed keys in FIPS mode (#1456853)
$
steve
  • 1
    handy tip - `grep -A20` for "twenty lines `A`fter a match" (and its friends, `-B`efore and `-C`ontext) – Riking Jul 04 '18 at 06:11
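A scripted form of the check the two answers above describe (reading the installed package's changelog and comparing its version with the entry that fixed the CVE). This is an added example, not code from the answers or from Red Hat: it parses `rpm -q --changelog` output with a simplified rpmvercmp, and the embedded changelog is a constructed sample taken from the transcript above with a placeholder maintainer address.

```python
import re
# Constructed sample (maintainer e-mail is a placeholder): the two newest
# entries of `rpm -q --changelog openssh-server` quoted in the answer above.
SAMPLE_CHANGELOG = """\
* Fri Nov 24 2017 Jakub Jelen <maintainer@example.com> - 7.4p1-16 + 0.10.3-2
- Fix for CVE-2017-15906 (#1517226)
* Mon Nov 06 2017 Jakub Jelen <maintainer@example.com> - 7.4p1-15 + 0.10.3-2
- Do not hang if SSH AuthorizedKeysCommand output is too large (#1496467)
"""
# Entry header: "* Fri Nov 24 2017 <author> - <version-release> ..."
HEADER = re.compile(r"^\* \w{3} \w{3} +\d+ \d{4} (.*?) - (\S+)")

def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: alnum segments, digits numeric, digits beat letters."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x != y:
            if x.isdigit() and y.isdigit():
                return (int(x) > int(y)) - (int(x) < int(y))
            if x.isdigit() != y.isdigit():
                return 1 if x.isdigit() else -1
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)

def installed_vr(nvra: str) -> str:
    """'openssh-server-7.4p1-16.el7.x86_64' -> '7.4p1-16.el7' (drop arch, name)."""
    _name, ver, rel = nvra.rsplit(".", 1)[0].rsplit("-", 2)
    return f"{ver}-{rel}"

def fix_entry_for(changelog: str, cve: str):
    """Version-release of the oldest entry mentioning `cve` (newest first), else None."""
    current, found = None, None
    for line in changelog.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(2)
        elif cve in line and current:
            found = current
    return found

def cve_fixed(nvra: str, changelog: str, cve: str) -> bool:
    """True when the installed package is at or past the entry that fixed `cve`."""
    fix = fix_entry_for(changelog, cve)
    return fix is not None and compare_vr(installed_vr(nvra), fix) >= 0
```

On a live system, feed `cve_fixed` the output of `rpm -q openssh-server` and `rpm -q --changelog openssh-server`; a `None` from `fix_entry_for` means the changelog never mentions the CVE, which is the case that needs a look at the vendor's errata rather than a version-number guess.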
2

OpenSSH 7.4p1 is affected by CVE-2017-15906.

... unless the distributor of that OpenSSH package has patched it.

An example of a distributor patching this particular CVE in an affected OpenSSH package may be found in this changelog entry for 7.5p1 on Ubuntu (they have not distributed a patched 7.4p1 as far as I could see after only a brief look):

openssh (1:7.5p1-10ubuntu0.1) artful-security; urgency=medium
  * SECURITY UPDATE: DoS via zero-length file creation in readonly mode
    - debian/patches/CVE-2017-15906.patch: disallow creation of empty files
      in sftp-server.c.
    - CVE-2017-15906

 -- Marc Deslauriers <[email protected]>  Tue, 16 Jan 2018 08:28:47 -0500

Similarly for Fedora (7.4p1).

Unfortunately, CentOS does not seem to have an easily accessible database of package updates (that I could find).

Kusalananda
1

According to Bugzilla, the security bug is fixed in version 7.6 for systems based on RHEL 7:

Fixed In Version: openssh 7.6

The description of RHEL CVE-2017-15906:

The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

This information is also available in the OpenSSH 7.6 release notes:

Changes since OpenSSH 7.5

Security

  • sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski.

The bug was fixed on 10 Apr 2018 for openssh-7.4p1: openssh security, bug fix, and enhancement update

GAD3R
  • 1
    Probably the first link is bad? Anyway, there is no openssh 7.6 in RHEL/CentOS – Jakuje Jul 03 '18 at 21:04
  • 2
    But this still does not answer the question of whether version 7.4 in CentOS is vulnerable or not. I will not let you wait any longer. Just see my answer that will reveal that secret for you :) – Jakuje Jul 03 '18 at 21:08