Article ID: 6576, created on Aug 5, 2009, last review on May 11, 2014

  • Applies to:
  • H-Sphere

Symptoms

The Parallels H-Sphere Control Panel server cannot pass a PCI (Payment Card Industry) scan because of the following security warning reported for port/service "ssh (22/tcp)":
"OpenSSH X11 Session Hijacking Vulnerability"

Resolution

Official Statement from Red Hat (03/27/2008)
     Versions of openssh packages as shipped with Red Hat Enterprise Linux 4, and 5 were not vulnerable to this issue as it was mitigated as a side effect of another change.

Red Hat Enterprise Linux 2.1 and 3 are affected by this issue. The Red Hat Security Response Team has rated this issue as having low security impact.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1483

The Red Hat Bugzilla entry says:
"This issue is only exploitable on systems with IPv6 enabled, which is not by default on Red Hat Enterprise Linux 2.1 and 3. Therefore it was rated as having low security impact on those Red Hat Enterprise Linux versions. Issue is fixed in Red Hat Enterprise Linux 4 and 5."

Since Parallels H-Sphere does not support IPv6 on RHEL 3, this distribution is not affected in our case.

The additional fix is to disable X11 forwarding and GSSAPI authentication in sshd_config. The changes should look like:

# diff /etc/ssh/sshd_config.orig /etc/ssh/sshd_config
74c74
< GSSAPIAuthentication yes
---
 > GSSAPIAuthentication no
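Review bot: disabling GSSAPIAuthentication (line 74) is unrelated to the X11 session hijacking finding that triggered the scan; it is a general hardening change that will stop any Kerberos/GSSAPI-based SSH logins, so confirm none are in use on the host before applying it.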
76c76
< GSSAPICleanupCredentials yes
---
 > GSSAPICleanupCredentials no
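Review bot: changing GSSAPICleanupCredentials from yes to no (line 76) is not a hardening step. The option controls whether a user's GSSAPI credential cache is destroyed at logout, and "yes" is the safer value; with GSSAPIAuthentication disabled in the previous hunk it has no effect anyway, so leave it at yes.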
96c96
< X11Forwarding yes
---
 > X11Forwarding no
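Review bot: X11Forwarding no (line 96) is the change that actually addresses the scanner's OpenSSH X11 session hijacking finding (CVE-2008-1483). It only takes effect for new connections after sshd is restarted; sessions already established keep the forwarding settings they were started with.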

After that, restart the SSH server:
# /etc/init.d/sshd restart
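As an added check that is not part of the original article, the following POSIX shell script audits an sshd_config for the settings changed above before the PCI rescan. It applies sshd's own rule that the first occurrence of a keyword wins and that keywords are case-insensitive; the sample config it reads is constructed for the demonstration, and the compiled-in defaults it assumes are OpenSSH's (X11Forwarding no, GSSAPIAuthentication no).

```shell
#!/bin/sh
# Added example: audit sshd_config for the hardening described in the article.
# Assumes the "Keyword value" form of sshd_config and no Match blocks (none
# exist in the OpenSSH 3.x shipped with RHEL 3).

# Print the effective value of KEY in FILE, or DEFAULT when it is not set.
sshd_option() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == tolower(k) { print $2; exit }    # first occurrence wins, like sshd
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# Return 0 when FILE matches the hardened state, 1 otherwise; report each key.
check_sshd_hardening() {
    file=$1
    rc=0
    for pair in X11Forwarding:no GSSAPIAuthentication:no; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(sshd_option "$file" "$key" no)   # "no" is the compiled-in default for both
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "OK    $key $got"
        else
            echo "FAIL  $key is '$got', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample resembling a stock RHEL sshd_config before the change.
# Note the commented-out "#X11Forwarding no" that must be ignored.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# $OpenBSD: sshd_config (constructed sample)
Port 22
#X11Forwarding no
X11Forwarding yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF

check_sshd_hardening "$SAMPLE" || echo "sshd_config needs hardening before the PCI rescan"
```

Run it against /etc/ssh/sshd_config on the H-Sphere server instead of the sample to confirm the edits took effect after the restart.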
