Was wondering which version of OpenSSH was installed with Astaro 4.008 and how it was implemented, considering the following issue listed with SANS:
*******************************
Widely Deployed Software
*******************************
OpenSSH Client Address Restriction Bypass
Affected Products:
OpenSSH version 3.6.1 and prior (all available versions)
Description:
OpenSSH allows administrators to limit the set of IP addresses that are permitted to connect to the SSH server. A vulnerability has been discovered that allows attackers to bypass OpenSSH's IP-based access controls and initiate an SSH connection from any remote address. To exploit the flaw, an attacker must be able to control the reverse DNS information for the attacking host -- the trick is to provide the IP address of an allowed host as part of the reverse DNS hostname string.
Risk: An IP address that should be denied access to the SSH server will be allowed to initiate a connection.
Deployment: Significant.
This vulnerability affects all installations of OpenSSH that utilize the IP-based access control feature.
Ease of Exploitation: Straightforward.
A challenge arises in that the attacker must be able to control the reverse DNS information for the attacking host. Further, if the target server has "VerifyReverseMapping" enabled, the attacker must control both the reverse and forward DNS information for the connecting client.
Status: Vendor confirmed. The OpenSSH developers recommend implementing IP address-based filtering at the network perimeter to limit exposure to attacks from the Internet. Further, enabling "VerifyReverseMapping" (a server configuration setting that requires a client's forward and reverse DNS information to match) makes exploitation more difficult.
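To make the advisory concrete from the defender's side, here is an added Python model (not OpenSSH's code, and not part of the original post) of the flawed check beside a corrected one. It uses a constructed in-memory DNS table in place of real PTR/A lookups; the addresses, hostnames and pattern syntax are assumptions chosen only to illustrate the point.

```python
import re
from fnmatch import fnmatchcase

# Constructed stand-in for DNS: PTR (reverse) and A (forward) records.
DNS = {
    "ptr": {
        "192.0.2.10": "admin.corp.example",
        "203.0.113.7": "192.0.2.55",          # reverse name that merely looks like an allowed address
        "198.51.100.4": "box.corp.example",   # reverse name claims a trusted host; forward lookup disagrees
    },
    "a": {
        "admin.corp.example": ["192.0.2.10"],
        "box.corp.example": ["192.0.2.20"],
    },
}

# An address-style pattern contains only digits, dots and wildcards, e.g. "192.0.2.*".
ADDR_PATTERN = re.compile(r"^[0-9.*?]+$")

def reverse_name(ip, dns=DNS):
    """PTR lookup; falls back to the address itself when no record exists."""
    return dns["ptr"].get(ip, ip)

def forward_matches(name, ip, dns=DNS):
    """VerifyReverseMapping: the reverse name must resolve back to the connecting address."""
    return ip in dns["a"].get(name, [])

def vulnerable_allowed(ip, patterns, dns=DNS):
    """Flawed check: every pattern is tried against both the IP and the reverse DNS name,
    so an address-style pattern can be satisfied by a hostname string instead of the address."""
    name = reverse_name(ip, dns)
    return any(fnmatchcase(ip, p) or fnmatchcase(name, p) for p in patterns)

def hardened_allowed(ip, patterns, dns=DNS, verify_reverse_mapping=True):
    """Corrected check: address-style patterns are matched only against the IP;
    hostname patterns are matched only against a reverse name that forward-resolves to the IP."""
    name = reverse_name(ip, dns)
    name_ok = not verify_reverse_mapping or forward_matches(name, ip, dns)
    for p in patterns:
        if ADDR_PATTERN.match(p):
            if fnmatchcase(ip, p):
                return True
        elif name_ok and fnmatchcase(name, p):
            return True
    return False
```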