'The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.'
This CVE (CVE-2014-2653) is a flaw in the OpenSSH client, not the server: a malicious or compromised server can present a host certificate that the client does not accept, and the client then falls back to checking the plain host key without consulting the SSHFP DNS records. It only matters when the client has VerifyHostKeyDNS enabled, which is not the default, and it is neither the default nor the typical role for a ClearOS system to have SSH open to the outside world. Even so, the fix has been backported to ClearOS 6 and later versions. Because of the minimal security risk that this bug presents, it is not planned to be fixed in ClearOS 5.
This issue is addressed in updated versions of ClearOS 6 and ClearOS 7. For both versions the fix is in openssh-5.3p1-104.el6 and later.
ClearOS 6 and ClearOS 7
Make sure that your system is up to date by running a package update from the command line.
You can then validate that you are running openssh-5.3p1-104.el6 or later by running the following from the command line:
rpm -qi openssh
You may get an output like this:
Name : openssh Relocations: (not relocatable)
Version : 5.3p1 Vendor: ClearFoundation
Release : 104.el6_6.1 Build Date: Fri 21 Nov 2014 10:27:07 AM MST
Install Date: Mon 16 Feb 2015 04:29:39 PM MST Build Host: build64-6.clearsdn.local
Group : Applications/Internet Source RPM: openssh-5.3p1-104.el6_6.1.src.rpm
Size : 785568 License: BSD
Signature : DSA/SHA1, Fri 21 Nov 2014 10:27:12 AM MST, Key ID 4242d0e05f17cd5a
Packager : ClearFoundation
URL : http://www.openssh.com/portable.html
Summary : An open source implementation of SSH protocol versions 1 and 2
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features.
This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.
If you are subject to a penetration test or vulnerability scan, note that most such tools judge a service by the version string it announces (here the SSH banner, which shows only OpenSSH_5.3) and not by the package patch level, and they generally do not attempt the exploit to confirm the finding. Since ClearOS backports fixes into the existing upstream version for stability and compatibility reasons, a scan may flag this as a vulnerability when it is not one; the package release reported by rpm is the authoritative indicator.
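The following script is an added example, not part of the ClearOS advisory. It ties together the update and verification steps above and the scanner note: it reads the installed openssh version and release from the RPM database (falling back to a constructed sample matching the rpm -qi output above when rpm is not available), decides whether the release is at or past the backported fix, and shows that the SSH banner a scanner sees carries only the upstream version and never the release. The fixed release number (104) and the banner string are taken from this page; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not ClearOS code): is the installed openssh at or past the
# backported fix openssh-5.3p1-104.el6, and why a banner scanner cannot tell.

FIXED_VERSION="5.3p1"
FIXED_RELEASE=104    # numeric part of "104.el6" from the advisory

# openssh_is_fixed VERSION RELEASE
# Returns 0 when VERSION-RELEASE carries the fix, 1 when it does not, and
# 2 when VERSION is not the 5.3p1 line this advisory covers (decide by hand).
openssh_is_fixed() {
    ver=$1
    rel=$2
    [ "$ver" = "$FIXED_VERSION" ] || return 2
    relnum=${rel%%[!0-9]*}          # "104.el6_6.1" -> "104", "98.el6" -> "98"
    [ -n "$relnum" ] || return 1
    [ "$relnum" -ge "$FIXED_RELEASE" ]
}

# banner_version IDENT_STRING
# Prints the version embedded in an SSH identification string, e.g.
# "SSH-2.0-OpenSSH_5.3" -> "5.3". The package release (104.el6...) is not
# part of the banner, which is all a version-matching scanner looks at.
banner_version() {
    case $1 in
        *OpenSSH_*) b=${1#*OpenSSH_}; printf '%s\n' "${b%% *}" ;;
        *) return 1 ;;
    esac
}

# Query the RPM database when rpm is available and openssh is installed;
# otherwise use a constructed sample matching the rpm -qi output above.
installed_openssh() {
    if command -v rpm >/dev/null 2>&1 && rpm -q openssh >/dev/null 2>&1; then
        rpm -q --queryformat '%{VERSION} %{RELEASE}\n' openssh
    else
        echo "5.3p1 104.el6_6.1"   # constructed sample, not live data
    fi
}

main() {
    set -- $(installed_openssh)   # word-splits into VERSION RELEASE
    rc=0
    openssh_is_fixed "$1" "$2" || rc=$?
    case $rc in
        0) echo "openssh-$1-$2: fix for CVE-2014-2653 present" ;;
        1) echo "openssh-$1-$2: NOT fixed, run: yum update openssh" ;;
        *) echo "openssh-$1-$2: not the 5.3p1 line covered by this advisory" ;;
    esac
    echo "banner a scanner sees: $(banner_version 'SSH-2.0-OpenSSH_5.3')"
}
main "$@"
```

The check is deliberately keyed to the release number rather than the version, because every openssh package on ClearOS 6 before and after the fix reports the same upstream version 5.3p1; only the release distinguishes them.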
To resolve this issue on ClearOS 5, either disable or restrict access to the SSH services, or upgrade your system to ClearOS 6. Support for ClearOS Enterprise 5 with subscriptions ends in December 2015; support for ClearOS Enterprise 5 Community has already ended.