CentrifyDC 5.3.1-391 failed PCI scan
02-14-2017 01:06 PM
Welcome to the Centrify Express Forums,
We appreciate you bringing this to our attention. Note that Centrify-enhanced OpenSSH is an optional component provided with our suite and customers can upgrade to any newer version of stock SSH at any point.
Can you provide us with the name of the tool and the CVEs referred by your tool and the version of Centrify OpenSSH you're using?
Reference Suite 2016.1 ships with OpenSSH 7.2p2 and there are vulnerabilities that may or may not apply to our version.
Commercial customers with access to the support portal can review the announcements page for any security advisories that affect our software.
Nonetheless, in the next few days we'll be releasing Centrify Server Suite 2017 that will upgrade our enhanced version of OpenSSH to be based on 7.3p1.
Please provide the requested information and we will follow-up on this post.
Finally, note that you're posting in the Centrify Express forum. If you're a commercial for-profit organization relying on Centrify software for PCI compliance, you should be using our commercial versions (Standard or Enterprise); aside from full functionality, you get SLA-based (standard or 24x7) support. If you're a commercial customer posting in this forum, please ignore this message.
02-15-2017 12:15 PM
If you're a commercial customer and require immediate assistance, please leverage your benefits and open a ticket with support.
As we stated earlier, Centrify-enhanced OpenSSH is an optional component. You can always uninstall and deploy the latest version of stock SSH.
In addition, if you are a commercial customer, you can also request early access to Suite 2017, which includes a version based on OpenSSH 7.3.
Otherwise, if you're an Express user, we've captured the information you provided and we'll give you an assessment on a best-effort basis.
02-23-2017 04:36 AM
Just wanted to let you know that Centrify Express 5.4 is available for download.
The optional enhanced SSH Server package shipped is based on OpenSSH 7.3p1.
From the release notes:
Centrify OpenSSH 5.4.0 is upgraded based on stock OpenSSH 7.3p1.
- SSHv1 is no longer supported. (Ref: CS-40924)
- The LAM version of Centrify OpenSSH is no longer shipped as all AIX versions already provide PAM authentication. If you are still using the LAM version of Centrify OpenSSH, you should replace it with the corresponding PAM version for supportability. (Ref: CS-40743)
You can download it from here: https://www.centrify.com/express/linux-unix/download/
Please note that some of the CVEs you pointed out from the scan tool are configuration-dependent. For example, for a system to be exposed to CVE-2015-8325, the directive UseLogin in the OpenSSH config file must be set to yes and the pam_env PAM module must be configured to read user environment settings; this means the mitigation strategy is simply to set UseLogin to no (the default setting).
For each CVE that you discover, you need to make an assessment of the configuration conditions and find out from your infrastructure lead if that combination is in use.
Finally, as a reminder, if you are a commercial organization leveraging Centrify software and you require conformance to security standards like PCI DSS, consider Centrify Standard Edition. This gives you full capability and customer benefits like business day or 24x7 support and early access to software releases.
Thank you for your patience,
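The assessment the post above asks for (is "UseLogin yes" actually set, and does sshd's PAM stack load pam_env so that it reads the user's environment file?) can be scripted against copies of the two config files. The script below is an added example and is not Centrify's code or part of the original thread; the file paths, the constructed sample configs, and the assumption that a pam_env line without an explicit user_readenv=0 may read ~/.pam_environment (the default differs across Linux-PAM releases) are the author's choices, not anything the post states.

```shell
#!/bin/sh
# Added example, not Centrify's code: check the configuration condition the
# post gives for CVE-2015-8325 on OpenSSH <= 7.3. A host is only exposed when
# BOTH hold: sshd_config has "UseLogin yes" AND sshd's PAM stack loads pam_env
# in a way that reads the user's own environment file.
# Config paths are arguments, so this can run against files copied off a host.

# Print the effective UseLogin value from an sshd_config ("yes" or "no").
# sshd honours the first occurrence of a keyword, keywords are case-insensitive,
# "Key=value" is accepted alongside "Key value", and the default is no.
effective_uselogin() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            line = $0; gsub(/=/, " ", line)    # normalise "UseLogin=yes"
            n = split(line, f)
        }
        n >= 2 && tolower(f[1]) == "uselogin" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "no" }
    ' "$1"
}

# Return 0 if the PAM stack file loads pam_env without explicitly disabling
# user_readenv. ASSUMPTION: a pam_env line with user_readenv unset is treated
# as able to read ~/.pam_environment, since the default varies by Linux-PAM
# release; only an explicit user_readenv=0 counts as safe here.
pam_env_reads_user_env() {
    result=$(awk '
        /^[[:space:]]*#/ { next }
        /pam_env\.so/ && !/user_readenv=0/ { hit = 1 }
        END { print (hit ? "yes" : "no") }
    ' "$1")
    [ "$result" = "yes" ]
}

# Return 0 (exposed) only when both conditions hold.
cve_2015_8325_exposed() {
    if [ "$(effective_uselogin "$1")" = "yes" ] && pam_env_reads_user_env "$2"; then
        return 0
    fi
    return 1
}

# One-line verdict suitable for a scan-triage note.
assess() {
    if cve_2015_8325_exposed "$1" "$2"; then
        echo "EXPOSED: UseLogin yes in $1 and pam_env reads user env in $2; set UseLogin no"
    else
        echo "not exposed: UseLogin=$(effective_uselogin "$1") in $1 (pam stack: $2)"
    fi
}

# Constructed sample configs (not from any real host) to exercise the checks.
demo() {
    d=$(mktemp -d)
    printf '# vendor default left in place\nUseLogin yes\nUsePAM yes\n' > "$d/sshd_config.exposed"
    printf 'UsePAM yes\nuselogin=no\nUseLogin yes\n' > "$d/sshd_config.fixed"   # first match wins
    printf 'auth    required pam_unix.so\nsession required pam_env.so\n' > "$d/pam_sshd.readenv"
    printf 'session required pam_env.so user_readenv=0\n' > "$d/pam_sshd.noread"
    assess "$d/sshd_config.exposed" "$d/pam_sshd.readenv"
    assess "$d/sshd_config.fixed"   "$d/pam_sshd.readenv"
    assess "$d/sshd_config.exposed" "$d/pam_sshd.noread"
    rm -rf "$d"
}

demo
```

On a live host, `sshd -T` prints the effective configuration (lowercase keywords, e.g. `uselogin no`) and is the better source than parsing the file by hand; the parser here is for offline copies collected during scan triage. Note also that OpenSSH 7.4 removed the UseLogin option entirely, so on 7.4 and later this particular condition cannot be met.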