
CentrifyDC 5.3.1-391 failed PCI scan

Participant II
Posts: 6
Registered: ‎06-09-2016
#1 of 7 701

CentrifyDC 5.3.1-391 failed PCI scan

We are running CentrifyDC 5.3.1-391; the PCI scan failed due to a vulnerable OpenSSH version in Centrify.

Centrify Guru I
Posts: 1,693
Registered: ‎07-26-2012
#2 of 7 693

Re: CentrifyDC 5.3.1-391 failed PCI scan

[ Edited ]

@unknown76935,

Welcome to the Centrify Express Forums,

We appreciate you bringing this to our attention.  Note that Centrify-enhanced OpenSSH is an optional component provided with our suite and customers can upgrade to any newer version of stock SSH at any point.

Can you provide us with the name of the tool and the CVEs referred by your tool and the version of Centrify OpenSSH you're using? 

Reference Suite 2016.1 ships with OpenSSH 7.2p2 and there are vulnerabilities that may or may not apply to our version.

Commercial customers with access to the support portal can review the announcements page for any security advisories that affect our software.

Nonetheless, in the next few days we'll be releasing Centrify Server Suite 2017, which will upgrade our enhanced version of OpenSSH to be based on 7.3p1.

Please provide the requested information and we will follow-up on this post.

Finally, note that you're posting in the Centrify Express forum. If you're a commercial for-profit organization relying on Centrify software for PCI compliance, you should be using our commercial versions (Standard or Enterprise); aside from full functionality, you get SLA-based support (standard or 24x7). If you're a commercial customer posting in this forum, please ignore this message.

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Follow Centrify:
Participant II
Posts: 6
Registered: ‎06-09-2016
#3 of 7 690

Re: CentrifyDC 5.3.1-391 failed PCI scan

Trustwave is the ASV.  The CVEs are:

CVE-2015-8325

CVE-2016-10009

CVE-2016-3115

CVE-2016-10010

CVE-2016-6515

Participant II
Posts: 6
Registered: ‎06-09-2016
#4 of 7 687

Re: CentrifyDC 5.3.1-391 failed PCI scan

OpenSSH_7.2p2 is the version Centrify is using

Centrify Guru I
Posts: 1,693
Registered: ‎07-26-2012
#6 of 7 648

Re: CentrifyDC 5.3.1-391 failed PCI scan

If you're a commercial customer and require immediate assistance,  please leverage your benefits and open a ticket with support. 

As we stated earlier, Centrify-enhanced OpenSSH is an optional component.  You can always uninstall and deploy the latest version of stock SSH.

In addition, if you are a commercial customer, you can also request early access to Suite 2017, which includes a version based on OpenSSH 7.3.

Otherwise, if you're an Express user,  we've captured the information you provided and we'll give you an assessment on a best-effort basis.

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Centrify Guru I
Posts: 1,693
Registered: ‎07-26-2012
#7 of 7 573

Re: CentrifyDC 5.3.1-391 failed PCI scan

@unknown76935,

Just wanted to let you know that Centrify Express 5.4 is available for download.

The optional enhanced SSH Server package shipped is based on OpenSSH 7.3p1.

From the release notes:

    Centrify OpenSSH 5.4.0 is upgraded based on stock OpenSSH 7.3p1.

    - SSHv1 is no longer supported. (Ref: CS-40924)
    - The LAM version of Centrify OpenSSH is no longer shipped as all AIX versions already provide PAM authentication. If you are still using the LAM version of Centrify OpenSSH, you should replace it with the corresponding PAM version for supportability. (Ref: CS-40743)

You can download it from here:  https://www.centrify.com/express/linux-unix/download/

Please note that some of the CVEs you pointed out from the scan tool are configuration-dependent.  For example, for a system to be exposed to CVE-2015-8325 this requires that the directive UseLogin in the OpenSSH config file is set to yes and the pam_env PAM module configured to read user environment settings; this means that the mitigation strategy is to simply set the UseLogin to no (default setting).

For each CVE that you discover, you need to make an assessment of the configuration conditions and find out from your infrastructure lead if that combination is in use. 

Finally, as a reminder, if you are a commercial organization leveraging Centrify software and you require conformance to security standards like PCI DSS, consider Centrify Standard Edition.  This gives you full capability and customer benefits like business day or 24x7 support and early access to software releases.

Thank you for your patience,

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
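As an added example, not part of this thread and not Centrify's own code or tooling, the POSIX shell script below checks the two configuration conditions the last reply names for CVE-2015-8325: "UseLogin yes" in sshd_config together with pam_env reading the user's environment file. It reports the host as exposed only when both hold, which is the assessment of "configuration conditions" the reply asks for. The function names, the file names and the sample configuration contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Centrify: check whether the two
# configuration conditions the post names for CVE-2015-8325 are both present:
#   1. "UseLogin yes" in sshd_config (the OpenSSH default is "no"), and
#   2. pam_env reading the user's environment file (user_readenv=1) in the
#      PAM service stack that sshd uses.
# If either condition is absent, the host is not exposed through this path.

# Effective value of one sshd_config keyword. sshd honours the first
# occurrence of a keyword (case-insensitive) and accepts "Keyword value" or
# "Keyword=value"; comments and blank lines are skipped. Keywords under a
# "Match" block are conditional and are not modelled here (see "sshd -T").
sshd_directive() {
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$_key" -v def="$3" -v 'FS=[ \t=]+' '
        {
            sub(/^[ \t]+/, "")                 # drop indentation, re-split fields
            if ($0 == "" || $0 ~ /^#/) next    # blank line or comment
            if (tolower($1) == key) { print tolower($2); found = 1; exit }
        }
        END { if (!found) print tolower(def) } # keyword absent: default applies
    ' "$1"
}

# True (exit 0) when an active pam_env.so line carries user_readenv=1.
# Assumption for this example: only that explicit option counts, matching the
# documented pam_env(8) default of user_readenv=0; confirm the default for
# the PAM build on your platform.
pam_env_reads_user_env() {
    awk '
        /^[ \t]*#/ { next }
        /pam_env\.so/ && /user_readenv=1/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Prints "exposed" only when both conditions hold, otherwise "not-exposed".
# $1 = sshd_config path, $2 = PAM service file for sshd (e.g. /etc/pam.d/sshd)
check_uselogin_exposure() {
    if [ "$(sshd_directive "$1" UseLogin no)" = yes ] && pam_env_reads_user_env "$2"; then
        echo exposed
    else
        echo not-exposed
    fi
}

# ---- constructed sample files (not real host configuration) ----
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/sshd_config.weak" <<'EOF'
# constructed sample: the weak setting
Port 22
  UseLogin yes
PasswordAuthentication no
EOF

cat > "$TMP/sshd_config.hardened" <<'EOF'
# constructed sample: the corrected setting (also the OpenSSH default)
Port 22
UseLogin=no
PasswordAuthentication no
EOF

cat > "$TMP/pam_sshd.readenv" <<'EOF'
# constructed sample: pam_env told to read the user's environment file
auth       required     pam_env.so user_readenv=1
session    required     pam_unix.so
EOF

cat > "$TMP/pam_sshd.default" <<'EOF'
# constructed sample: pam_env with user_readenv left at its default
auth       required     pam_env.so
session    required     pam_unix.so
EOF

# Walk every combination so the output shows that both conditions are needed.
for ssh in weak hardened; do
    for pam in readenv default; do
        printf 'sshd_config.%s + pam_sshd.%s: %s\n' "$ssh" "$pam" \
            "$(check_uselogin_exposure "$TMP/sshd_config.$ssh" "$TMP/pam_sshd.$pam")"
    done
done
```

Only the weak sshd_config combined with the user_readenv=1 PAM stack prints "exposed"; the other three combinations print "not-exposed". On a live host, `sshd -T` prints the effective configuration with lowercase keywords and Match blocks resolved, so `sshd -T | grep -i uselogin` is the value to feed into this assessment rather than a raw read of the file; the mitigation stated in the reply is simply `UseLogin no`, which is also the default when the keyword is absent.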