Topic: Hackers announcing Hacking weekend

[Henrik]

Wanne test the security on your SME server? Qualys offers free security check because of the announced hacking attemps comming this weekend : https://freescan.qualys.com/

I got 4 critical, 3 serious, 2 Medium and 1 minimum security vulnabilities running V5.6U4

/Henrik

[Gordon Rowell]

Henrik wrote:
>
> Wanne test the security on your SME server? Qualys offers
> free security check because of the announced hacking attemps
> comming this weekend : https://freescan.qualys.com/
>
> I got 4 critical, 3 serious, 2 Medium and 1 minimum security
> vulnabilities running V5.6U4

Please report all security concerns to smesecurity@mitel.com

Thanks,

Gordon

[Gonzalo]

Hi again

I’m worry about the information in this thread
because it could expose my server and others servers
I work to suffer an attack.

I used GFI LANguard Network Security Scanner v(3.2)
from www.gfi.com to scan one of my servers and I found it
has a vulnerability in OpenSSH. The version of my server
is 5.6U4 and the version the of OpenSSH is
openssh-3.1p1-6.

How could I reduce the risk of an attack?
Is there a way to update the version of sshd inside my
SME box without have to update everything?

Thanks in advance

Gonzalo

[Cyrus Bharda]

Gonzalo,

Did you even read Gordon's post?

Have you reported your findings to smesecurity@mitel.com ?

Usually they can answer your questions in this area.

Cyrus Bharda

[Gordon Rowell]

Henrik wrote:
>
> Wanne test the security on your SME server? Qualys offers
> free security check because of the announced hacking attemps
> comming this weekend : https://freescan.qualys.com/
> [...]

We have now had multiple people run this scan and report the same results to smesecurity@mitel.com

Mitel Networks does not class any of the the issues reported by this security scan tool as either critical or serious. We will continue to watch and investigate these issues and make patches available if and when we deem this necessary.

For the record, the issues fall into the following categories:

- Issues which have already been addressed by the versions of openssl, openssh and other packages installed on the server.
- Issues related to self-signed SSL certificates. The self-signed certificate is only generated for convenience and provides encryption, but does *not* provide a guaranteed level of trust. It is possible to install a valid, properly signed certificate if you have purchased one.
- A particular issue with the Apache configuration which is not in itself a vulnerability.
- Response to the ident protocol with information that is in no way sensitive. Unfortunately, some mail servers require this response.

Also, some of the reports have included reports of vulnerabilities in packages which are not provided as part of the SME Server install. We can, of course, make no statement about the security of such installed packages.

As always, please report security concerns to smesecurity@mitel.com, and only there.

Thanks,

Gordon

[Charlie Brady]

Gonzalo wrote:

> I used GFI LANguard Network Security Scanner v(3.2)
> from www.gfi.com to scan one of my servers and I found it
> has a vulnerability in OpenSSH.

It almost certainly doesn't. It has a version of openssh which *in its unpatched state* has a vulnerability. But RedHat apply security patches as vulnerabilities are discovered. Many security scanners depend solely on version numbers to detect "vulnerabilities", and as a result falsely report problems with packages which have already been appropriately patched.

Please send details of the reported "vulnerability" to smesecurity@mitel.com so that we can verify the details.

Regards

Charlie

[Mike]

We got same thing happen, even in my other box which is Mandrake Linux. The vulnerabilities appeared in openssl, openssh, apache and in certificates. ??!????!? Don't know why....