History: May 31, 2016 - 12:00 a.m.

SOL71960814 - OpenSSH vulnerability CVE-2016-1908

2016-05-31 00:00:00
support.f5.com

CVSS3: 9.8 High

  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.004 Low

  Percentile: 69.3%

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.

LineRate

To mitigate this vulnerability, you can modify the sshd_config file to disable X11 forwarding. To do so, perform the following procedure:

Impact of action: This procedure requires you to modify your secure shell (SSH) configuration, and to restart the SSH service. If you do not update the configuration syntax correctly, the SSH service may fail to start. When you restart the SSH service, existing SSH sessions may be terminated. You should not perform this procedure using a remote SSH session; any mistakes may prevent further SSH access to the LineRate system.

  1. Log in to the LineRate command line.
  2. Switch to the Advanced Shell (bash) by typing the following command:

bash

  3. Create a backup of the current sshd_config file by typing the following command:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config-SOL71960814.save

  4. Using a text editor, such as vi or pico, locate the X11Forwarding option in the /etc/ssh/sshd_config file, and disable the option by setting it to no:

X11Forwarding no

Note: You must use the sudo command when opening your text editor, or you will not have permission to save your changes.

  5. Save your changes and exit the text editor.
  6. Test the syntax of your changes by typing the following two commands:
    * sudo /usr/linerate/sbin/sshd -t

If there are no errors, this command should return you to the prompt.

    * echo $?

This echo command returns the status code of the last command you typed. The result should be 0 (zero).

Important: If either of these commands returns errors, repeat step 4 and confirm that the syntax of the modification is correct. Incorrect configuration syntax may prevent the SSH service from starting.

  7. Restart the SSH service by typing the following command:

sudo service sshd restart

Note: Existing SSH sessions may be terminated when you restart the SSH service.

  8. Exit bash by typing the following command:

exit
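
A check to run after steps 4 and 6, as an added example that is not part of the F5 article: sshd -t only validates syntax, so this sketch reads the file and reports the global X11Forwarding value (sshd keeps the first value it sees for a keyword) and counts Match blocks that set it back to yes. The function names x11_audit and x11_is_disabled and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not F5 code): audit X11Forwarding in an sshd_config file.
# Prints "global=<value|unset> match_yes=<count>".
# Keywords are case-insensitive, "Keyword value" and "Keyword=value" are
# both accepted, and the first value seen for a keyword is the one used.
x11_audit() {
    awk '
    BEGIN { global = "unset"; in_match = 0; seen = 0; match_yes = 0 }
    {
        line = $0
        sub(/^[ \t]+/, "", line)               # strip leading whitespace
        if (line == "" || line ~ /^#/) next    # skip blanks and comments
        n = match(line, /[ \t=]/)              # end of the keyword
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))
        val = substr(line, n)
        sub(/^[ \t]*=?[ \t]*/, "", val)        # drop separator
        sub(/[ \t]+$/, "", val)                # drop trailing whitespace
        gsub(/"/, "", val)                     # drop optional quotes
        val = tolower(val)
        # A Match line starts a conditional block that can override globals.
        if (key == "match") { in_match = 1; seen = 0; next }
        if (key != "x11forwarding") next
        if (!in_match) { if (global == "unset") global = val }
        else if (!seen) { seen = 1; if (val == "yes") match_yes++ }
    }
    END { printf "global=%s match_yes=%d\n", global, match_yes }
    ' "$1"
}

# Succeeds only when the file explicitly sets the global value to "no"
# and no Match block re-enables forwarding. "unset" is treated as a
# failure because the built-in default depends on the sshd build.
x11_is_disabled() {
    [ "$(x11_audit "$1")" = "global=no match_yes=0" ]
}

# Constructed sample: global "no", but a Match block turns it back on.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'X11Forwarding no' \
    'Match User admin' '  x11forwarding = yes' > "$sample"
x11_audit "$sample"    # global=no match_yes=1
rm -f "$sample"
```

Stock OpenSSH also provides sshd -T, which prints the effective configuration; the article does not say whether the LineRate build supports it.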

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4602: Overview of the F5 security vulnerability response policy
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5

CPE Name       Operator   Version
traffix sdc    le         5.0.0
linerate       le         2.6.1
