[Security] SSH - CVE-2021-41617

Hi,

Here is my config:

cat /etc/redhat-release
Rocky Linux release 9.3 (Blue Onyx)

uname -a
Linux template-rocky-9 5.14.0-362.18.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jan 24 23:11:18 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

rpm -qa |egrep -i openssh
openssh-8.7p1-34.el9.x86_64
openssh-clients-8.7p1-34.el9.x86_64
openssh-server-8.7p1-34.el9.x86_64

cat /etc/crypto-policies/back-ends/opensshserver.config
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
RequiredRSASize 3072

CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

After running ssh-audit against the ssh server, it detected:

security

(cve) CVE-2021-41617 – (CVSSv2: 7.0) privilege escalation via supplemental groups
(cve) CVE-2016-20012 – (CVSSv2: 5.3) enumerate usernames via challenge response

I searched how/why to fix it but I can find nothing.

Any help would be appreciated.

According to here: cve-details RHEL9 or Rocky 9 in this case is not affected by this CVE. Your scanner probably doesn’t have physical access to the server, e.g. via SSH, to be able to actually connect and verify the results. Therefore, your scanner is most likely showing a false positive. A common occurrence when the scanner isn’t able to verify the system correctly.

Red Hat explains why users and scanners can get false positives in:

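The practical check behind the reply above is to look at what the distribution package actually records rather than at the upstream version string that a banner-based scanner sees, because Enterprise Linux rebuilds backport fixes without bumping the "8.7p1" the scanner matches on. The script below is an added example, not code from this thread, from ssh-audit or from Red Hat; the package name openssh-server comes from the original post, while the text in SAMPLE_CHANGELOG is a constructed stand-in (with a placeholder version and packager) and is not a real Red Hat changelog entry.

```shell
#!/bin/sh
# Added example: decide whether a package changelog records a fix for a CVE.
# On a real host the authoritative command is:
#   rpm -q --changelog openssh-server | grep -i CVE-2021-41617
# The functions below wrap that and also accept changelog text directly so the
# matching logic can be exercised on a machine without rpm.

# Constructed sample changelog (NOT a real Red Hat changelog); the version,
# date and packager address are placeholders made up for this example.
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Example Packager <packager@example.invalid> - 8.7p1-0.placeholder
- Resolves: CVE-2021-41617 (constructed entry for this example)
- other unrelated changes'

# cve_fixed_in_changelog CVE_ID CHANGELOG_TEXT
# Exit 0 when the changelog text mentions the CVE id, 1 otherwise.
cve_fixed_in_changelog() {
    cve_id=$1
    changelog=$2
    printf '%s\n' "$changelog" | grep -qi -- "$cve_id"
}

# cve_fixed_in_package CVE_ID PACKAGE
# Query the installed RPM's changelog. Exit 0 when the CVE id is recorded,
# 1 when it is not, 2 when rpm is not available on this host.
cve_fixed_in_package() {
    cve_id=$1
    package=$2
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q --changelog "$package" 2>/dev/null | grep -qi -- "$cve_id"
}

# Demo: run the offline check on the sample, then the live check if rpm exists.
if cve_fixed_in_changelog CVE-2021-41617 "$SAMPLE_CHANGELOG"; then
    echo "sample changelog records CVE-2021-41617"
fi

rc=0
cve_fixed_in_package CVE-2021-41617 openssh-server || rc=$?
case $rc in
    0) echo "openssh-server changelog records CVE-2021-41617 (backported fix present)" ;;
    1) echo "openssh-server changelog has no entry for CVE-2021-41617; check the vendor advisory" ;;
    *) echo "rpm not available on this host; skipping the live package check" ;;
esac
```

A hit in `rpm -q --changelog` is evidence that the fix was backported into the build you are running, which is why a scanner that only reads the "OpenSSH_8.7" banner cannot tell the patched and unpatched builds apart. The absence of an entry is not by itself proof of vulnerability: for CVEs where the shipped code was never affected, the vendor CVE page rather than the changelog is the reference.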

Thanks for your return.