OpenSSH Xauth Command Injection Vulnerability – Ubuntu 14.04 – PCI Compliance

I’m going through PCI compliance for a company I work for. The security scan picked up an apparent vulnerability in the OpenSSH server (the xauth command injection, CVE-2016-3115). That bug has already been patched in Ubuntu 14.04, so this is a false positive: the scanner matched on the version banner, and Ubuntu backports security fixes to its packages without changing the upstream version number that the banner reports. I thought I’d post about it because I found lots of posts where people were trying to compile the latest OpenSSH server to get around this problem, when in fact it isn’t a problem at all. Compiling your own OpenSSH isn’t recommended, because from then on you have to track and patch the package yourself. What an assessor needs is evidence that the fix is present, not a newer banner: the package changelog (zcat /usr/share/doc/openssh-server/changelog.Debian.gz) lists the CVE, and the Ubuntu Security Notice for it names the fixed package version. Two caveats: the finding is real if the host was never updated or sshd was built from source, and Ubuntu’s shipped sshd_config sets X11Forwarding yes, so don’t rely on the precondition being absent.

The warning text said:

Threat:
OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol.

The sshd server fails to validate user-supplied X11 authentication credentials when establishing an X11 forwarding session. An authenticated user may inject arbitrary xauth commands by sending an x11 channel request that includes a newline character in the x11 cookie.
Please note that systems with X11Forwarding enabled are affected.

Affected Versions:
OpenSSH versions prior to 7.2p2
Impact:
An authenticated, remote attacker can exploit this vulnerability to execute arbitrary commands on the targeted system.
Solution:
Users are advised to upgrade to the latest version of the software available. Refer to OpenSSH 7.2p2 Release Notes for further information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

OpenSSH 7.2p2
Result:
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 detected on port 22 over TCP.

I hope this is helpful to someone.
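
The check I would actually hand to an assessor, as an added example that is not part of the original post: it ignores the banner and decides from the package version and the package changelog, then reports the effective X11Forwarding setting. The fixed trusty package version (1:6.6p1-2ubuntu2.7) is from memory of Ubuntu’s advisory and is an assumption; the changelog excerpt is constructed for the offline demo and merely shaped like the real file.

```sh
#!/bin/sh
# Added example, not code from the original post: decide whether a scanner
# finding based on the "OpenSSH_6.6.1p1" banner is a false positive by
# checking the package evidence instead. Ubuntu backports the fix and keeps
# the upstream version string, so the banner alone proves nothing either way.
# The xauth injection is CVE-2016-3115; the fixed trusty package version is
# taken from memory of Ubuntu's advisory for it and is an assumption here.

CVE_ID="CVE-2016-3115"
FIXED_VERSION="1:6.6p1-2ubuntu2.7"   # assumption: check the USN for your release

# version_ge A B: true when Debian package version A is at least B.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Fallback without dpkg: GNU sort -V orders these version strings.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# changelog_fixes_cve CVE FILE: true when the plain-text changelog names the CVE.
changelog_fixes_cve() {
    grep -q -- "$1" "$2"
}

# verdict VERSION CHANGELOG_FILE: FIXED, VULNERABLE, or UNKNOWN (version is
# new enough but the changelog does not mention the CVE, so look closer).
verdict() {
    if ! version_ge "$1" "$FIXED_VERSION"; then
        echo VULNERABLE
    elif changelog_fixes_cve "$CVE_ID" "$2"; then
        echo FIXED
    else
        echo UNKNOWN
    fi
}

# live_check: run as root on the scanned host (sshd -T needs root).
live_check() {
    installed=$(dpkg-query -W -f='${Version}' openssh-server 2>/dev/null) || {
        echo "openssh-server is not installed from a .deb; the finding may be real"
        return 2
    }
    cl=$(mktemp)
    zcat /usr/share/doc/openssh-server/changelog.Debian.gz > "$cl"
    echo "openssh-server $installed: $(verdict "$installed" "$cl")"
    rm -f "$cl"
    # The bug needs X11Forwarding; Ubuntu's shipped sshd_config turns it on,
    # so report the effective setting rather than assuming the upstream default.
    sshd -T 2>/dev/null | grep -i '^x11forwarding ' || echo "x11forwarding: unknown (run as root)"
}

# Constructed changelog excerpt, shaped like the real
# /usr/share/doc/openssh-server/changelog.Debian.gz entries.
SAMPLE_CHANGELOG='openssh (1:6.6p1-2ubuntu2.8) trusty-security; urgency=medium

  * SECURITY UPDATE: a later fix, not relevant here

openssh (1:6.6p1-2ubuntu2.7) trusty-security; urgency=medium

  * SECURITY UPDATE: xauth command injection via X11 forwarding
    - CVE-2016-3115
'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    cl=$(mktemp); printf '%s\n' "$SAMPLE_CHANGELOG" > "$cl"
    echo "1:6.6p1-2ubuntu2.8 -> $(verdict 1:6.6p1-2ubuntu2.8 "$cl")"   # FIXED
    echo "1:6.6p1-2ubuntu2.6 -> $(verdict 1:6.6p1-2ubuntu2.6 "$cl")"   # VULNERABLE
    rm -f "$cl"
fi
```

Run it with --live on the scanned box and paste the output into the scan dispute; the UNKNOWN branch is there so that a version that looks new enough but whose changelog does not name the CVE (a third-party rebuild, for instance) is not waved through.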

How to Install the HP Support Pack on Ubuntu 14.04

I need to install the HP support pack on Ubuntu Trusty / 14.04.

Create the repository file (this opens it in an editor):

sudo nano /etc/apt/sources.list.d/hp-proliant-support-pack.list

Add the following line:

deb http://downloads.linux.hpe.com/SDR/downloads/MCP/ubuntu trusty current/non-free

Update the apt-get cache. apt-get update will warn that the repository’s signature cannot be verified until its GPG key is imported (HPE publishes the keys on the same SDR site); if apt-get install later asks whether to install packages “without verification”, answer no and import the key instead:

sudo apt-get update

You can see the list of packages in this repository with the command below (apt names its list files after the repository URL, hence the hpe.com host):

grep ^Package: /var/lib/apt/lists/downloads.linux.hpe.com*

Hope this helps someone.

paramiko.SSHException: Incompatible ssh peer (no acceptable kex algorithm) ubuntu 14.04

I was trying to sftp some files using Python Paramiko on Ubuntu 14.04 and got the following error: “paramiko.SSHException: Incompatible ssh peer (no acceptable kex algorithm)”. It turns out there is an incompatibility between OpenSSH 6.7 and Paramiko versions earlier than 1.15.1: OpenSSH 6.7 dropped diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1 from its default key exchange list, and those two were the only algorithms older Paramiko could speak, so client and server have no method in common. At the time of writing (November 2014) Ubuntu 14.04 came with 1.10.1.

To fix the issue, you need to upgrade Paramiko to at least 1.15.1. You can do this using pip, the Python package manager. Bear in mind that pip’s copy then shadows Ubuntu’s python-paramiko package, so security updates from Ubuntu no longer apply to it and you have to keep it current yourself. Here is how you do it:

apt-get install python-pip

Do a quick version check of the Python libs like so:

pip freeze

Which gives the following output:

landscape-Client==14.01
PAM==0.4.2
Twisted-Core==13.2.0
Twisted-Names==13.2.0
Twisted-Web==13.2.0
apt-xapian-index==0.45
argparse==1.2.1
chardet==2.0.1
colorama==0.2.5
configobj==4.7.2
html5lib==0.999
mercurial==2.8.2
paramiko==1.10.1
pyOpenSSL==0.13
pycrypto==2.6.1
pycurl==7.19.3
pyinotify==0.9.4
pyserial==2.6
python-apt==0.9.3.5
python-debian==0.1.21-nmu2ubuntu2
requests==2.2.1
six==1.5.2
ssh-import-id==3.21
urllib3==1.7.1
wsgiref==0.1.2
zope.interface==4.0.5

Then upgrade Paramiko using PIP.

pip install paramiko --upgrade

Voila. Paramiko sftp should now work.

In my case I actually use Ansible to deploy changes across multiple servers. Ansible comes with a pip module, so you can upgrade Paramiko across all servers like so (state=latest takes whatever PyPI serves on the day; pinning a specific version keeps the rollout reproducible):

## Python Packages Using PIP 
## We are doing this because we require the latest version of paramiko
- pip: name=paramiko state=latest

How to install MySQL 5.6 on Ubuntu 14.04

Ubuntu 14.04 ships packages for both MySQL 5.5 and MySQL 5.6, and the mysql-server metapackage installs 5.5 by default. You can upgrade to MySQL 5.6 with the following steps:

Step 1 – Take a backup! (Add -p if root has a password, and check that the dump finished without errors before going on.)

mysqldump -u root --all-databases > /home/me/add_databases.sql

Step 2 – Remove the old MySQL
I recommend using ‘apt-get purge’ rather than ‘apt-get remove’ to uninstall the old MySQL server. Don’t worry, this doesn’t delete your data in /var/lib/mysql (by default the package leaves the data directory alone). Purging removes the package’s own configuration files under /etc/mysql/; anything you added yourself, typically in /etc/mysql/conf.d, stays behind. This matters because some old MySQL configuration options aren’t supported in 5.6.

If you have an unsupported configuration option (for example, table_cache was renamed table_open_cache), MySQL doesn’t silently ignore it… it simply doesn’t start. Oh, and it prints nothing on the console: the reason is only recorded in the error log (/var/log/mysql/error.log) as an “unknown variable” error, so look there first. So you really should review every file in /etc/mysql/conf.d and remove settings that 5.6 no longer accepts. You can read the list of settings that changed in the MySQL 5.6 upgrade notes.

So…

apt-get purge mysql-server-5.5 mysql-client-5.5
apt-get autoremove

Step 3 – Install the new MySQL 5.6

sudo apt-get install mysql-server-5.6 mysql-client-5.6

And you are done. Hurray.
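
Rather than discover an unknown option from a server that will not start, lint the config first. This is an added example, not part of the original post: it extracts the option names set in [mysqld] sections and reports any the new server does not list in its own help output. The help-output format that known_options_live parses is assumed from 5.5/5.6; the sample config and known-option list are constructed for the offline demo.

```sh
#!/bin/sh
# Added example, not code from the original post: lint the MySQL config for
# options the new mysqld does not know, before restarting it. An unknown
# option stops mysqld 5.6 from starting and the only trace is an
# "unknown variable" line in the error log, so find them first.

# known_options_live: every option the installed server accepts, one per
# line with '-' normalised to '_'. mysqld lists them as "  --name" in its
# verbose help; --no-defaults stops it reading (and choking on) the very
# config we are checking. The help format is assumed from 5.5/5.6 output.
known_options_live() {
    mysqld --no-defaults --verbose --help 2>/dev/null \
        | sed -n 's/^  --\([A-Za-z0-9_-]*\).*/\1/p' | tr '-' '_' | sort -u
}

# config_options FILE...: option names set in [mysqld] sections, '-' as '_'
# (mysqld treats the two spellings alike). Other sections are ignored.
config_options() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_mysqld && /^[ \t]*[A-Za-z0-9_-]/ {
            sub(/^[ \t]+/, ""); sub(/[ \t]*(=.*)?$/, ""); gsub(/-/, "_"); print
        }' "$@" | sort -u
}

# unknown_options KNOWN_FILE CONFIG...: options set in CONFIG that are not
# in KNOWN_FILE. "skip_<opt>" is accepted when <opt> is known, since mysqld
# allows --skip- on any boolean option.
unknown_options() {
    known="$1"; shift
    config_options "$@" | while IFS= read -r opt; do
        grep -qxF "$opt" "$known" || grep -qxF "${opt#skip_}" "$known" || echo "$opt"
    done
}

# Constructed sample config and known-option list for an offline run; on a
# real host use known_options_live and /etc/mysql/my.cnf /etc/mysql/conf.d/*.cnf.
SAMPLE_CNF='[client]
port = 3306

[mysqld]
user             = mysql
table_cache      = 64
table_open_cache = 400
skip-external-locking
log-slow-queries = /var/log/mysql/slow.log
# max_connections = 100
'
SAMPLE_KNOWN='external_locking
max_connections
port
slow_query_log
table_open_cache
user'

d=$(mktemp -d)
printf '%s\n' "$SAMPLE_CNF" > "$d/my.cnf"
printf '%s\n' "$SAMPLE_KNOWN" > "$d/known"
unknown_options "$d/known" "$d/my.cnf"      # log_slow_queries, table_cache
rm -rf "$d"
```

On the real server: known_options_live > /tmp/known; then unknown_options /tmp/known /etc/mysql/my.cnf /etc/mysql/conf.d/*.cnf. The check is deliberately conservative, so it can also flag abbreviated option names that mysqld would accept as a unique prefix; treat every hit as something to look up, not necessarily something broken.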

p.s. For interest, you can see which repository these packages come from by using the ‘apt-cache policy’ command:

sudo apt-cache policy mysql-server

mysql-server:
  Installed: 5.5.38-0ubuntu0.14.04.1
  Candidate: 5.5.38-0ubuntu0.14.04.1
  Version table:
 *** 5.5.38-0ubuntu0.14.04.1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     5.5.35+dfsg-1ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

sudo apt-cache policy mysql-server-5.6

mysql-server-5.6:
  Installed: (none)
  Candidate: 5.6.17-0ubuntu0.14.04.1
  Version table:
     5.6.17-0ubuntu0.14.04.1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/universe amd64 Packages
     5.6.16-1~exp1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages

Bacula Error shell command: run AfterJob “/etc/bacula/scripts/delete_catalog_backup” Ubuntu 14.04

I have just upgraded our Bacula backup server from Ubuntu 12.04 to Ubuntu 14.04. Everything is backing up okay, but the job that deletes the catalogue backup after it has run is failing. The job log shows:

24-Apr 23:31 bacula-dir JobId 7388: shell command: run AfterJob "/etc/bacula/scripts/delete_catalog_backup"

It turns out that Ubuntu 14.04 updated the backup script /etc/bacula/scripts/delete_catalog_backup but didn’t make it executable; the previous version was kept alongside it as a .ucf-old file with the right mode. I could see this by running:

ls -la /etc/bacula/scripts/

and saw:

-rw------- 1 root root   104 Apr 24 20:30 delete_catalog_backup
-rwxr-xr-x 1 root root   112 Sep  8  2012 delete_catalog_backup.ucf-old

To fix this you just need to make the script executable again (755 matches the mode of the previous version; the director doesn’t run as root, so a root-only mode would not work):

sudo chmod 755 /etc/bacula/scripts/delete_catalog_backup

This should fix the issue, but you can test it by running the catalog job from bconsole:

sudo bconsole
run job=BackupCatalog

Let me know if this works for you.
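
The same problem can hit any script the director runs, not just this one, so here is an added example (not from the original post) that pulls every RunBeforeJob, RunAfterJob and RunScript Command out of bacula-dir.conf and flags scripts that are missing or not executable. Only those three directives are parsed; the sample config is constructed and modelled on the BackupCatalog job in Ubuntu’s default bacula-dir.conf, and notify_done is a made-up third script used to exercise the RunScript case.

```sh
#!/bin/sh
# Added example, not code from the original post: list every script the
# director is configured to run (RunBeforeJob, RunAfterJob and Command =
# inside RunScript blocks) and flag any that are missing or not executable,
# so a package upgrade that drops the mode is caught before the nightly run.
# Only these three directives are parsed; the rest of the bacula-dir.conf
# grammar is not handled, and paths containing spaces are not supported.

# runscript_paths CONF...: the executable of each run script, i.e. the first
# word inside the quotes (the .pl before "MyCatalog" in the catalog job).
runscript_paths() {
    sed -n -E 's/^[[:space:]]*([Rr]un([Bb]efore|[Aa]fter)[Jj]ob|[Cc]ommand)[[:space:]]*=[[:space:]]*"([^" ]+).*/\3/p' "$@" \
        | sort -u
}

# check_runscripts CONF...: one line per script (OK, NOT-EXECUTABLE or
# MISSING); returns 1 if anything needs fixing.
check_runscripts() {
    status=0
    for p in $(runscript_paths "$@"); do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; status=1
        elif [ ! -x "$p" ]; then
            echo "NOT-EXECUTABLE $p"; status=1
        else
            echo "OK $p"
        fi
    done
    return $status
}

# Constructed sample modelled on the BackupCatalog job in Ubuntu's default
# bacula-dir.conf; notify_done is a made-up third script for the RunScript case.
SAMPLE_CONF='Job {
  Name = "BackupCatalog"
  JobDefs = "DefaultJob"
  Level = Full
  RunBeforeJob = "/etc/bacula/scripts/make_catalog_backup.pl MyCatalog"
  RunAfterJob  = "/etc/bacula/scripts/delete_catalog_backup"
  RunScript {
    Command = "/etc/bacula/scripts/notify_done --job %n"
    RunsWhen = After
  }
}
'

# Offline demo: recreate the situation from the post in a temporary tree
# (delete_catalog_backup present but mode 600, notify_done absent). On the
# real server run: check_runscripts /etc/bacula/bacula-dir.conf
d=$(mktemp -d); mkdir "$d/scripts"
printf '%s\n' "$SAMPLE_CONF" | sed "s#/etc/bacula/scripts#$d/scripts#g" > "$d/bacula-dir.conf"
printf '#!/bin/sh\nexit 0\n' > "$d/scripts/make_catalog_backup.pl"; chmod 755 "$d/scripts/make_catalog_backup.pl"
printf '#!/bin/sh\nexit 0\n' > "$d/scripts/delete_catalog_backup"; chmod 600 "$d/scripts/delete_catalog_backup"
check_runscripts "$d/bacula-dir.conf" || echo "fix the flagged scripts (chmod 755) before the next run"
rm -rf "$d"
```

Run it from cron or from the same place you run your post-upgrade checks; a non-zero exit is the signal that a catalog job will fail the way this one did.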

Ubuntu Unity freezes after login when upgraded from Ubuntu 13.10 to 14.04

I just upgraded from Ubuntu 13.10 to Ubuntu 14.04. However, after I had entered my username and password the computer froze; Unity just appeared to hang. I fixed this by reinstalling Unity.

Note – this problem might have been caused by the upgrade process. I’m not sure whether it was related to this error message:

(gtk-update-icon-cache:19911): GdkPixbuf-WARNING **: Cannot open pixbuf loader module file '/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache': No such file or directory

This likely means that your installation is broken.
Try running the command
  gdk-pixbuf-query-loaders > /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache to make things work again for the time being.

I tried running gdk-pixbuf-query-loaders > /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache but this didn’t seem to fix the problem.

Step 1 – Get to a terminal
You get to a text console by holding down Ctrl-Alt and pressing F2. Any of F1 to F6 gives you a console (F7 is usually the graphical session you are trying to get away from).

Step 2 – Reinstall Unity and the Ubuntu-Desktop

sudo apt-get update
sudo apt-get install --reinstall ubuntu-desktop
sudo apt-get install unity
sudo reboot

Several people have added extra steps that worked for them, so please read the comments. I considered modifying the original post, but there are several variations on the theme.

This post is getting quite a lot of views. Could you please add a comment if this solution worked or didn’t work for you? It would help me improve the post. Thanks.