PCI compliance will fail when the CVE-2015-5352 vulnerability is present. OpenSSH 6.9 fixes this vulnerability, but none of the supported versions of Ubuntu (12.04, 14.04, 15.04 and 15.10) have been patched.
What is the best way to address this vulnerability?
I am experiencing the same issue. While I await a fix from Ubuntu, I have also decided this is an issue I would address with my CSA, for the following reasons.
If I understand the issue presented, the issue only arises if a root user on the affected computer is allowed to forward X11 connections. In my environment, the same root users on the affected computers have access to root on any system reachable from that computer, hence, if they were to conduct malicious activity, this potential vulnerability would neither help nor hinder that user.
Secondly, if the problem depends upon the ability to forward X11 connections, then shouldn't disabling this feature with "ForwardX11Trusted no" and "ForwardX11Timeout 0" be a proper configuration fix? This is my current configuration and, as I have no X11 installs, it seems to fit.
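Whether the configuration-based mitigation above takes effect depends on what the client actually resolves for ForwardX11 and ForwardX11Trusted, which ssh_config decides with a first-obtained-value-wins rule (global lines, then matching Host blocks, in file order). The Python below is an added example, not code from any post on this page: it parses a constructed client config and reports the effective X11 forwarding settings for a given host; the sample config, keyword defaults and helper names are assumptions.

```python
import re
from fnmatch import fnmatchcase
# Constructed sample of a client-side ~/.ssh/config (not from the original post).
SAMPLE_SSH_CONFIG = """\
# Global lines come first, so they win over any later Host block.
ForwardX11Trusted no
ForwardX11Timeout 0
Host build-box
    ForwardX11 yes
    ForwardX11Trusted = yes
Host *
    ForwardX11 no
"""

X11_KEYS = ("forwardx11", "forwardx11trusted", "forwardx11timeout")
# Upstream OpenSSH client defaults; note Debian/Ubuntu ship ForwardX11Trusted yes in /etc/ssh/ssh_config.
CLIENT_DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no", "forwardx11timeout": "20m"}
_LINE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.+?)\s*$")  # keyword, '=' or blank, value


def _host_matches(patterns: str, host: str) -> bool:
    """A 'Host' line matches if some pattern matches and no '!' pattern does."""
    matched = False
    for pat in patterns.split():
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):
            matched = True
    return matched


def effective_x11_settings(config_text: str, host: str) -> dict:
    """Resolve the X11 keywords for `host`: the first value obtained in file order
    wins, and lines before any 'Host' apply to every host ('Match' not handled)."""
    found, active = {}, True
    for line in map(str.strip, config_text.splitlines()):
        if not line or line.startswith("#") or not (m := _LINE.match(line)):
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            active = _host_matches(value, host)
        elif active and key in X11_KEYS and key not in found:
            found[key] = value.lower()
    return {k: found.get(k, CLIENT_DEFAULTS[k]) for k in X11_KEYS}


def trusted_x11_disabled(config_text: str, host: str) -> bool:
    """True when the client will not request trusted X11 forwarding to `host`."""
    s = effective_x11_settings(config_text, host)
    return s["forwardx11"] == "no" or s["forwardx11trusted"] == "no"
```

Run it against the real files too (~/.ssh/config and /etc/ssh/ssh_config) for the hosts the client actually connects to, since a distribution default of ForwardX11Trusted yes is easy to miss.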
This is really poor research on the part of whoever added this issue to the PCI compliance scanners. On my scans the problem is described as the following:
Let's break it down:
This vulnerability is one that affects SSH clients, not SSH servers (desc). An SSH client with an X environment is made vulnerable when connecting to a malicious SSH server using X11 forwarding. The scanner is inherently scanning servers not clients... In most cases, X will not even be installed on the remote server and connections will only be made to trusted servers so the scenario that this vulnerability requires is impossible to replicate.
Again, ssh-agent is a client program, so this bug does not affect the security of the server being scanned, and upgrading to OpenSSH 6.9 would do nothing to prevent this from being exploited unless the server was already compromised and being used to log in to other machines using ssh-agent.
Looking at the source code reveals that the code which contains the bug is not even present in OpenSSH 6.6, and the OpenSSH 6.8 bug is therefore not applicable. The patch changes how the match_pattern_list() method is used, but this method does not exist in OpenSSH 6.6. This bug is related only to the 'ssh' client program command line or config file parsing, not the sshd server, and therefore has nothing to do with a private system which is running sshd. Additionally, this is listed in the Release Notes as a Bug, and not a Security issue, so I doubt that it can do anything more than simply cause a segfault on the client machine if incorrect parameters are used.
So, in summary, because of all of these client issues you should upgrade your server to OpenSSH 6.9. Considering that most distributions are not yet supporting 6.9, this is absolutely idiotic advice. My advice is to keep running the latest OpenSSH that is supported by your distro, using the standard and security repositories with backported fixes that are actually applicable, rather than maintaining your own OpenSSH builds just because the PCI scanner said so.
I found this blog article that listed the steps for manually installing OpenSSH 6.7. I followed the instructions, using OpenSSH 6.9 instead.