Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall

Discussions Critical OpenSSH Vulnerability (CVE-2024-6387)

Sophos Firewall requires membership for participation - click to join

Thread Info

State Verified Answer
+1 person also asked this people also asked this
Replies 6 replies
Subscribers 42 subscribers
Views 1147 views
Users 0 members are here

Options

Suggested

Critical OpenSSH Vulnerability (CVE-2024-6387)

Fred12 4 days ago

Hello,

please provide information about XG(S) firewalls are affected somehow?

https://www.sophos.com/en-us/security-advisories does not provide anything about it.

Thanks,
Fred12

Added TAGs
[edited by: Raphael Alganes at 7:35 AM (GMT -7) on 2 Jul 2024]

Top Replies

Vivek Jagad 4 days ago +1 verified

Hi Fred12 , Thank you for reaching out to the community, openssh server on SFOS is not affected.

Parents

0 Vivek Jagad 4 days ago

Hi Fred12 ,

Thank you for reaching out to the community, openssh server on SFOS is not affected.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Reject Answer

Cancel
0 Noct3 2 days ago in reply to Vivek Jagad
Hello,

Running the "sshd -v" command while connected to a firewall running SFOS v20 outputs this:

XGS126_XN02_SFOS 20.0.0 GA-Build222# sshd -v
2024-07-04 12:14:51Z unknown option -- v
OpenSSH , OpenSSL 1.1.1q 5 Jul 2022
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-o option] [-p port] [-u len]
XGS126_XN02_SFOS 20.0.0 GA-Build222#

Now I know that 1.1.1q is the version of OpenSSL but still, it was released back in 2022. It wouldn't be to far fetched to assume that OpenSSH also is running a version from 2022?

Assuming that the build of OpenSSH used in SFOS is vanilla and since all version since 2020 are vulnerable, that would make SFOS's OpenSSH version also vulnerable wouldn't it?

Thank you
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Noct3 2 days ago in reply to Vivek Jagad
Hello,

Running the "sshd -v" command while connected to a firewall running SFOS v20 outputs this:

XGS126_XN02_SFOS 20.0.0 GA-Build222# sshd -v
2024-07-04 12:14:51Z unknown option -- v
OpenSSH , OpenSSL 1.1.1q 5 Jul 2022
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-o option] [-p port] [-u len]
XGS126_XN02_SFOS 20.0.0 GA-Build222#

Now I know that 1.1.1q is the version of OpenSSL but still, it was released back in 2022. It wouldn't be to far fetched to assume that OpenSSH also is running a version from 2022?

Assuming that the build of OpenSSH used in SFOS is vanilla and since all version since 2020 are vulnerable, that would make SFOS's OpenSSH version also vulnerable wouldn't it?

Thank you
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

+1 Noct3 2 days ago in reply to Noct3

Nevermind, an advisory was posted today stating that Sophos products are not affected.

Advisory: Unauthenticated Remove Code Execution Vulnerability in OpenSSH (CVE-2024-6387) | Sophos
Cancel
Vote Up +1 Vote Down

Sign in to reply

Reject Answer

Cancel
0 Francisco Fiol Mas 2 days ago in reply to Noct3

Hello,

Great, thank you very much for the info.

Best regards
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel