Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 7 subscribers
  • Views 5312 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM 9 to have OpenSSH version and higher

KM Gonzalez

Our Sophos has been detected to have a security issue. Please see the listed threats provided by the Security Compliance Team. They have advised that OpenSSH 7.4 has been released to fix these. Is it possible to have the said OpenSSH Version?

 

Threat1:
Multiple Vulnerabilities have been reported in OpenSSH.
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection. (CVE-2015-5600)
- The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests. (CVE-2015-6563)
- Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges. (CVE-2015-6564)

Threat2:
"OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol.

Multiple Vulnerabilities have been reported in OpenSSH v7.3 and earlier. These vulnerabilities if exploited will allow code execution, privilege escalation, information disclosure and denial of service attacks."

 

CVE IDS:
CVE-2015-5600, CVE-2015-6563, CVE-2015-6564
CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-8858



This thread was automatically locked due to age.
  • 0

    The OpenSSH version in UTM 9.502 is 6.6.1p1.  The developers rarely have the latest versions as it's easier to patch the existing version they know than to vet an entire new version and integrate it.  In order to learn if any of these vulnerabilities apply to the hardened version in the UTM and have not been remediated, you could open a case with Sophos Support.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0

    Security scan results are mixed bag and I would recommend that they viewed as such.

    When you are dependent on a vendor for a product well .. you are dependent on the vendor.  Sadly, there is not much that you can do about in terms of product administration and all you can do is accept the risk and mitigate it as best as you can.  I have seen vendors patch a flaw in a service in some manner and failed to update version code.  As a result the security people freak out when the security scan returns five million alerts.

    That other thing that is annoying about security scans (at the least the ones I am familiar with) is there is no way to flag an alert as a false positive and you keep slogging through the same data over and over just to make sure nothing has been missed.

    *sigh*

    John

  • 0

    I have only worked with TrustWave for PCI scanning.   Once they accept an explanation, it rolls over from one scan to the next.   If your vendor cannot do this, perhaps you should find a different vendor, because this is pretty fundamental to an ongoing relationship with your PCI scan vendor.

    The automated scans only detect the version, not the patch level.   I would like to understand more about how they do this, because I would prefer that neither good guys nor bad guys be able to detect this level of information from an unauthorized internet location.

    To satisfy Trustwave, I just need to get information from the vendor indicating that the patch has been "backported".  Sometimes (usually?) Trustwave will require proof that the backport has been installed.   When this has been necessary, they have told me what file they need.

  • 0 in reply to DouglasFoster

    DouglasFoster said:
    If your vendor cannot do this, perhaps you should find a different vendor, because this is pretty fundamental to an ongoing relationship with your PCI scan vendor.

    We don't have a horse in the PCI vendor race or even a voice.  All we get say on a monthly basis is "Thank you sir may I have another."

    ;)

Unfiltered HTML