Sophos UTM 9 to have OpenSSH version and higher

Our Sophos has been detected to have a security issue. Please see the listed threats provided by the Security Compliance Team. They have advised that OpenSSH 7.4 has been released to fix these. Is it possible to have the said OpenSSH version?


Threat1:
Multiple Vulnerabilities have been reported in OpenSSH.
- The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection. (CVE-2015-5600)
- The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests. (CVE-2015-6563)
- Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges. (CVE-2015-6564)

Threat2:
"OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol.

Multiple Vulnerabilities have been reported in OpenSSH v7.3 and earlier. These vulnerabilities if exploited will allow code execution, privilege escalation, information disclosure and denial of service attacks."


CVE IDS:
CVE-2015-5600, CVE-2015-6563, CVE-2015-6564
CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-8858



  • Security scan results are a mixed bag and I would recommend that they be viewed as such.

    When you are dependent on a vendor for a product, well... you are dependent on the vendor. Sadly, there is not much that you can do about it in terms of product administration, and all you can do is accept the risk and mitigate it as best as you can. I have seen vendors patch a flaw in a service in some manner and fail to update the version code. As a result the security people freak out when the security scan returns five million alerts.

    The other thing that is annoying about security scans (at least the ones I am familiar with) is that there is no way to flag an alert as a false positive, so you keep slogging through the same data over and over just to make sure nothing has been missed.

    *sigh*

    John

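A small banner-triage helper, added here as an illustration and not code from this thread, from Sophos or from OpenSSH: it parses an SSH identification string, compares the advertised OpenSSH version against the fixed-in versions the question implies (before 7.0 for the 2015 CVEs, 7.4 for the 2016 CVEs, as the post states), and tags every hit as banner-only so that a backported fix with an unchanged version string, the situation John describes, is treated as a candidate rather than a confirmed finding. The sample banners are constructed.

```python
import re

# Fixed-in versions as stated in the question above: the 2015 CVEs affect
# OpenSSH before 7.0; the 2016 CVEs are described as fixed by 7.4.
CVE_FIXED_IN = {
    "CVE-2015-5600": (7, 0), "CVE-2015-6563": (7, 0), "CVE-2015-6564": (7, 0),
    "CVE-2016-8858": (7, 4), "CVE-2016-10009": (7, 4), "CVE-2016-10010": (7, 4),
    "CVE-2016-10011": (7, 4), "CVE-2016-10012": (7, 4),
}

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# OpenSSH software string, e.g. OpenSSH_7.2p2 (the pN suffix is the portable release)
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?")


def parse_banner(line: str) -> dict:
    """Split an SSH identification string into protocol, software and comments."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return m.groupdict()


def openssh_version(software: str):
    """Return (major, minor) from e.g. 'OpenSSH_7.2p2', or None for other servers."""
    m = OPENSSH_RE.match(software)
    return (int(m["major"]), int(m["minor"])) if m else None


def triage(line: str) -> dict:
    """Banner-only triage: CVEs whose fixed-in version is above the advertised one.

    Every hit carries evidence='banner_only': a vendor may have backported the fix
    without bumping the version string, so each hit is a candidate to verify
    against the vendor's advisory, not a confirmed vulnerability.
    """
    banner = parse_banner(line)
    version = openssh_version(banner["software"])
    if version is None:
        return {"version": None, "candidates": [], "evidence": "non-openssh"}
    candidates = sorted(cve for cve, fixed in CVE_FIXED_IN.items() if version < fixed)
    return {"version": version, "candidates": candidates, "evidence": "banner_only"}


if __name__ == "__main__":
    # Constructed sample banner, not captured from any real host.
    print(triage("SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n"))
```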