Sophos UTM 9 to have OpenSSH version and higher

Our Sophos has been detected to have a security issue. Please see the listed threats provided by the Security Compliance Team. They have advised that OpenSSH 7.4 has been released to fix these. Is it possible to have the said OpenSSH Version?


Threat1:
Multiple vulnerabilities have been reported in OpenSSH.
- The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection. (CVE-2015-5600)
- The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests. (CVE-2015-6563)
- Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges. (CVE-2015-6564)

Threat2:
"OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol.

Multiple Vulnerabilities have been reported in OpenSSH v7.3 and earlier. These vulnerabilities if exploited will allow code execution, privilege escalation, information disclosure and denial of service attacks."


CVE IDS:
CVE-2015-5600, CVE-2015-6563, CVE-2015-6564
CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-8858

  • I have only worked with Trustwave for PCI scanning. Once they accept an explanation, it rolls over from one scan to the next. If your vendor cannot do this, perhaps you should find a different vendor, because this is pretty fundamental to an ongoing relationship with your PCI scan vendor.

    The automated scans only detect the version, not the patch level. I would like to understand more about how they do this, because I would prefer that neither good guys nor bad guys be able to detect this level of information from an unauthorized internet location.

    To satisfy Trustwave, I just need to get information from the vendor indicating that the patch has been "backported". Sometimes (usually?) Trustwave will require proof that the backport has been installed. When this has been necessary, they have told me what file they need.
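As an added illustration of the version-only check this reply describes (example code written here, not from the thread, Sophos or Trustwave): it parses constructed SSH identification strings and reports CVEs purely by comparing the advertised OpenSSH version with the fix versions the thread quotes (7.0 for the 2015 CVEs, 7.4 for the 2016 ones), which is exactly why a vendor build with backported patches keeps being flagged. The fix-version table and the sample banners are assumptions taken from the thread, not an independently verified advisory.

```python
import re

# Fix versions as stated in this thread (assumption: 2015 CVEs fixed in 7.0,
# 2016 CVEs fixed in 7.4). Not an independently verified advisory table.
CVE_FIXED_IN = {
    "CVE-2015-5600": (7, 0),
    "CVE-2015-6563": (7, 0),
    "CVE-2015-6564": (7, 0),
    "CVE-2016-10009": (7, 4),
    "CVE-2016-10010": (7, 4),
    "CVE-2016-10011": (7, 4),
    "CVE-2016-10012": (7, 4),
    "CVE-2016-8858": (7, 4),
}

# RFC 4253 identification string: SSH-protoversion-softwareversion SP comments
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)")


def parse_banner(banner):
    """Return (major, minor, comments) for an OpenSSH banner, or None if it is not one."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    v = OPENSSH_RE.match(m.group("software"))
    if not v:
        return None
    return int(v.group(1)), int(v.group(2)), m.group("comments") or ""


def version_only_findings(banner):
    """Mimic a version-matching scanner: report every CVE whose fix version is
    newer than the advertised one. A backported fix is invisible to this check."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    major, minor, _ = parsed
    return sorted(cve for cve, fix in CVE_FIXED_IN.items() if (major, minor) < fix)


def has_vendor_comment(banner):
    """The comment field (a vendor/package release tag) is the only hint the banner
    gives that patches may be backported; it proves nothing without the vendor changelog."""
    parsed = parse_banner(banner)
    return parsed is not None and bool(parsed[2])


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for b in ("SSH-2.0-OpenSSH_6.9p1 example-backport-3", "SSH-2.0-OpenSSH_7.4p1"):
        print(b, "->", version_only_findings(b), "vendor comment:", has_vendor_comment(b))
```

The patched-but-old banner is reported against all eight CVEs even though the vendor may have backported every fix, which is the gap the vendor's backport statement has to close for the scan vendor.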

  • DouglasFoster said:
    If your vendor cannot do this, perhaps you should find a different vendor, because this is pretty fundamental to an ongoing relationship with your PCI scan vendor.

    We don't have a horse in the PCI vendor race, or even a voice. All we get to say on a monthly basis is "Thank you, sir, may I have another."

    ;)