
SSH version and vulnerability

Hi there.

I just noticed a new vulnerability here: https://www.exploit-db.com/exploits/40888/

As it states, any SSH below 7.3 is affected. This includes Sophos UTM 9.4:

sophos_utm:/ # ssh -v localhost
OpenSSH_6.2p2, OpenSSL 1.0.1k 8 Jan 2015

Any sign that Sophos is going to update this outdated SSH and SSL?

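The version check in the post above, as an added example that is not part of the thread or of Sophos' code: a small POSIX shell script that parses the banner printed by `ssh -v` (its first line) or `ssh -V` and compares the OpenSSH version against a threshold. The threshold is a parameter (7.3 here, the value the poster cites); the banners below are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos: parse the banner
# that `ssh -v` / `ssh -V` prints (the first line of `ssh -v` output,
# e.g. "OpenSSH_6.2p2, OpenSSL 1.0.1k 8 Jan 2015") and compare the
# OpenSSH version against a threshold passed in by the caller.

# openssh_version BANNER -> prints "major.minor" (6.2 for the banner
# above); fails if the banner does not start with OpenSSH_.
openssh_version() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# version_below A B -> exit 0 if A < B, comparing major then minor as
# integers (so 7.10 counts as newer than 7.3, which a plain string
# compare gets wrong).
version_below() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ] && return 0
    return 1
}

# ssh_banner_vulnerable BANNER THRESHOLD -> 0 if the OpenSSH in BANNER
# is older than THRESHOLD, 1 if it is not, 2 if the banner is
# unparseable (e.g. a debug line instead of the version line).
ssh_banner_vulnerable() {
    v=$(openssh_version "$1") || return 2
    version_below "$v" "$2"
}

# Constructed banners for a stand-alone run. On a real host use
# "$(ssh -V 2>&1)" instead. 7.10 is a made-up version number, included
# only to show the numeric minor-version compare.
UTM_BANNER='OpenSSH_6.2p2, OpenSSL 1.0.1k 8 Jan 2015'
for banner in "$UTM_BANNER" \
              'OpenSSH_7.4p1, OpenSSL 1.0.2k  26 Jan 2017' \
              'OpenSSH_7.10p1, OpenSSL 1.1.1' \
              'debug1: Reading configuration data /etc/ssh/ssh_config'; do
    ssh_banner_vulnerable "$banner" 7.3
    case $? in
        0) echo "below 7.3   : $banner" ;;
        1) echo "7.3 or newer: $banner" ;;
        *) echo "not a banner: $banner" ;;
    esac
done
```

Note that the banner only tells you the upstream release number; a vendor that backports fixes into an older release (as one of the replies below suggests happens) will still show the old number, so treat the result as a prompt to ask the vendor, not as proof of exposure.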
  • I'd imagine it would eventually be patched/upgraded. However, SSH shouldn't be open on the internet, and you should close yours if it is. So this vulnerability should only be an issue if you have someone on your network trying to hack port 22 of your UTM.

  • Further, you can change your default SSH port, and only change it back to the standard one if your SSH software can't work with a non-standard port.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • Hi,

    I have to check if there is already a request to upgrade the SSH version. You can suggest this as an idea here.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • I've seen questions like this many times over the years. In most cases, it's easier for the developers to apply a fix to the version that they already have hardened and certified. It's a lot of effort to test, harden and vet a new version. I suspect that this is what's happened here.

    In any case, as others have suggested, you can change the port so that even the Chinese military wouldn't be looking for an SSH server at your IP. I don't do that because of the following:

    Certainly, you want access to be as limited as possible. For WebAdmin and Shell Access, I limit the allowed networks to just a few IPs:

    • "my_user_name (Address)" if accessing via Remote Access
    • My office IPs
    • My Home IP and that of the local admin(s)
    • Internal IPs of the local admin(s), not "Internal (Network)"
    • Sophos Support IPs are added when a ticket is opened with them

    If you do this, there is virtually zero exposure even if the devs haven't yet applied a fix.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
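The allow-list approach in Bob's post, as an added example that is not from the thread or from Sophos: a POSIX shell CIDR matcher that shows the difference between allow-listing a few admin hosts as /32 entries and allow-listing the whole "Internal (Network)". The addresses are constructed (RFC 5737 documentation ranges plus 10.0.0.0/8) and the function names are mine; the UTM applies such lists through WebAdmin, not through a script like this, so this only illustrates what each kind of entry lets through.

```shell
#!/bin/sh
# Added example, not Sophos code: decide whether a source IP is inside an
# admin allow list given as dotted-quad CIDR entries (a bare address
# counts as /32). Pure POSIX sh arithmetic, no external tools.

# ip2int A.B.C.D -> prints the address as a 32-bit integer.
# Runs in a subshell so the IFS change does not leak to the caller.
ip2int() (
    IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
)

# ip_in_cidr IP NET/PREFIX -> exit 0 if IP lies inside the network.
ip_in_cidr() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    plen=${2#*/}
    [ "$plen" = "$2" ] && plen=32  # no "/" given: a single host
    # Prefix mask with the top PLEN bits set, built by subtraction so
    # that /0 and /32 both work without shifting a 32-bit value.
    mask=$(( 4294967295 - ((1 << (32 - plen)) - 1) ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# admin_allowed IP ENTRY... -> exit 0 if IP matches any allow-list entry.
admin_allowed() {
    src=$1; shift
    for entry in "$@"; do
        ip_in_cidr "$src" "$entry" && return 0
    done
    return 1
}

# Constructed allow list in the spirit of the post: a few hosts, not the
# whole LAN. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
OFFICE_IP=203.0.113.10/32
HOME_IP=198.51.100.7/32
LOCAL_ADMIN=10.0.0.5/32            # the admin's workstation, not the LAN
INTERNAL_NETWORK=10.0.0.0/8        # what an "Internal (Network)" entry allows

for src in 10.0.0.5 10.0.0.77 198.51.100.7 203.0.113.200; do
    if admin_allowed "$src" "$OFFICE_IP" "$HOME_IP" "$LOCAL_ADMIN"; then
        echo "$src: allowed by the host list"
    else
        echo "$src: rejected by the host list"
    fi
    if admin_allowed "$src" "$INTERNAL_NETWORK"; then
        echo "$src: allowed by Internal (Network)"
    fi
done
```

Run stand-alone, 10.0.0.77 (any other LAN host) is rejected by the host list but accepted by the Internal (Network) entry, which is the exposure the post is warning about: with the network entry, a single compromised workstation is enough to reach the shell access port.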