
SSH version and vulnerability

Hi there.

I just noticed a new Vulnerability here: https://www.exploit-db.com/exploits/40888/

As it states, any SSH below 7.3 is affected. This includes Sophos UTM 9.4:

sophos_utm:/ # ssh -v localhost
OpenSSH_6.2p2, OpenSSL 1.0.1k 8 Jan 2015

Any sign that Sophos is going to update this outdated SSH and SSL?

  • I've seen questions like this many times over the years.  In most cases, it's easier for the developers to apply a fix to the version that they already have hardened and certified.  It's a lot of effort to test, harden and vet a new version.  I suspect that this is what's happened here.

    In any case, as others have suggested, you can change the port so that even the Chinese military wouldn't be looking for an SSH server at your IP.  I don't do that because of the following:

    Certainly, you want access to be as limited as possible.  For WebAdmin and Shell Access, I limit the allowed networks to just a few IPs:

    • "my_user_name (Address)" if accessing via Remote Access
    • My office IPs
    • My Home IP and that of the local admin(s)
    • Internal IPs of the local admin(s), not "Internal (Network)"
    • Sophos Support IPs are added when a ticket is opened with them

    If you do this, there is virtually zero exposure even if the devs haven't yet applied a fix.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
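The two posts above pull in opposite directions: the opener reads the `ssh -v` banner and concludes 6.2p2 is below the 7.3 cut-off, while the reply points out that vendors often backport a fix without bumping the version. The following script, added here as an example and not code from the thread or from Sophos, does the first step mechanically (parse an `OpenSSH_x.y[pN]` token out of either a `ssh -v` line or a server identification string) and then labels the result the way a practitioner should read it: a version below the advisory's fix is a screen, not a confirmation, and a vendor tag in the banner is a hint that a backport may exist. The 7.3 default is the cut-off the original poster quotes; the sample inputs are constructed, and `Ubuntu-4ubuntu2.8` is just an illustrative vendor suffix.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample inputs (not taken from the thread): the first line a
# client prints for `ssh -v`, in the shape the original poster pasted, and a
# server identification string as sent on the wire (RFC 4253, section 4.2).
SAMPLE_SSH_V = (
    "OpenSSH_6.2p2, OpenSSL 1.0.1k 8 Jan 2015\n"
    "debug1: Reading configuration data /etc/ssh/ssh_config\n"
)
SAMPLE_BANNER = "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8"

# OpenSSH_<major>.<minor>[p<portable release>], optionally followed by a vendor
# tag glued on with a space or a dash (e.g. "Ubuntu-4ubuntu2.8", "Debian-10+deb9u7").
# The portable release number and the vendor tag are captured but never used
# for ordering: only the upstream major.minor is comparable across builds.
_VERSION_RE = re.compile(
    r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:[ -]([A-Za-z][\w.+~-]*))?"
)


def parse_openssh(text: str) -> Optional[Dict[str, object]]:
    """Extract the first OpenSSH version token from banner or `ssh -v` text.

    Returns None when the text carries no OpenSSH token (other servers such as
    dropbear, or garbage), so callers cannot silently treat it as 'unaffected'.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return {
        "major": int(m.group(1)),
        "minor": int(m.group(2)),
        "portable": int(m.group(3)) if m.group(3) else 0,
        "vendor": m.group(4),
    }


def assess(text: str, fixed_in: Tuple[int, int] = (7, 3)) -> Dict[str, object]:
    """Screen a banner against the upstream version in which a fix shipped.

    fixed_in defaults to (7, 3) because that is the cut-off quoted in the
    original post; pass the value from the advisory you are actually checking.
    The verdict is deliberately worded as a screen: a version below the fix
    means 'go and confirm', because a vendor may have backported the patch
    without changing the banner, exactly as the reply above suggests.
    """
    info = parse_openssh(text)
    if info is None:
        return {"version": None, "portable": None, "vendor": None,
                "below_fix": None,
                "verdict": "not OpenSSH or unparseable; inspect by hand"}
    version = (info["major"], info["minor"])
    below = version < fixed_in
    if not below:
        verdict = "upstream version at or above fix; not flagged by version"
    elif info["vendor"]:
        verdict = ("upstream version below fix, but vendor build %s may carry a "
                   "backported patch; confirm against the vendor's changelog"
                   % info["vendor"])
    else:
        verdict = ("upstream version below fix and no vendor tag; treat as "
                   "affected until the vendor confirms a backport")
    return {"version": version, "portable": info["portable"],
            "vendor": info["vendor"], "below_fix": below, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_SSH_V, SAMPLE_BANNER, "SSH-2.0-dropbear_2016.74"):
        result = assess(sample)
        print("%-45s -> %s" % (sample.splitlines()[0], result["verdict"]))
```

Feed it the first line of `ssh -v` output, or the line a server sends right after connect (for example what `nc host 22` prints), and read the verdict as a to-do, not an answer: for an appliance build such as the one in the original post, the only authoritative source for "is the fix in" is the vendor's release notes, and the allow-listing the reply describes limits exposure regardless of what the banner says.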