topic Re: openssh/openssl in General Topics

openssh/openssl

Naana — Thu, 18 Jul 2024 14:04:31 GMT

Hello mates,

The current version of OpenSSH and OpenSSL on R81.20 is OpenSSH 7.8p1 and OpenSSL 1.1.1w. According to the Vulnerability Assessment reports, these versions are flagged as having vulnerabilities. What are the latest compatible versions ?

Re: openssh/openssl

PhoneBoy — Thu, 18 Jul 2024 16:45:47 GMT

These components should be patched against the relevant CVEs.
See the following SKs:

Status of OpenSSL CVEs: https://support.checkpoint.com/results/sk/sk92447
Status of OpenSSH CVEs: https://support.checkpoint.com/results/sk/sk65269

Re: openssh/openssl

genisis__ — Wed, 12 Feb 2025 22:25:46 GMT

We are running R82 with JHFA10 and when we ran a scan against this, was surprised it picked up OpenSSH CVE's from 2018, and 2019 (They are listed in SK65269).

I raised a TAC case and was told this is not a TAC issue. Well CVE's from 2018/2019 on the latest build..hmm I don't think there is an excuse as to why OpenSSH has not been updated to resolve these issues, any chance we can get an update as to when OpenSSH is going to be updated to non-vulnerable version?

Re: openssh/openssl

Bob_Zimmerman — Thu, 13 Feb 2025 06:34:43 GMT

That's more an issue with vulnerability scanners being terrible wastes of money. 😜 I keep getting scan results saying systems are vulnerable to CVE-2023-48795, which is categorically not a vulnerability on versions of OpenSSH before 9.5. They basically look at the version in the service banner, ignore it, and report every CVE which has ever existed for the application, no matter whether it represents an actual vulnerability in that environment or not.

Re: openssh/openssl

genisis__ — Thu, 13 Feb 2025 09:31:29 GMT

I agree - pen test reports never seem to actually indicate what was required in order to actually get to the point they could scan the device.
So it could be a critical vulnerability but the probability of exploit is low due to the layer of security that had to be bypassed in order to reach that point.

That said my comments are coming from the fact the SK from Checkpoint indicates the issue has not been fixed because they believe its a low priority (since 2019!).

Re: openssh/openssl

PhoneBoy — Thu, 13 Feb 2025 23:48:01 GMT

If you look at the CVSS scores for the CVEs, they rate between 3.1 and 5.3 (out of 10).
At best they are "low to medium" severity CVEs that require a privileged user on the platform to access a malicious SCP server to be exploited.
This is likely why we have made the determination this is relatively low risk.

I assume we will fix this once the underlying component is updated to a different version, which most likely won't happen outside of a new release.

Re: openssh/openssl

genisis__ — Fri, 14 Feb 2025 13:51:22 GMT

Thanks.