https://community.checkpoint.com/t5/General-Topics/OpenSSH-Vulnerability-detection/m-p/248678#M41572 <P>In general, Check Point is very serious about product vulnerabilities. The Critical and High CVEs are fixed in a record time, especially when compared against competitors. Now, to address your questions:<BR /><BR />1. "Vulnerable - but not exploitable" means that although a specific component might be vulnerable to an attack, it cannot be exploited, even theoretically, as part of specific Check Point products. Usually it is the case for those parts of external libraries which are not in use, although present.</P> <P>If you cannot take a responsible reporting from the vendor as trusted and require additional proof, you can always request additional information via a TAC ticket or by reaching out to your local Check Point office.</P> <P>2. Check Point always updates or even provides custom patches for those CVEs that present a significant risk to our customers. If you are not familiar with the scoring system, <A href="https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System" target="_blank">take a look here</A>; there is a decent explanation of how it is assessed.&nbsp;<BR /><BR />There is always a risk for any information or network system, it is never zero.&nbsp;<SPAN data-huuid="1599459801440405553">A "low risk" CVE score, generally in the range of 0.1 to 3.9, indicates a vulnerability with minimal severity.&nbsp;</SPAN><SPAN data-huuid="1599459801440407244">It means the impact on an organization's operations would be very limited at best, and most probably will just cause an inconvenience.&nbsp;</SPAN><SPAN data-huuid="1599459801440404839">Exploiting these vulnerabilities typically requires local or physical access to the system.<SPAN class="pjBG2e" data-cid="cf590a28-e74a-4e54-ac48-e025ffcd5b19"><SPAN class="UV3uM">&nbsp;</SPAN></SPAN></SPAN></P> <P><SPAN data-huuid="1599459801440404839"><SPAN class="pjBG2e" data-cid="cf590a28-e74a-4e54-ac48-e025ffcd5b19"><SPAN class="UV3uM">In other words, having an admin password for your firewalls in the hands of a rogue admin is a higher risk than a low vulnerability&nbsp; CVE. If it can only be exploited by accessing your system with an admin password, it is more a question of whether you trust your engineers and administrators.<BR /><BR /></SPAN></SPAN></SPAN>I hope this makes sense. Let me know if you have more questions.<BR /><BR />&nbsp;</P> Mon, 12 May 2025 15:03:41 GMT _Val_ 2025-05-12T15:03:41Z https://community.checkpoint.com/t5/General-Topics/OpenSSH-Vulnerability-detection/m-p/248673#M41570 <P>Hi,</P><P>I've been digging through information in regards to the vulnerabilities in OpenSSH that were found during our vulnerability and penetration testing.&nbsp; We currently run R81.20 which has OpenSSH 7.8.&nbsp; I've also been reading some of the other posts in the community.&nbsp;&nbsp;<A href="https://community.checkpoint.com/t5/General-Topics/OpenSSH-upgrade-R81-10/m-p/167999#M27914" target="_blank" rel="noopener">OpenSSH upgrade R81.10 - Check Point CheckMates</A></P><P>Below OpenSSH 8.0 has the following CVE's reported.</P><P>CVE-2018-20685<BR />CVE-2019-6109<BR />CVE-2019-6110<BR />CVE-2019-6111</P><P>Below OpenSSH 9.6 reports the follwing CVE's:</P><P>CVE-2023-48795<BR />CVE-2023-51384<BR />CVE-2023-51385</P><P>Now I've been reviewing SK65269&nbsp;<A href="https://support.checkpoint.com/results/sk/sk65269" target="_blank" rel="noopener">sk65269 - Status of OpenSSH CVEs</A> and the list of OpenSSH CVE's.&nbsp; CheckPoint has indicated that some of these are deemed "<STRONG>Vulnerable -&nbsp;</STRONG>but not exploitable'</P><P>I wanted to raise the questions</P><P>1.&nbsp; What does "<STRONG>Vulnerable -&nbsp;</STRONG>but not exploitable" actually mean?&nbsp; Does it mean that even though the version is vulnerable, it cannot be exploited?&nbsp; If this is true, is there any other information or data available that supports this?&nbsp; On paper, to see the word 'vulnerable' even though it's not exploitable still raises questions and concerns for the higher ups on such a vague and somewhat seemingly contradictory response.&nbsp; The clarification's at the bottom do not have an explanation to this status.</P><P>2.&nbsp; Why is Check Point not actively updating these components?&nbsp; I get that some of the responses state that this is a low risk and that the odds of this ever being exploited are low, however, it has always been the practice that one of the best resolutions in cybersecurity for any vulnerability is to patch it.&nbsp; Again, I understand "low risk", but it's still "risk".&nbsp; Ideally we want to eliminate "risk" as much as possible.&nbsp; So why can't CheckPoint include the fixed OpenSSH versions and not have this come up?&nbsp; And at some point are they?</P> Mon, 12 May 2025 14:17:46 GMT https://community.checkpoint.com/t5/General-Topics/OpenSSH-Vulnerability-detection/m-p/248673#M41570 jberg712 2025-05-12T14:17:46Z https://community.checkpoint.com/t5/General-Topics/OpenSSH-Vulnerability-detection/m-p/248674#M41571 <P>1) In my mind, what that really means is that something is indeed vulnerable, but way to exploit that is literally non-existent.</P> <P>2) I really cant answer that question, you should probably ask your local SE or open TAC case to get an official answer.</P> <P>Andy</P> Mon, 12 May 2025 14:47:38 GMT https://community.checkpoint.com/t5/General-Topics/OpenSSH-Vulnerability-detection/m-p/248674#M41571 the_rock 2025-05-12T14:47:38Z https://community.checkpoint.com/t5/General-Topics/OpenSSH-Vulnerability-detection/m-p/248678#M41572 <P>In general, Check Point is very serious about product vulnerabilities. The Critical and High CVEs are fixed in a record time, especially when compared against competitors. Now, to address your questions:<BR /><BR />1. "Vulnerable - but not exploitable" means that although a specific component might be vulnerable to an attack, it cannot be exploited, even theoretically, as part of specific Check Point products. Usually it is the case for those parts of external libraries which are not in use, although present.</P> <P>If you cannot take a responsible reporting from the vendor as trusted and require additional proof, you can always request additional information via a TAC ticket or by reaching out to your local Check Point office.</P> <P>2. Check Point always updates or even provides custom patches for those CVEs that present a significant risk to our customers. If you are not familiar with the scoring system, <A href="https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System" target="_blank">take a look here</A>; there is a decent explanation of how it is assessed.&nbsp;<BR /><BR />There is always a risk for any information or network system, it is never zero.&nbsp;<SPAN data-huuid="1599459801440405553">A "low risk" CVE score, generally in the range of 0.1 to 3.9, indicates a vulnerability with minimal severity.&nbsp;</SPAN><SPAN data-huuid="1599459801440407244">It means the impact on an organization's operations would be very limited at best, and most probably will just cause an inconvenience.&nbsp;</SPAN><SPAN data-huuid="1599459801440404839">Exploiting these vulnerabilities typically requires local or physical access to the system.<SPAN class="pjBG2e" data-cid="cf590a28-e74a-4e54-ac48-e025ffcd5b19"><SPAN class="UV3uM">&nbsp;</SPAN></SPAN></SPAN></P> <P><SPAN data-huuid="1599459801440404839"><SPAN class="pjBG2e" data-cid="cf590a28-e74a-4e54-ac48-e025ffcd5b19"><SPAN class="UV3uM">In other words, having an admin password for your firewalls in the hands of a rogue admin is a higher risk than a low vulnerability&nbsp; CVE. If it can only be exploited by accessing your system with an admin password, it is more a question of whether you trust your engineers and administrators.<BR /><BR /></SPAN></SPAN></SPAN>I hope this makes sense. Let me know if you have more questions.<BR /><BR />&nbsp;</P> Mon, 12 May 2025 15:03:41 GMT https://community.checkpoint.com/t5/General-Topics/OpenSSH-Vulnerability-detection/m-p/248678#M41572 _Val_ 2025-05-12T15:03:41Z https://community.checkpoint.com/t5/General-Topics/OpenSSH-Vulnerability-detection/m-p/248723#M41573 <P>Upgrading one component to a new version often requires upgrading other software components, which may create integration issues.<BR />As such, if we upgrade the version of a component like OpenSSH, it's only done as part of a version upgrade.<BR />Having said that, we do apply the relevant security patches to the underlying components as part of the JHF.</P> Mon, 12 May 2025 21:47:19 GMT https://community.checkpoint.com/t5/General-Topics/OpenSSH-Vulnerability-detection/m-p/248723#M41573 PhoneBoy 2025-05-12T21:47:19Z https://community.checkpoint.com/t5/General-Topics/OpenSSH-Vulnerability-detection/m-p/248724#M41574 <P>You got great answers by both Val and Dameon.</P> <P>Andy</P> Mon, 12 May 2025 21:49:34 GMT https://community.checkpoint.com/t5/General-Topics/OpenSSH-Vulnerability-detection/m-p/248724#M41574 the_rock 2025-05-12T21:49:34Z