jpage@securewor Frequent Contributor.

OpenSSH vulnerabilities

There are 2 recent OpenSSH vulnerabilities that are listed with NIST. I am not able to get information from HP on whether they are working on upgrading OpenSSH to version 7 or 7.1.

OpenSSH < 6.9 Multiple Vulnerabilities - CVE-2015-5352

OpenSSH < 7.0 Multiple Vulnerabilities - CVE-2015-5600

(1) advice on where to look or submit requests for vulnerabilities

(2) what are others doing to pass PCI audits with pre-7 versions of OpenSSH running on the loggers and connectors.

shezaf1 Acclaimed Contributor.

Re: OpenSSH vulnerabilities

(1) advice on where to look or submit requests for vulnerabilities

Ofer: You have two options – you can file a support vulnerability ticket which is then handled by HP ArcSight R&D, or you can contact HP security response center. That said, the latter would require you to prove that the system is vulnerable.

(2) what are others doing to pass PCI audits with pre-7 versions of OpenSSH running on the loggers and connectors.

Ofer: we have checked. Logger and connector server appliances (ConApp or ArcMC) are not vulnerable. The reason is that X11 forwarding and ChallengeResponseAuthentication, the options required to exploit those vulnerabilities, are disabled on those systems.

jpage@securewor Frequent Contributor.

Re: OpenSSH vulnerabilities

Thank you for your response.

I was able to verify the sshd_config settings (/opt/local/openssh/config/sshd_config):

ChallengeResponseAuthentication no

X11Forwarding no

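The two directives named in the replies above (X11Forwarding for CVE-2015-5352, ChallengeResponseAuthentication for CVE-2015-5600) can be audited from a copy of sshd_config without touching the appliance. The script below is an added example, not code from the thread or from ArcSight; it applies the sshd_config(5) defaults when a directive is absent (X11Forwarding defaults to no, ChallengeResponseAuthentication defaults to yes), honours OpenSSH's first-value-wins rule, and reports any Match block that re-enables a directive. The sample configs are constructed for the example.

```python
"""Audit an OpenSSH sshd_config for the directives discussed in this thread."""
import re

# Defaults applied by sshd when the directive is absent (sshd_config(5)).
DEFAULTS = {
    "x11forwarding": "no",                     # X11 forwarding, CVE-2015-5352
    "challengeresponseauthentication": "yes",  # keyboard-interactive auth, CVE-2015-5600
}

def parse_sshd_config(text):
    """Return (global_settings, match_block_settings) with lower-cased keys.

    Directives after a 'Match' line only apply conditionally, so they are
    tracked separately instead of overriding the global value.
    """
    global_cfg, match_cfg = {}, {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)  # 'Key value' or 'Key=value'
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            in_match = True
            continue
        target = match_cfg if in_match else global_cfg
        target.setdefault(key, value)             # sshd keeps the first value seen
    return global_cfg, match_cfg

def audit(text):
    """Return the effective value of each audited directive, plus Match overrides."""
    global_cfg, match_cfg = parse_sshd_config(text)
    findings = {}
    for key, default in DEFAULTS.items():
        findings[key] = global_cfg.get(key, default)
        if key in match_cfg:
            findings[key + "_match_override"] = match_cfg[key]
    return findings

def flagged(text):
    """Directives whose effective value is not 'no', i.e. still worth attention."""
    findings = audit(text)
    return sorted(k for k in DEFAULTS if findings[k] != "no")

# Constructed sample configs (not copied from any appliance).
HARDENED = "ChallengeResponseAuthentication no\nX11Forwarding no\n"
DEFAULTS_ONLY = "Port 22\n# X11Forwarding yes  (commented out, so default applies)\n"
MATCH_OVERRIDE = HARDENED + "Match User ops\n  ChallengeResponseAuthentication yes\n"
```

Because the absent directive falls back to yes, a config that never mentions ChallengeResponseAuthentication is reported as still enabled, which is the case the thread's verification step is meant to rule out.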
jpage@securewor Frequent Contributor.

Re: OpenSSH vulnerabilities

Do you think there are any issues running a much older version of OpenSSH (arcsight-openssh-5.9.1-13)?

The documentation for CVE-2015-5352 is not clear on whether or not X11Forwarding is set to no; perhaps it's assumed to only be a vulnerability if it's set to yes.

Thanks again for your response.

shezaf1 Acclaimed Contributor.

Re: OpenSSH vulnerabilities

Note that we have now published an official response to these issues:
