OpenSSH - patching CVE-2018-15473
-
Hi,
I'm saddled with fixing vulnerabilities detected by a PCI scan. The scanner looked at the OpenSSH version number from pfSense, which is 7.5, and said that we need to upgrade to version 7.8 or later in order to fix vulnerability CVE-2018-15473. I thought perhaps pfSense's OpenSSH had already been patched, but that its version number had been kept at the base system number. However, the last patch for OpenSSH on FreeBSD that is shown at https://www.freebsd.org/security/advisories.html is from 2017-08-10, which predates the vulnerability I'm trying to fix.
What are my options? Should I try to update OpenSSH package on the pfSense?
Thanks!
-
https://www.openwall.com/lists/oss-security/2018/08/24/1
-
Interesting conversation about relative importance of fixing bugs vs adding to the attack surface.
In this case, OpenSSH was patched, but FreeBSD doesn't use a patched version. The only options I see for passing the PCI scan are to either install a later version of OpenSSH for FreeBSD, which doesn't appear to exist, or to patch it myself and self-certify. If the latter, what tools are required and how do you patch existing software?
-
I see that the latest FreeBSD version 12.2, released yesterday, October 29, 2020 has upgraded to OpenSSH version 7.9p1. pfSense is on FreeBSD 11.3-STABLE, and uses OpenSSH 7.5. Is there a way to use a package compiled with a later OS?
-
I don't think there is any reason to patch this. It's trivial.
Your firewall's SSH port shouldn't be (have to be) available to any devices on your network.... except perhaps from your own secure management network.
To pass the scan, either disable SSH completely or lock it down with rules so only authorized devices can access it.
-
^ exactly..
This seems to come up a lot where PCI scans are not done correctly.. While it's true your firewall is in the path that PCI data will flow through, and then needs to be scanned,
SSH should never be open to this path.
Yes, all your public-facing IPs need to be scanned - why do you have SSH open to the public?
-
You hit the nail on the head! All I had to do was create a firewall rule to block port 22 on WAN.
Thanks for helping me rethink my issue.
-
Why was SSH ever allowed on the WAN in the first place? Out of the box nothing is open on the WAN..
If you had to create a specific rule to block it, I would guess your firewall rules are too open on the WAN in the first place.
I would hope you just locked down the rules you had in place to the specific ports that need to be allowed for your services to work, and didn't just put in a block for SSH above whatever rules you had..
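As an added illustration of the point made in the last two posts (this is not configuration from any poster in the thread or from the pfSense project), here is a minimal pf ruleset that contrasts the over-permissive WAN policy with a locked-down one: WAN only passes the services that genuinely must be public, and SSH to the firewall is reachable only from a management subnet on the LAN side, so no separate "block port 22" rule is needed. The interface names, the management subnet and the published service ports are assumptions; substitute your own. pfSense generates its own pf rules from the GUI, so treat this as the policy to express there, not a file to drop onto the box.

```pf
# Added example, not from the thread. Assumed values: em0 = WAN, em1 = LAN,
# 10.0.99.0/24 = management subnet, 80/443 = the only services that must be
# reachable from the Internet.
ext_if   = "em0"
int_if   = "em1"
mgmt_net = "10.0.99.0/24"
web_ports = "{ 80, 443 }"

set skip on lo0
# Default deny on every interface, in both directions, and log what is dropped
# so the scan traffic itself shows up in the firewall log.
block log all

# --- Over-permissive pattern (left commented out; this is what the scanner
# --- tends to find). The first rule publishes every listening daemon,
# --- including sshd; the second only hides port 22 from the scanner while
# --- everything else on the firewall stays exposed.
# pass in on $ext_if inet proto tcp from any to ($ext_if)
# block in quick on $ext_if inet proto tcp from any to ($ext_if) port 22

# --- Locked-down WAN policy: only the published services are passed in from
# --- the Internet. sshd is simply never reachable on WAN, so there is nothing
# --- to block.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $web_ports \
    flags S/SA keep state

# SSH to the firewall is allowed only from the management subnet, only on the
# LAN-side interface.
pass in on $int_if inet proto tcp from $mgmt_net to ($int_if) port 22 \
    flags S/SA keep state

# Let the firewall and LAN hosts originate outbound connections.
pass out on $ext_if inet keep state
pass in on $int_if inet from $int_if:network to any keep state
```

The design point is the one made above: with a default-deny policy and an explicit allow list, an unpatched daemon that is not on the list is unreachable from the scanned path, and the scan finding disappears without a block rule stacked on top of a permissive one. A block rule placed above a broad pass rule passes the scan but leaves every other listener on the WAN address exposed.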
-
@fperloff said in OpenSSH - patching CVE-2018-15473:
Interesting conversation about relative importance of fixing bugs vs adding to the attack surface.
In this case, OpenSSH was patched, but FreeBSD doesn't use a patched version. The only options I see for passing the PCI scan are to either install a later version of OpenSSH for FreeBSD, which doesn't appear to exist, or to patch it myself and self-certify. If the latter, what tools are required and how do you patch existing software?
FreeBSD itself has a newer version available in the ports tree. I don't know specifics about pfSense packages though.