Netgate Discussion Forum

    OpenSSH - patching CVE-2018-15473

fperloff:

      Hi,
I'm saddled with fixing vulnerabilities detected by a PCI scan. The scanner looked at the OpenSSH version number from pfSense, which is 7.5, and said that we need to upgrade to version 7.8 or later in order to fix vulnerability CVE-2018-15473. I thought perhaps pfSense's OpenSSH had already been patched but its version number had been kept at the base system number. However, the last patch for OpenSSH on FreeBSD shown at https://www.freebsd.org/security/advisories.html is from 2017-08-10, which predates the vulnerability I'm trying to fix.
      What are my options? Should I try to update OpenSSH package on the pfSense?
      Thanks!

heper:

        https://www.openwall.com/lists/oss-security/2018/08/24/1

fperloff:

          Interesting conversation about relative importance of fixing bugs vs adding to the attack surface.

          In this case, OpenSSH was patched, but FreeBSD doesn't use a patched version. The only options I see for passing the PCI scan are to either install a later version of OpenSSH for FreeBSD, which doesn't appear to exist, or to patch it myself and self-certify. If the latter, what tools are required and how do you patch existing software?

fperloff:

I see that the latest FreeBSD version, 12.2, released yesterday, October 29, 2020, has upgraded to OpenSSH version 7.9p1. pfSense is on FreeBSD 11.3-STABLE and uses OpenSSH 7.5. Is there a way to use a package compiled with a later OS?

heper:

I don't think there is any reason to patch this. It's trivial.

Your firewall's SSH port shouldn't be (have to be) available to any devices on your network.... except perhaps from your own secure management network.

To pass the scan, either disable SSH completely or lock it down with rules so only authorized devices can access it.

johnpoz (LAYER 8 Global Moderator):

                ^ exactly..

This seems to come up a lot where PCI scans are not done correctly.. While it's true your firewall is in the path that PCI data will flow through, and so needs to be scanned.

                SSH should never be open to this path.

Yes, all your public-facing IPs need to be scanned - why do you have SSH open to the public?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

fperloff:

                  You hit the nail on the head! All I had to do was create a firewall rule to block port 22 on WAN.
                  Thanks for helping me rethink my issue.

johnpoz (LAYER 8 Global Moderator):

Why was SSH ever allowed on the WAN in the first place? Out of the box nothing is open on the WAN..

If you had to create a specific rule to block it, I would guess your firewall rules are too open on the WAN in the first place.

                    I would hope you just locked down the rules you had in place to the specific ports that need to be allowed for your services to work, and didn't just put in a block for ssh above whatever rules you had..

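The two rule sets johnpoz contrasts, written out in pf syntax as an added illustration (this is not pfSense's generated ruleset or anything from the thread; interface names, the management subnet and the single public service are assumptions):

```pf
# Hypothetical pf ruleset; interface names, networks and ports are assumed.
wan_if   = "em0"
lan_if   = "em1"
mgmt_net = "192.168.10.0/24"   # assumed management VLAN behind the LAN

set block-policy drop
set skip on lo0

# --- BEFORE: too open on the WAN -------------------------------------------
# A broad pass rule like this is what makes the scanner see sshd on the WAN.
# pass in quick on $wan_if proto tcp from any to ($wan_if) port { 22 443 }
# Adding "block ... port 22" above it hides SSH but leaves the real problem.

# --- AFTER: default deny, then only what each interface needs --------------
block in log all

# Internet-facing service(s) the business actually needs, nothing else.
pass in quick on $wan_if proto tcp from any to ($wan_if) port 443

# SSH management of the firewall only from the management network on LAN.
pass in quick on $lan_if proto tcp from $mgmt_net to ($lan_if) port 22

# Ordinary LAN clients may reach the firewall's other services (e.g. DNS)
# and the Internet, but never its SSH port.
pass in quick on $lan_if proto { tcp udp } from $lan_if:network to ($lan_if) port 53
pass in quick on $lan_if from $lan_if:network to ! ($lan_if)

pass out quick all keep state
```

With the default deny in place, the WAN simply never answers on 22, so the scanner has no banner to version-match, and SSH on the LAN is limited to the one subnet that should hold administrators' workstations.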

chrcoluk (replying to fperloff):

                      @fperloff said in OpenSSH - patching CVE-2018-15473:

                      Interesting conversation about relative importance of fixing bugs vs adding to the attack surface.

                      In this case, OpenSSH was patched, but FreeBSD doesn't use a patched version. The only options I see for passing the PCI scan are to either install a later version of OpenSSH for FreeBSD, which doesn't appear to exist, or to patch it myself and self-certify. If the latter, what tools are required and how do you patch existing software?

FreeBSD itself has a newer version available in the ports tree. I don't know specifics about pfSense packages though.

                      pfSense CE 2.8.1

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.