topic Re: FTD OpenSSH < 9.8 RCE in Network Security

FTD OpenSSH < 9.8 RCE

GilR — Wed, 02 Oct 2024 16:13:11 GMT

Hello,

We have Cisco 1140 FTDs managed by FMC that are showing up in tenable with OpenSSH < 9.8 RCE vulnerabilities. The closest Cisco advisory I could find regarding this is this: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-openssh-rce-2024.html and we have applied the 7.2.8.1 update to FMC and the FTDs and it is still showing up as having an OpenSSH version of 9.1. Is there a different fix for this?

Re: FTD OpenSSH < 9.8 RCE

GSIT1 — Mon, 28 Oct 2024 10:01:58 GMT

our Cisco FRP1120 has same problem, upgraded to 7.4.2 but still reporting the OpenSSH v9.1 bug CVE-2024-6387

Re: FTD OpenSSH < 9.8 RCE

ahollifield — Mon, 28 Oct 2024 12:00:23 GMT

Cisco uses a custom fork of OpenSSH called CiscoSSH in their security products and is maintained and versioned separately than OpenSSH. Vulnerability scanners do not do a proper job of detecting the "version" of CiscoSSH. I would open a TAC case or work with your account team for an official answer but this could be a false positive. Also why not 7.4.2.1?

Re: FTD OpenSSH < 9.8 RCE

Marvin Rhoads — Mon, 28 Oct 2024 15:48:36 GMT

As @ahollifield mentioned, Cisco's fork of OpenSSH fixes that vulnerability as of 7.4.2. Scanners will only pull the OpenSSH v9.1 version number on which CiscoSSH is based and not distinguish Cisco's fixes that are applied to that code branch.

Reference confirming the fix: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssh-rce-2024

Also agree that you should patch to 7.4.2.1 for a few additional bug and vulnerability fixes.