
CSS and Nessus Scans (SSH vulnerability)

zebula
Level 1

I have a CSS 11503 running 8.20.3.03. I have performed a Nessus vulnerability scan against the CSS. The scans have shown vulnerabilities against SSH. It is reporting that we need to upgrade to OpenSSH version 5.0 or later.

If I upgrade to 8.20.5.01, will that address this issue? I looked through the caveats for the other code versions and I do not see that being addressed as an issue or a fix.

If not, is there something else I can do to address this issue?

Any help would be appreciated.


Cesar Roque
Level 4

Hi,

The OpenSSH version that the CSS runs depends on the WebNS software version.

For example 8.20.5.01 runs OpenSSH:

OpenSSH_3.0.2p1


Do you have the vulnerability number? It should start with CVE-




--------------------- Cesar R ANS Team

Cesar,

The scans identified a few vulnerabilities,

CVE-2002-0639
CVE-2002-0640

CVE-2003-0682
CVE-2003-0693
CVE-2003-0695

CVE-2002-0575

CVE-2002-0083

CVE-2003-0386

CVE-2008-1483

I noticed that you state that 8.20.5.01 runs OpenSSH_3.0.2p1. This is the same SSH that 8.20.3.03 is reporting. So upgrading does not look to be a solution.

Side note: I am not leveraging the Web NS function. I just SSH or console into the CSS.

These vulnerabilities are related to this bug, CSCsq48414. Basically the bug says that these CVEs don't apply to the CSS.

--------------------- Cesar R ANS Team
