Inaccurate information about SSH vulnerabilities from security scanners

Technote (FAQ)


Question

Why does a security scan of my DataPower appliance say that its SSH server has security vulnerabilities?

Cause

Most security scanners look for active SSH ports and attempt to find vulnerabilities on the device being scanned. Several factors, described below, can cause this process to report false positives.

Answer

The SSH protocol requires that servers identify themselves with a version string. The version string is used by SSH client software to set a variety of compatibility and bug workaround behaviors. The DataPower SSH server identifies itself with the following string:

SSH-2.0-OpenSSH_3.8.1p1

Changing that string could cause interoperability issues and prevent some clients from being able to connect to the DataPower appliance's SSH server. For maximum interoperability the DataPower firmware uses an old version string even though it has actually been kept up to date with relevant patches for security vulnerabilities that have arisen since the indicated version.

Many security scanners report SSH vulnerabilities based solely on the contents of this string without actually probing for whether the vulnerability in question is really present. The result is a false positive.

Despite what these security scanners may say (based solely on this version string) the DataPower firmware is not vulnerable to any of the following security vulnerabilities. A Minimum Firmware version of "n/a" indicates that no firmware version was ever vulnerable.

Vulnerability Identifier                                      Minimum Firmware Version
anything <= CVE-2004-2069                                     n/a
CVE-2004-2760                                                 n/a
CVE-2005-2666                                                 n/a
CVE-2005-2797                                                 n/a
CVE-2005-2798                                                 n/a
CVE-2006-0225                                                 n/a
CVE-2006-0393                                                 n/a
CVE-2006-0883                                                 n/a
CVE-2006-4924                                                 n/a
CVE-2006-4925                                                 n/a
CVE-2006-5051                                                 3.5.0.19, 3.5.1.7, 3.6.0.2, 3.6.1.0
CVE-2006-5052                                                 n/a
CVE-2006-5229                                                 n/a
CVE-2006-5794                                                 n/a
CVE-2007-0726                                                 n/a
CVE-2007-2243                                                 n/a
CVE-2007-2768                                                 n/a
CVE-2007-3102                                                 n/a
CVE-2007-4654                                                 n/a
CVE-2007-4752                                                 n/a
CVE-2008-1483                                                 n/a
CVE-2008-1657                                                 n/a
CVE-2008-3234                                                 n/a
CVE-2008-3259                                                 n/a
CVE-2008-4109                                                 n/a
CVE-2008-5161                                                 3.7.1.12, 3.7.2.8, 3.7.3.7, 3.8.0.1, 3.8.1.0
CVE-2010-4478                                                 n/a
CVE-2010-4755                                                 n/a
CVE-2011-5000                                                 n/a
CVE-2012-0814                                                 n/a
CVE-2014-1692                                                 n/a
CVE-2014-2532                                                 n/a
CVE-2014-2653                                                 n/a
http://www.openssh.com/txt/portable-keysign-rand-helper.adv   n/a
anything specific to ChallengeResponseAuthentication          n/a
anything specific to GSSAPI                                   n/a
anything specific to JPAKE                                    n/a
anything specific to Mac OS X                                 n/a
anything specific to PAM                                      n/a
anything specific to SSHv1                                    n/a
anything specific to ssh-keysign                              n/a
anything specific to ssh-rand-helper                          n/a
anything specific to TCP forwarding                           n/a
anything specific to X forwarding                             n/a
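The following script is an added example, not part of the technote and not IBM code. It shows the two halves of the problem described above: parsing the RFC 4253 identification string the way a banner-matching scanner does, and then triaging a banner-derived finding against the vendor statement in the table rather than accepting it at face value. The table data is copied from the technote; the interpretation that each listed minimum applies to its own release train (first three version components) and that a train newer than every listed fix inherits the fix is an assumption of this example, as are the triage labels "false-positive", "upgrade-required", "verify" and "not-applicable".

```python
import re

# Identification string format from RFC 4253 section 4.2:
#   SSH-protoversion-softwareversion SP comments CR LF
_BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# CVE id -> fix information, copied from the technote table above.
# [] means "n/a": no firmware version was ever vulnerable.
# Otherwise the list holds the minimum fixed firmware for each release train.
VENDOR_STATEMENT = {
    "CVE-2006-5051": ["3.5.0.19", "3.5.1.7", "3.6.0.2", "3.6.1.0"],
    "CVE-2008-5161": ["3.7.1.12", "3.7.2.8", "3.7.3.7", "3.8.0.1", "3.8.1.0"],
}
for _cve in (
    "CVE-2004-2760", "CVE-2005-2666", "CVE-2005-2797", "CVE-2005-2798",
    "CVE-2006-0225", "CVE-2006-0393", "CVE-2006-0883", "CVE-2006-4924",
    "CVE-2006-4925", "CVE-2006-5052", "CVE-2006-5229", "CVE-2006-5794",
    "CVE-2007-0726", "CVE-2007-2243", "CVE-2007-2768", "CVE-2007-3102",
    "CVE-2007-4654", "CVE-2007-4752", "CVE-2008-1483", "CVE-2008-1657",
    "CVE-2008-3234", "CVE-2008-3259", "CVE-2008-4109", "CVE-2010-4478",
    "CVE-2010-4755", "CVE-2011-5000", "CVE-2012-0814", "CVE-2014-1692",
    "CVE-2014-2532", "CVE-2014-2653",
):
    VENDOR_STATEMENT[_cve] = []

# The technote also lists "anything <= CVE-2004-2069" as n/a.
_OLDEST_COVERED = (2004, 2069)


def parse_ssh_banner(line: str) -> dict:
    """Split an SSH identification string into its RFC 4253 parts plus the
    product/version split that banner-matching scanners rely on."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    info = m.groupdict()
    product, _, version = info["software"].partition("_")
    info["product"] = product   # e.g. "OpenSSH"
    info["version"] = version   # e.g. "3.8.1p1"; empty if there is no underscore
    return info


def _ver(s: str) -> tuple:
    return tuple(int(p) for p in s.split("."))


def firmware_is_fixed(firmware: str, minimums: list) -> bool:
    """True if the firmware carries the fix according to the vendor list.
    Same release train (first three components): compare against that minimum.
    Assumption (not stated on the page): a train newer than every listed fix
    inherits the fix."""
    if not minimums:
        return True
    fw = _ver(firmware)
    for m in minimums:
        mv = _ver(m)
        if fw[:3] == mv[:3]:
            return fw >= mv
    return all(fw > _ver(m) for m in minimums)


def _covered_by_catch_all(cve: str) -> bool:
    m = re.fullmatch(r"CVE-(\d{4})-(\d+)", cve)
    return bool(m) and (int(m.group(1)), int(m.group(2))) <= _OLDEST_COVERED


def triage_finding(banner: str, cve: str, firmware: str, statement=VENDOR_STATEMENT) -> str:
    """Classify a scanner finding that was raised from the banner alone."""
    info = parse_ssh_banner(banner)
    if info["product"] != "OpenSSH":
        return "not-applicable"   # the finding was matched against a different product
    if _covered_by_catch_all(cve):
        return "false-positive"
    if cve not in statement:
        return "verify"           # vendor has not addressed it; keep the finding open
    if firmware_is_fixed(firmware, statement[cve]):
        return "false-positive"
    return "upgrade-required"


if __name__ == "__main__":
    banner = "SSH-2.0-OpenSSH_3.8.1p1\r\n"   # the string the DataPower server sends
    for cve, fw in [("CVE-2008-1657", "6.0.0"),
                    ("CVE-2006-5051", "3.5.0.18"),
                    ("CVE-2006-5051", "4.0.2")]:
        print(cve, fw, "->", triage_finding(banner, cve, fw))
```

The point of the `triage_finding` split is that a banner match alone never decides the outcome: an identifier the vendor has not addressed stays open ("verify"), and one the vendor has addressed is closed only when the firmware actually running meets the stated minimum.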


Cross reference information
Segment | Product | Component | Platform | Version | Edition
Business Integration | WebSphere DataPower B2B Appliance XB60 | Not Applicable | Firmware | 4.0.2, 4.0.1, 5.0.0, 6.0.0 | Edition Independent
Business Integration | WebSphere DataPower B2B Appliance XB62 | Not Applicable | Firmware | 4.0.2, 4.0.1, 5.0.0, 6.0.0, 6.0.1.0 | Edition Independent
Business Integration | WebSphere DataPower Integration Appliance XI50 | Not Applicable | Firmware | 4.0.2, 4.0.1, 5.0.0, 6.0.0 | Edition Independent
Business Integration | WebSphere DataPower Integration Appliance XI52 | Not Applicable | Firmware | 4.0.2, 4.0.1, 5.0.0, 6.0.0, 6.0.1.0 | Edition Independent
Business Integration | WebSphere DataPower Integration Blade XI50B | Not Applicable | Firmware | 4.0.2, 4.0.1, 5.0.0, 6.0.0 | Edition Independent
Business Integration | WebSphere DataPower Low Latency Appliance XM70 | Not Applicable | Firmware | 4.0.1, 4.0.2, 5.0.0, 6.0.0 | Edition Independent
Business Integration | WebSphere DataPower Service Gateway XG45 | Not Applicable | Firmware | 4.0.2, 5.0.0, 6.0.0, 6.0.1.0 | Edition Independent
Business Integration | WebSphere DataPower XML Accelerator XA35 | Not Applicable | Firmware | 4.0.2, 4.0.1, 5.0.0 | Edition Independent
Business Integration | WebSphere DataPower XML Security Gateway XS40 | Not Applicable | Firmware | 4.0.2, 4.0.1, 5.0.0, 6.0.0 | Edition Independent
Business Integration | WebSphere DataPower Integration Appliance XI52 Virtual Edition | Not Applicable | VMware ESXi, VMware ESX | 5.0.0, 6.0.0, 6.0.1.0 | Edition Independent
Business Integration | WebSphere DataPower Service Gateway XG45 Virtual Edition | Not Applicable | VMware ESXi, VMware ESX | 5.0.0, 6.0.0, 6.0.1.0 | Edition Independent


Document information


More support for:

WebSphere DataPower SOA Appliances
General

Software version:

4.0.1, 4.0.2, 5.0.0, 6.0.0, 6.0.1, 7.0.0

Operating system(s):

Firmware

Software edition:

Edition Independent

Reference #:

1320061

Modified date:

2014-07-11
