[BlueOnyx:27049] Re: PCI problem with OpenSSH
Michael Stauber
mstauber at blueonyx.it
Fri Jun 14 02:23:52 -05 2024
Hi Michael,
> I have a server that needs to pass a PCI Compliance scan. It passes
> everything except an issue with OpenSSH that I am not sure how to mitigate.
>
> The results show that the CVE ID is CVE-2020-15778
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778
>
> The threat description is:
>
> OpenSSH (OpenBSD Secure Shell) is a set of computer programs
> providing encrypted communication sessions over a computer network
> using the SSH protocol.
>
> OpenSSH contains the following vulnerabilities:
> OpenSSH through 8.3p1 allows command injection in the scp.c toremote
> function, as demonstrated by backtick characters in the destination
> argument. NOTE: the vendor reportedly has stated that they
> intentionally omit validation of "anomalous argument transfers"
> because that could "stand a great chance of breaking existing
> workflows. Affected Versions:
> OpenSSH versions prior to 8.3
>
> Anyone know if this can be fixed on a 5210R so it passes PCI Compliance?
See: https://nvd.nist.gov/vuln/detail/CVE-2020-15778 - which offers a
better overview than the legacy site mitre.org.
[root at 5210r ~]# rpm -q openssh-server --changelog|grep CVE-2020-15778
- Providing a kill switch for scp to deal with CVE-2020-15778
Or in more detail:
* Tue Feb 06 2024 Dmitry Belyavskiy <dbelyavs at redhat.com> - 8.0p1-24
- Providing a kill switch for scp to deal with CVE-2020-15778
Resolves: RHEL-22870
Also see: https://access.redhat.com/errata/RHSA-2024:3166
On a RHEL system (or clone like AlmaLinux) the version number doesn't
indicate if a problem was fixed (or not). RedHat mostly keeps the
version numbers of RPMs the same during most (if not all) of the
lifecycle of the OS.
They port back fixes and bump the release number. The changelog of the
RPMs and the RedHat errata (see link above) indicate what was fixed when
and in what version.
Security scanners that just check the version number of installed
software are worthless.
On a current and fully updated 5210R you should have this version of
OpenSSH:
[root at 5210r ~]# rpm -q openssh-server
openssh-server-8.0p1-24.el8.x86_64
And that's fixed.
To get the fools with their noobish PCI Compliance scanner off your back
you might want to use APF or Firewalld to close port 22/TCP and then
just open it up for the IP address or IP address ranges that you
yourself use it from.
That way? When they come again and rattle your cage, nothing will answer
them on the SSH port and they have nothing to complain about.
--
With best regards
Michael Stauber
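As an added example (not from Michael's post or from BlueOnyx), the check the post does by hand: find the `rpm -q --changelog` entry that names the CVE and compare its version-release against the installed package, so a backported fix is recognised even though the upstream version string (8.0p1) never changes. The changelog text and installed NVRA below are constructed samples, and the version comparison is a simplified rpmvercmp.

```python
"""Decide whether an installed RPM carries a backported CVE fix (added example)."""
import re
from typing import Optional

# Constructed sample in `rpm -q --changelog` format, newest entry first.
SAMPLE_CHANGELOG = """\
* Tue Feb 06 2024 Dmitry Belyavskiy <dbelyavs at redhat.com> - 8.0p1-24
- Providing a kill switch for scp to deal with CVE-2020-15778
  Resolves: RHEL-22870
* Mon Jan 15 2024 Example Maintainer <maint at example.invalid> - 8.0p1-23
- Unrelated fix (constructed entry)
"""
# Header line ends in " - <version>-<release>"; greedy .+ leaves the last " - ".
HEADER = re.compile(r"^\* .+ - (?P<evr>\S+)$", re.MULTILINE)

def _segments(s: str):
    # rpmvercmp style: compare alternating runs of digits and letters
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a: str, b: str) -> int:
    """Simplified rpm version compare: digits numerically, letters lexically."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alpha
        if x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def fixing_evr(changelog: str, cve: str) -> Optional[str]:
    """Return the oldest version-release whose entry mentions the CVE."""
    found = None
    for block in re.split(r"(?m)^(?=\* )", changelog):
        m = HEADER.match(block)
        if m and cve in block:
            found = m.group("evr")        # newest first, so keep the last hit
    return found

def is_fixed(installed_nvra: str, name: str, changelog: str, cve: str) -> bool:
    """installed_nvra like 'openssh-server-8.0p1-24.el8.x86_64'."""
    evr = fixing_evr(changelog, cve)
    if evr is None:
        return False
    fix_ver, fix_rel = evr.split("-")
    ver, rel_arch = installed_nvra[len(name) + 1:].split("-", 1)
    rel = rel_arch.rsplit(".", 1)[0]       # drop the architecture suffix
    c = vercmp(ver, fix_ver)
    return c > 0 or (c == 0 and vercmp(rel, fix_rel) >= 0)
```

On a real host, feed it the output of `rpm -q openssh-server` and `rpm -q openssh-server --changelog` instead of the constructed samples.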