Hi all,
First time post.
Trying to resolve this so as not to show on vulnerability scanner as being open.
Server has been flagged by an interested third party with above two CVEs relating to OpenSSH.
CVE-2024-6387 OpenSSH SSHD Security Regression CVE-2024-39894. Information I have indicates it was patched in July 2024. I read that this fix may have been undone by a subsequent patch. Machine is currently patched to current updates. Only way to move past OpenSSH_9.6p1 is to download a tgz and create another service. Then I will break the patching mechanism. Any thoughts gratefully received.
Welcome. Let's see if we can get this sorted.
Hmmm…
-
How did you determine that your scanner is not showing a false positive?
Or are you asking us to refute the positive result?
(If so, see CVE-2024-6387 | Ubuntu and https://ubuntu.com/security/CVE-2024-39894 .)
If your scanner is showing a positive result after installing the patched package, that's usually a false positive. False positives are most commonly a scanner issue, and cannot be fixed by Ubuntu. They must be fixed by the scanner vendor.
-
Let's double-check that.
Please show us the complete output of
apt list openssh-client openssh-server
-
I'm assuming you have read https://ubuntu.com/security/cves/about#security
Particularly (emphasis ours):
Update manually
You can also get patches as soon as they become available by upgrading all your installed packages to the latest version. You can do this by running the following command in your terminal:
sudo apt update && sudo apt upgrade
We recommend not to cherry-pick updates from individual packages. If no fix is available yet for a specific CVE, you can check if there is any mitigation or further information in the notes of the CVE page.
Thank you for your reply. I will digest this.
Here is the easiest reply, first.
root@localhost:~# apt list openssh-client openssh-server
Listing... Done
openssh-client/noble-updates,noble-security,now 1:9.6p1-3ubuntu13.11 amd64 [installed,automatic]
openssh-server/noble-updates,noble-security,now 1:9.6p1-3ubuntu13.11 amd64 [installed]
Okay, let's take these one at a time.
CVE-2024-39894 | Ubuntu :
Your installed version is 1:9.6p1-3ubuntu13.11, which is higher (newer) than 1:9.6p1-3ubuntu13.4, which means you have that patch already.
If your scanner says it's vulnerable, that looks like a false positive.
https://ubuntu.com/security/CVE-2024-6387 :
Your installed version is 1:9.6p1-3ubuntu13.11, which is higher (newer) than 1:9.6p1-3ubuntu13.3, which again means you have that patch already.
If your scanner says it's vulnerable, that looks like another false positive.
It's occasionally possible that there might be something unusual going on that requires further investigation, but that's very rare, and would usually be mentioned on the linked CVE pages.
For something widely installed like an ssh server, that kind of "something unusual" (like a CVE marked "fix" that actually isn't fixed) would show up in the trade press. A lot of people would care about that. I haven't seen anything like that in the press recently.
False positives from scanners, though, are very common. Again, false positives cannot be "fixed" by Ubuntu (it's not vulnerable! It's fixed!) — those are issues with the scanner.
Does that help?
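The version comparison in the answer above is the whole check: is the installed Debian package version at or above the version the CVE page lists as fixed? The added example below (not from the thread or from Ubuntu; on a real Ubuntu host the same check is `dpkg --compare-versions 1:9.6p1-3ubuntu13.11 ge 1:9.6p1-3ubuntu13.4`) reimplements the dpkg version-ordering rules in Python so it runs anywhere, and applies them to the installed version and the two fixed-in versions quoted in the thread. It also shows why a tool that compares version strings lexically gets this case wrong: as text, "13.11" sorts before "13.4", which is exactly the kind of mistake that produces a false positive on a patched server. The CVE-to-version table is taken from the thread; the function names are assumptions.

```python
import re

# Debian/dpkg version ordering, reimplemented here for illustration
# (assumed equivalent to `dpkg --compare-versions`; not Ubuntu's code).
#
# A version looks like [epoch:]upstream[-revision]. Each of upstream and
# revision is compared as alternating runs of non-digits and digits:
# non-digit runs compare character by character with '~' sorting before
# everything (even the end of the string), letters before punctuation;
# digit runs compare numerically, so "13.11" > "13.4".

_TOKEN = re.compile(r"(\D*)(\d*)")  # (non-digit run, digit run) pairs


def _order(c):
    """dpkg's character weight for non-digit runs; end-of-string is 0."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        wa = _order(a[i]) if i < len(a) else 0
        wb = _order(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream version or a Debian revision string."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    n = max(len(ta), len(tb))
    ta += [("", "")] * (n - len(ta))
    tb += [("", "")] * (n - len(tb))
    for (sa, da), (sb, db) in zip(ta, tb):
        r = _cmp_nondigit(sa, sb)
        if r:
            return r
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def parse_version(v):
    """Split '1:9.6p1-3ubuntu13.11' into (1, '9.6p1', '3ubuntu13.11')."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_fixed(installed, fixed_in):
    """True when the installed package is at or above the fixed-in version."""
    return compare_versions(installed, fixed_in) >= 0


def naive_string_says_fixed(installed, fixed_in):
    """What a scanner that compares versions as plain text would conclude."""
    return installed >= fixed_in


# Values quoted in the thread: installed version from `apt list`, fixed-in
# versions from the two Ubuntu CVE pages.
INSTALLED = "1:9.6p1-3ubuntu13.11"
FIXED_IN = {
    "CVE-2024-39894": "1:9.6p1-3ubuntu13.4",
    "CVE-2024-6387": "1:9.6p1-3ubuntu13.3",
}


def audit(installed=INSTALLED, table=FIXED_IN):
    """Map each CVE to (dpkg-correct verdict, naive string verdict)."""
    return {cve: (is_fixed(installed, v), naive_string_says_fixed(installed, v))
            for cve, v in table.items()}


if __name__ == "__main__":
    for cve, (correct, naive) in audit().items():
        print(f"{cve}: dpkg ordering says fixed={correct}, "
              f"lexical ordering says fixed={naive}")
```

Both CVEs come out fixed under dpkg ordering, while the lexical comparison reports both as unfixed, because "3ubuntu13.11" < "3ubuntu13.4" as text. When a scanner disagrees with `dpkg --compare-versions` on a package whose changelog (`apt changelog openssh-server`) names the CVE, the scanner's version parsing is the first thing to question.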
Thank you @ian-weisser sir!
That does give me more confidence. It was flagged by our insurer. We are now aware that this demonstrates that at least two different commercial vulnerability scanners are showing a false positive.
Try using an OVAL compliant scanner: