Serv-U False positive (wrongly identified as SSH)

Question asked by Peter Kruty on Jul 17, 2014
Latest reply on Jul 24, 2014 by Craig Kagawa

Qualys wrongly identifies Serv-U as SSH Secure Shell. The vulnerability is for a completely different product. Here is the CVE for the vulnerability:

http://www.cvedetails.com/cve/CVE-2002-1644/

We have a FAQ describing the problem: http://www.serv-u.com/kb/2147/False-SSH-Security-Warning

In short:

Serv-U identifies itself to SSH clients as "SSH-2.0-Serv-U_15". The first part tells clients to use version 2 of the SSH protocol. The last part identifies the server software and version. Certain security tools or firms interpret this string as identifying the software as SSH Secure Shell v2, but the security warning which is issued is a false positive.

Serv-U does not use the incorrectly identified version of SSH, and using Serv-U poses no security threat.
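
The banner layout described in the post, as an added example that is not part of the original post and is not Serv-U or Qualys code: it splits an SSH identification line into protocol and software fields and matches a product against the software field only. The function names, the underscore product/version convention and the OpenSSH sample line are assumptions of this example.

```python
# SSH identification line layout: SSH-protoversion-softwareversion [SP comments]

def parse_ident(line):
    """Split an SSH identification line into its fields."""
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        raise ValueError("not an SSH identification line")
    ident, _, comments = line.partition(" ")
    # Only the first two hyphens are treated as delimiters, so the hyphen
    # inside "Serv-U_15" stays in the software field (choice of this example).
    parts = ident.split("-", 2)
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("missing protocol or software field")
    _, proto, software = parts
    # Assumed convention: product and version are joined by the last underscore.
    product, _, version = software.rpartition("_")
    if not product:
        product, version = software, ""
    return {"protocol": proto, "software": software,
            "product": product, "version": version, "comments": comments}

def naive_product_guess(line):
    """The misreading described in the post: protocol prefix taken as product."""
    return "SSH Secure Shell v2" if line.startswith("SSH-2.0") else "unknown"

def product_matches(line, expected_product):
    """Compare a product name against the software field only."""
    return parse_ident(line)["product"].lower() == expected_product.lower()

if __name__ == "__main__":
    samples = [
        "SSH-2.0-Serv-U_15\r\n",            # banner quoted in the post
        "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3",   # constructed sample with comments
    ]
    for s in samples:
        f = parse_ident(s)
        print(f["protocol"], f["product"], f["version"],
              "| naive guess:", naive_product_guess(s),
              "| is SSH Secure Shell:", product_matches(s, "SSH Secure Shell"))
```
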