Leon DuPree

IBM Claims False Positive for SSH vulnerability on Data Power?

Discussion created by Leon DuPree on Jan 5, 2015

IBM has claimed that the Qualys Scan for SSH is a false positive on its Data Power Systems because of interoperability.

It is important if anyone has documentation concerning this. Need proof in order to say it is a false positive.

IBM documentation below

 

IBM Inaccurate information about SSH vulnerabilities from security scanners - United States

Technote (FAQ)


Question

Why does a security scan of my DataPower appliance say that its SSH server has security vulnerabilities?

Cause

Most security scanners look for active SSH ports and attempt to find vulnerabilities on the device being scanned. A combination of factors can make this result in false positives.

Answer

The SSH protocol requires that servers identify themselves with a version string. The version string is used by SSH client software to set a variety of compatibility and bug workaround behaviors. The DataPower SSH server identifies itself with the following string:

SSH-2.0-OpenSSH_3.8.1p1

Changing that string could cause interoperability issues and prevent some clients from being able to connect to the DataPower appliance's SSH server. For maximum interoperability the DataPower firmware uses an old version string even though it has actually been kept up to date with relevant patches for security vulnerabilities that have arisen since the indicated version.

Many security scanners report SSH vulnerabilities based solely on the contents of this string without actually probing for whether the vulnerability in question is really present. The result is a false positive.

Despite what these security scanners may say (based solely on this version string) the DataPower firmware is not vulnerable to any of the following security vulnerabilities. A Minimum Firmware version of "n/a" indicates that no firmware version was ever vulnerable.

 

| Vulnerability Identifier | Minimum Firmware Version |
|---|---|
| anything <= CVE-2004-2069 | n/a |
| CVE-2004-2760 | n/a |
| CVE-2005-2666 | n/a |
| CVE-2005-2797 | n/a |
| CVE-2005-2798 | n/a |
| CVE-2006-0225 | n/a |
| CVE-2006-0393 | n/a |
| CVE-2006-0883 | n/a |
| CVE-2006-4924 | n/a |
| CVE-2006-4925 | n/a |
| CVE-2006-5051 | 3.5.0.19, 3.5.1.7, 3.6.0.2, 3.6.1.0 |
| CVE-2006-5052 | n/a |
| CVE-2006-5229 | n/a |
| CVE-2006-5794 | n/a |
| CVE-2007-0726 | n/a |
| CVE-2007-2243 | n/a |
| CVE-2007-2768 | n/a |
| CVE-2007-3102 | n/a |
| CVE-2007-4654 | n/a |
| CVE-2007-4752 | n/a |
| CVE-2008-1483 | n/a |
| CVE-2008-1657 | n/a |
| CVE-2008-3234 | n/a |
| CVE-2008-3259 | n/a |
| CVE-2008-4109 | n/a |
| CVE-2008-5161 | 3.7.1.12, 3.7.2.8, 3.7.3.7, 3.8.0.1, 3.8.1.0 |
| CVE-2010-4478 | n/a |
| CVE-2010-4755 | n/a |
| CVE-2011-5000 | n/a |
| CVE-2012-0814 | n/a |
| CVE-2014-1692 | n/a |
| CVE-2014-2532 | n/a |
| CVE-2014-2653 | n/a |
| http://www.openssh.com/txt/portable-keysign-rand-helper.adv | n/a |
| anything specific to ChallengeResponseAuthentication | n/a |
| anything specific to GSSAPI | n/a |
| anything specific to JPAKE | n/a |
| anything specific to Mac OS X | n/a |
| anything specific to PAM | n/a |
| anything specific to SSHv1 | n/a |
| anything specific to ssh-keysign | n/a |
| anything specific to ssh-rand-helper | n/a |
| anything specific to TCP forwarding | n/a |
| anything specific to X forwarding | n/a |

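The triage described in the quoted technote can be scripted. The following is an added example, not part of the original post or IBM's documentation: it parses the identification string and checks a banner-only finding against three rows copied from the table above. The function names, the result labels and the reading of a multi-version cell (each entry is the first fixed level of its x.y.z branch, and anything newer than the last entry is fixed) are assumptions.

```python
import re

# Identification string layout (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion SP comments
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>[^\s]+)(?: (?P<comments>.*))?$")

# Rows copied from the technote's table. None stands for "n/a":
# no firmware version was ever vulnerable.
VENDOR_TABLE = {
    "CVE-2006-5051": ["3.5.0.19", "3.5.1.7", "3.6.0.2", "3.6.1.0"],
    "CVE-2008-5161": ["3.7.1.12", "3.7.2.8", "3.7.3.7", "3.8.0.1", "3.8.1.0"],
    "CVE-2014-2653": None,
}

def parse_banner(line):
    """Split an SSH identification string into its fields, or return None."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None

def _v(text):
    """Turn a dotted firmware level such as '3.5.0.19' into a comparable tuple."""
    return tuple(int(p) for p in text.split("."))

def firmware_is_fixed(firmware, minimums):
    """Assumed reading: each entry is the first fixed level of its x.y.z branch."""
    fw = _v(firmware)
    fixes = sorted(_v(m) for m in minimums)
    for fix in fixes:
        if fix[:3] == fw[:3]:
            return fw >= fix
    # Branch not listed: treat as fixed only if newer than the newest listed fix.
    return fw > fixes[-1]

def triage(banner, firmware, cve):
    """Classify a scanner finding that was raised from the version string alone."""
    if parse_banner(banner) is None:
        return "invalid-banner"
    if cve not in VENDOR_TABLE:
        return "not-in-technote"  # needs a real probe or a vendor statement
    minimums = VENDOR_TABLE[cve]
    if minimums is None or firmware_is_fixed(firmware, minimums):
        return "false-positive-per-vendor"
    return "upgrade-required"
```

The firmware level has to come from the appliance itself, since the banner stays at SSH-2.0-OpenSSH_3.8.1p1 regardless of patch level.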