openSSH and nessus ID 86122 (OpenSSH MaxAuthTries Bypass)

Hello,

Recently a server maintained by me which was running openSUSE 13.2 was banned by campus security of our organisation due to an apparent vulnerability with Nessus ID 86122. A Google search revealed that this ID refers to a vulnerability that allows brute force attacks on the SSH server (https://www.tenable.com/plugins/index.php?view=single&id=86122). As a fix it is recommended to upgrade the OpenSSH version to 7.0 or higher. I upgraded the openSUSE version to openSUSE Leap but it also contains OpenSSH 6.6 which is still considered vulnerable. I tried to find a corresponding RPM for higher versions but there seem to be none that would work with openSUSE. I then tried to compile version 7.1 from source code which, after some trial and error in configuring, resulted in apparent success. However, checking the versions of ssh and sshd, I have seen that the former was indeed updated to 7.1 whereas the latter was still 6.6.
Does anyone have an idea how it is possible to get OpenSSH 7.0+ working on openSUSE as a daemon (sshd)? Did I mess something up during the compilation?
Since this vulnerability is considered to be a high-degree risk, I wonder whether openSUSE developers plan to upgrade the OpenSSH version in any further stable release.
Does anyone have an idea how to fix this issue?

Konstl

Hi
You need to check the CVE reference the scanner is reporting about, since it would appear they just check the version (not the vulnerability), and then look at the changelog for openssh. In most cases fixes are backported, rather than just adding the next release.

For example the latest CVEs for openssh are already addressed and released;
https://forums.opensuse.org/forumdisplay.php/666-Security-Announcements

Hm, the CVE for this issue is CVE-2015-5600. I looked for it in the security update section but could not find any mention of it. Is there a way to figure out whether it was fixed? I found some references to SUSE server versions for which this bug was fixed but none for openSUSE. Can one then conclude that this issue was actually never an issue for openSUSE, or that it was at least fixed for openSUSE as well since Norell knew of that? Or can it still be a real problem?

It was fixed, I remember seeing the update. But it was a backport and some testing software only looks at the version number, not the fixes. There should be a patch log some place but I don’t know where it is located.

Hi
Just put the reference into openSUSE Bugzilla :wink:
https://bugzilla.opensuse.org/show_bug.cgi?id=CVE-2015-5600

Else check via rpm;


rpm -qa --changelog |grep "CVE-2015-5600"
    once per login (CVE-2015-5600/bsc#938746)
    once per login (CVE-2015-5600/bsc#938746)

Norell? You mean SUSE or Microfocus…?

Novell not Norell - my bad. I mean SUSE. I found the second link you posted but since there was no mention of openSUSE I was not sure whether it says anything about it. Is it safe to assume that generally everything that is patched for SUSE is patched for openSUSE as well?

Thanks for your help.

Hi
Now that Leap tracks with SLE, then it’s a pretty good assumption that fixes are included, but the rpm query will help. There is also a security Mailing List which you can follow;
https://en.opensuse.org/Communicate
http://lists.opensuse.org/opensuse-security-announce/

Plus a sub forum here: https://forums.opensuse.org/forumdisplay.php/666-Security-Announcements

For older versions, e.g. openSUSE 13.2, check the rpm changelog.

So if you get a hit like that again, you should be able to provide enough info back to the Security Team that all is ok, and that if they really want to check, they should use an actual test rather than a look at version numbers :wink:
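The version-only check the scanner does versus the rpm changelog check suggested above, as an added example (not code from the thread or from openSUSE). The changelog text is constructed to resemble the CVE-2015-5600/bsc#938746 lines quoted earlier; the maintainer address and dates are placeholders, and the major.minor comparison is an assumed model of how a version-based plugin reasons.

```python
import re
from dataclasses import dataclass, field

# `rpm -q --changelog` entry header: "* Tue Jul 28 2015 someone@example.invalid"
HEADER_RE = re.compile(r"^\*\s+(\w{3} \w{3} +\d{1,2} \d{4})\s+(\S+)")

@dataclass
class Entry:
    date: str
    author: str
    lines: list = field(default_factory=list)

def parse_rpm_changelog(text):
    """Split changelog output into entries; wrapped continuation lines are
    folded into the preceding '- ' item so a CVE id on the wrapped part is kept."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
        elif entries and raw.strip():
            item = raw.strip()
            if item.startswith("- ") or not entries[-1].lines:
                entries[-1].lines.append(item.lstrip("- "))
            else:  # continuation of the previous item
                entries[-1].lines[-1] += " " + item
    return entries

def changelog_fixes(entries, cve):
    """Return (date, author, item) for every changelog item naming `cve`."""
    return [(e.date, e.author, item) for e in entries for item in e.lines
            if cve.upper() in item.upper()]

def version_flags_vulnerable(installed, fixed_in):
    """Assumed scanner heuristic: compare major.minor only ("6.6p1" -> (6, 6))."""
    def key(v):
        return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)", v).groups())
    return key(installed) < key(fixed_in)

# Constructed sample changelog (placeholder dates and address, not real data).
SAMPLE_CHANGELOG = """\
* Tue Jul 28 2015 maintainer@example.invalid
- Restrict keyboard-interactive authentication to one password prompt
  once per login (CVE-2015-5600/bsc#938746)
- Apply an unrelated build fix
* Mon Mar 23 2015 maintainer@example.invalid
- Update to 6.6p1
"""

def assess(installed, fixed_in, cve, changelog=SAMPLE_CHANGELOG):
    """'backported' when the version looks old but the changelog names the CVE."""
    if not version_flags_vulnerable(installed, fixed_in):
        return "fixed-upstream"
    hits = changelog_fixes(parse_rpm_changelog(changelog), cve)
    return "backported" if hits else "vulnerable"
```

Running `assess("6.6p1", "7.0", "CVE-2015-5600")` against the sample returns "backported", which is the evidence to hand back to a security team that only compared version strings.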

OK, thank you again. I will use these links in future.