[talk] PCI scan and SSHD false positive

George Rosamond george at ceetonetechnology.com
Wed Sep 2 10:56:24 EDT 2015


Brian Coca:
> George,
> 
> Normally you get to do a remediation report on the audits. I have
> used these to point out 'This is a false positive' and linked to
> proper docs and actual exploit tests; then in the next 'round', the
> scanner is supposed to be updated to avoid the false positive.

Yes, that is what I did, and it was rejected.

> 
> This is my experience, mostly tied to financial/big corp; smaller
> 'security' shops might not have their feedback formalized. Also I've
> dealt mostly with very bad auditors w/o much tech knowledge, just
> check boxes to fill. That said ....

It's a good point to note the type of firm doing the audit.

You would assume lots of hosts are running OpenSSH patched versions, not
just FreeBSD, and they clearly haven't experienced that.

> 
> My advice is to look at CVE, point out any discrepancies (no mention
> of BSD?) and ask to see successful exploit test, not only version
> checking. Also links to 'official' BSD advisories pointing out the
> versions (or lack thereof) affected by the vulnerability. The more
> docs you push to them that look 'official' the less they'll push back.
> 

Ha.. yeah!  An exploit test or a version check?  I think it would be
asking way too much to actually get an exploit test.  If they did, it
would have been a closed case even before the box was updated to the
OpenSSH patched version.

The FreeBSD sec advisory was sent to them... and I noted in detail why
we weren't affected.

> Sadly most audits I've seen are blind 'runapp (nessus, metasploit,
> etc) => pdf with logo => $$$$ => repeat' with little to no thought
> involved other than making sure it is billable.
> But, good or bad, auditors normally respond to documentation, as much
> as possible and as 'official' as possible (mailing list ==  bad,
> website with advisory and a logo  == good).

Thanks for the feedback Brian, and also the offlist people.

I think Nessus is beyond these auditors though.  I can't imagine this is
anything more than version checks, SSLLab.com results, etc.

g
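Added example (editor's illustration, not code from this thread or from FreeBSD): the check the scanner in question appears to do is a comparison of the OpenSSH version in the SSH identification string against a "fixed in" version. That is exactly the check that misfires on a FreeBSD base-system sshd, because FreeBSD ships security fixes as patch levels of the release (the "Corrected" lines in an FreeBSD-SA) without moving the upstream OpenSSH version in the banner. The script below parses the RFC 4253 identification string, reproduces the banner-only check, then parses `freebsd-version -u` style strings so the flag can be resolved against the advisory's corrected patch level. Every banner, the "fixed in" threshold (7.0.0) and the patch levels (10.1-RELEASE-p17/-p19/-p12) are constructed placeholders and are not tied to any particular CVE or advisory; the vendor-tag list (FreeBSD, Debian, Ubuntu) is a heuristic, and a banner with no vendor tag does not prove the host is unpatched.

```python
"""Banner-only SSH version checks vs. vendor patch levels (illustrative example)."""
import re
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(\d\.\d+)-(\S+)(?:[ \t]+(.*))?$")
# OpenSSH software version; tolerates the portable "p1" and FreeBSD "_hpn..." suffixes
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?")
# Heuristic: comments that identify a vendor known to backport fixes without
# bumping the upstream version (FreeBSD base system: "FreeBSD-YYYYMMDD").
VENDOR_RE = re.compile(r"^(FreeBSD|Debian|Ubuntu)\b")
# Userland version as printed by `freebsd-version -u`, e.g. "10.1-RELEASE-p19"
FREEBSD_VER_RE = re.compile(r"^(\d+)\.(\d+)-([A-Za-z0-9]+)(?:-p(\d+))?$")


class Banner(NamedTuple):
    proto: str
    software: str
    comment: str
    version: Optional[Version]
    vendor: Optional[str]


def parse_banner(line: str) -> Banner:
    """Split an SSH identification string into its RFC 4253 fields."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto, software, comment = m.group(1), m.group(2), m.group(3) or ""
    ver = None
    vm = OPENSSH_RE.match(software)
    if vm:
        ver = (int(vm.group(1)), int(vm.group(2)), int(vm.group(3) or 0))
    cm = VENDOR_RE.match(comment)
    return Banner(proto, software, comment, ver, cm.group(1) if cm else None)


def naive_version_flag(banner: Banner, fixed_in: Version) -> bool:
    """What a banner-only scanner does: flag when reported version < fixed_in."""
    return banner.version is not None and banner.version < fixed_in


def parse_freebsd_version(s: str) -> Tuple[int, int, str, int]:
    """'10.1-RELEASE-p19' -> (10, 1, 'RELEASE', 19); a missing -pN means patch 0."""
    m = FREEBSD_VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"not a FreeBSD version string: {s!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4) or 0)


def freebsd_patched(installed: str, corrected_in: str) -> bool:
    """True if the installed userland is at or past the advisory's
    'Corrected' patch level. Only meaningful on the same branch."""
    i, c = parse_freebsd_version(installed), parse_freebsd_version(corrected_in)
    if i[:3] != c[:3]:
        raise ValueError("different branches; use that branch's corrected level")
    return i[3] >= c[3]


def triage(banner_line: str, fixed_in: Version,
           installed_fbsd: Optional[str] = None,
           corrected_fbsd: Optional[str] = None) -> str:
    """Resolve the scanner's version flag against evidence an auditor should accept.
    Returns: 'not-flagged', 'flagged-upstream' (no backporting vendor in banner),
    'flagged-unverified' (vendor backports, no patch level given),
    'false-positive' (patch level >= corrected) or 'confirmed' (patch level < corrected)."""
    b = parse_banner(banner_line)
    if not naive_version_flag(b, fixed_in):
        return "not-flagged"
    if b.vendor is None:
        return "flagged-upstream"
    if b.vendor == "FreeBSD" and installed_fbsd and corrected_fbsd:
        return "false-positive" if freebsd_patched(installed_fbsd, corrected_fbsd) else "confirmed"
    return "flagged-unverified"


if __name__ == "__main__":
    # Constructed banners, threshold and patch levels, for illustration only.
    fbsd = "SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420"
    for args in [(fbsd, (7, 0, 0)),
                 (fbsd, (7, 0, 0), "10.1-RELEASE-p19", "10.1-RELEASE-p17"),
                 (fbsd, (7, 0, 0), "10.1-RELEASE-p12", "10.1-RELEASE-p17"),
                 ("SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13", (7, 0, 0)),
                 ("SSH-2.0-OpenSSH_6.6.1", (7, 0, 0)),
                 ("SSH-2.0-OpenSSH_7.1", (7, 0, 0))]:
        print(args[0], "->", triage(*args))
```

On a real host the banner is the first line sshd sends (`nc host 22` or `ssh -v`), the installed level comes from `freebsd-version -u`, and the corrected level is the `-pN` value listed under "Corrected" in the FreeBSD security advisory for the release branch. The point for the audit report is the 'false-positive' branch: the banner-only check fires, the patch level shows the fix is present, and the advisory is the "official" document that ties the two together.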
