[talk] PCI scan and SSHD false positive

George Rosamond george at ceetonetechnology.com
Tue Sep 1 16:21:19 EDT 2015


I have a box that failed a PCI scan solely based on the recent SSHD
vulnerabilities CVS-2014-2653.

Needless to say, the box, running FreeBSD 10.2-stable r287217 is not
vulnerable, as 10.2 vulnerabilities only affected up to r285978, plus
PAM is disabled, no DNSSEC, no passwd auth, etc.

However, since the SSHD version is OpenSSH_6.6.1p1, and 6.6 is affected,
scanners determine it's vulnerable.

I saw a Reddit thread about this in relation to pfSense, and the results
are the same.  It's a patched version of SSHD, and the stupid scanners
only determine pass/fail based on version.

I am having a hard time conveying this to the PCI scanner through the
client.  I assume every box not running SSH 6.7 is deemed vulnerable,
since that's all these people are looking for.

How have people dealt with this?

g




More information about the talk mailing list