[talk] PCI scan and SSHD false positive
George Rosamond
george at ceetonetechnology.com
Tue Sep 1 16:21:19 EDT 2015
I have a box that failed a PCI scan solely based on the recent SSHD
vulnerabilities CVE-2014-2653.
Needless to say, the box, running FreeBSD 10.2-stable r287217 is not
vulnerable, as 10.2 vulnerabilities only affected up to r285978, plus
PAM is disabled, no DNSSEC, no passwd auth, etc.
However, since the SSHD version is OpenSSH_6.6.1p1, and 6.6 is affected,
scanners determine it's vulnerable.
I saw a Reddit thread about this in relation to pfSense, and the results
are the same. It's a patched version of SSHD, and the stupid scanners
only determine pass/fail based on version.
I am having a hard time conveying this to the PCI scanner through the
client. I assume every box not running SSH 6.7 is deemed vulnerable,
since that's all these people are looking for.
How have people dealt with this?
g
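The pass/fail logic the post describes, as an added example that is not part of the original post and is not code from any scanner, FreeBSD or OpenSSH: a banner-matching check that fails every OpenSSH release below the upstream fix version, beside an operator-side check that also honours a distributor patch tag the operator has verified against the vendor advisory. Every banner, the `_hpn13v11` suffix, the `FreeBSD-20150824` tag and the `20150801` backport floor are constructed or hypothetical values chosen to make the comparison visible; the real floor date must come from the advisory.

```python
"""Banner-based vulnerability checks versus vendor backports.

Added example, not from the original post. Shows why a scanner that derives
pass/fail from the OpenSSH version banner alone flags patched builds, and
how an operator can record the extra evidence (vendor patch tag) that the
banner still carries. All banners and dates are constructed sample data.
"""
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Identification string shape: "SSH-2.0-OpenSSH_<ver>[p<n>][_suffix] [<vendor>-<tag>]"
BANNER_RE = re.compile(
    r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?(?:_\S*)?"
    r"(?:\s+(\S+?)(?:-(\S+))?)?$"
)


class Banner(NamedTuple):
    version: Tuple[int, int, int]   # upstream OpenSSH release, e.g. (6, 6, 1)
    vendor: Optional[str]           # distributor string after the space, e.g. "FreeBSD"
    tag: Optional[str]              # distributor's own patch tag, e.g. "20150824"


def parse_banner(line: str) -> Banner:
    """Split an OpenSSH banner into upstream version, vendor and vendor tag."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSH banner: %r" % line)
    major, minor, patch, vendor, tag = m.groups()
    return Banner((int(major), int(minor), int(patch or 0)), vendor, tag)


# Upstream release the scanner treats as the fix; 6.7 is the version named in
# the post, (6, 7, 0) is just this example's tuple encoding of it.
UPSTREAM_FIX: Tuple[int, int, int] = (6, 7, 0)


def version_only_verdict(line: str) -> str:
    """What a banner-matching scanner does: anything below the upstream fix fails."""
    return "PASS" if parse_banner(line).version >= UPSTREAM_FIX else "FAIL"


def evidence_aware_verdict(line: str, backports: Dict[str, str]) -> str:
    """Same banner, but accept a vendor build whose date tag is at or past the
    floor the operator verified from the vendor advisory.
    `backports` maps vendor name -> earliest acceptable YYYYMMDD tag."""
    b = parse_banner(line)
    if b.version >= UPSTREAM_FIX:
        return "PASS"
    floor = backports.get(b.vendor or "")
    # Only compare same-length all-digit date tags; anything else is not evidence.
    if floor and b.tag and b.tag.isdigit() and len(b.tag) == len(floor) and b.tag >= floor:
        return "PASS (vendor backport)"
    return "FAIL"


# Constructed sample banners (not captures from any real host).
SAMPLE_BANNERS = {
    "freebsd_patched": "SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20150824",
    "old_unpatched":   "SSH-2.0-OpenSSH_6.6.1p1",
    "upstream_fixed":  "SSH-2.0-OpenSSH_6.7p1 Debian-5",
}

# Hypothetical floor: pretend the advisory says FreeBSD builds tagged
# 20150801 or later carry the backported fix. Replace with the real date.
KNOWN_BACKPORTS = {"FreeBSD": "20150801"}


def compare(banners=SAMPLE_BANNERS, backports=KNOWN_BACKPORTS):
    """Return {name: (scanner verdict, evidence-aware verdict)}.
    A FAIL/PASS pair is exactly the false positive described in the post."""
    return {name: (version_only_verdict(b), evidence_aware_verdict(b, backports))
            for name, b in banners.items()}


def false_positives(banners=SAMPLE_BANNERS, backports=KNOWN_BACKPORTS):
    """Names of hosts the scanner fails but the evidence-aware check passes."""
    return sorted(n for n, (scan, real) in compare(banners, backports).items()
                  if scan == "FAIL" and real.startswith("PASS"))


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print("%-16s scanner=%-5s evidence=%s" % (name, *verdicts))
    print("false positives:", false_positives())
```

The useful output is the `compare()` table rather than the verdict itself: a host that shows `FAIL` in the scanner column and `PASS (vendor backport)` in the evidence column is the case to dispute, and the vendor tag plus the advisory it was checked against is the documentation to attach to the dispute. Running the check over your own hosts means substituting real banners (for example from `ssh -V` on the host or the first line the daemon sends) and a floor date taken from the vendor advisory.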