[talk] PCI scan and SSHD false positive

George Rosamond george at ceetonetechnology.com
Tue Sep 1 16:21:19 EDT 2015

I have a box that failed a PCI scan solely based on the recent SSHD
vulnerabilities CVE-2014-2653.

Needless to say, the box, running FreeBSD 10.2-stable r287217 is not
vulnerable, as 10.2 vulnerabilities only affected up to r285978, plus
PAM is disabled, no DNSSEC, no passwd auth, etc.

However, since the SSHD version is OpenSSH_6.6.1p1, and 6.6 is affected,
scanners determine it's vulnerable.

I saw a Reddit thread about this in relation to pfSense, and the results
are the same.  It's a patched version of SSHD, and the stupid scanners
only determine pass/fail based on version.

I am having a hard time conveying this to the PCI scanner through the
client.  I assume every box not running SSH 6.7 is deemed vulnerable,
since that's all these people are looking for.

How have people dealt with this?
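The banner-only rule the post describes, written out as an added example so the false positive is concrete. This is not code from the list post, from FreeBSD or from any PCI scanner; the banner strings and host names below are constructed, and the only fact taken from the page is that the upstream fix release is OpenSSH 6.7.

```python
"""Banner-only SSH vulnerability check, constructed to mirror the logic the
post describes: the version string is compared against the upstream fix
release and nothing else is inspected. Added example, not code from the list
post, FreeBSD or any scanner vendor.
"""
import re
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# Upstream OpenSSH shipped the fix for CVE-2014-2653 in 6.7; a banner-only
# check treats every OpenSSH release below this as affected.
FIXED_IN: Version = (6, 7, 0)

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
# Matches OpenSSH_6.6.1p1, OpenSSH_7.9p1, OpenSSH_8.0, OpenSSH_6.6.1_hpn13v11 ...
_OPENSSH_RE = re.compile(
    r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?(?:p\d+)?(?P<rest>.*)$"
)


class Banner(NamedTuple):
    proto: str
    software: str
    comments: Optional[str]


def parse_banner(line: str) -> Banner:
    """Split the server identification line into its RFC 4253 fields."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Banner(m.group("proto"), m.group("software"), m.group("comments"))


def openssh_version(software: str) -> Optional[Version]:
    """Return (major, minor, patch) for an OpenSSH softwareversion, else None.

    The portable 'pN' marker and any vendor suffix (e.g. _hpn13v11) are ignored:
    neither says anything about whether a security fix was backported."""
    m = _OPENSSH_RE.match(software)
    if not m:
        return None
    return (int(m.group("major")), int(m.group("minor")), int(m.group("patch") or 0))


def banner_says_vulnerable(line: str, fixed_in: Version = FIXED_IN) -> Optional[bool]:
    """The scanner's rule: software is OpenSSH and version < fixed_in -> flagged.

    Returns None when the software is not OpenSSH (nothing to compare against)."""
    ver = openssh_version(parse_banner(line).software)
    if ver is None:
        return None
    return ver < fixed_in


# Constructed banners (not captured from any real host). The first two hosts
# differ in whether the vendor backported the fix, yet present identical
# version fields, so the banner rule cannot tell them apart.
HOSTS = {
    "freebsd-backported-fix": "SSH-2.0-OpenSSH_6.6.1p1 FreeBSD-20140420",
    "unpatched-6.6.1":        "SSH-2.0-OpenSSH_6.6.1p1",
    "upstream-6.7":           "SSH-2.0-OpenSSH_6.7p1",
    "not-openssh":            "SSH-2.0-dropbear_2015.67",
}


def scan(hosts=HOSTS):
    """Apply the banner rule to every host; returns {name: verdict}."""
    return {name: banner_says_vulnerable(banner) for name, banner in hosts.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:24} flagged={verdict}")
```

The two 6.6.1p1 hosts get the same verdict regardless of what the vendor backported, which is exactly the false positive in the post: nothing the banner carries can show that a fix was applied, so the evidence has to come from outside the scan (the vendor's patch level or advisory) when disputing the finding.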

