CacheFlow OpenSSH security vulnerabilities

Article ID: 168612

Updated On:

Products

CacheFlow Appliance Software

Issue/Introduction

CacheFlow OpenSSH security vulnerabilities

Cause

Recent OpenSSH security vulnerabilities

Resolution

Here is a list of the known reported vulnerability numbers for SSH and how they apply to CacheFlow (CF) appliance software:
  1. CVE-1999-0634. This CVE is listed as "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER" on the NIST site. The indications for it are that "SSH is running". SSH is running, and it is a secure remote access method. This should be considered a "false positive", and given the NIST entry, it should probably be considered a defect in the scanning software. Refer to https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0634
  2. CVE-2011-5000. Not vulnerable. CF is not built with GSSAPI support.
  3. CVE-2011-0633. This CVE is listed as "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER" on the NIST site. It may be checking that port 80 is open and is accepting connections. If that is the case, that would be because explicit port 80 is being intercepted, likely as part of the recommended health checks performed by the switch. This should likely be considered a "false positive", and given the NIST entry, it should probably be considered a defect in the scanning software.
  4. CVE-2011-4327. Not vulnerable. CF's implementation of OpenSSH does not use ssh-rand-helper to obtain entropy, nor does the CF software contain ptrace or ptrace-like commands.
  5. OpenSSH (CVE-2010-5107) - To mitigate the problem, restrict access to the management SSH port of the CF via router ACL configuration (i.e., allow only administrator IPs/networks to access the CF Management Console on TCP port 22).
  6. OpenSSH 'schnorr.c' (CVE-2014-1692) - CF is not vulnerable because J-PAKE is not enabled.
  7. OpenSSH J-PAKE (CVE-2010-4478) - CF is not vulnerable because J-PAKE is not enabled.
  8. OpenSSH verify_host_key SSHFP DNS RR (CVE-2014-2653) - This is a problem with the OpenSSH client behaviour when the server sends an unrecognized certificate. The server code is not impacted, thus CF is not vulnerable.
  9. OpenSSH (CVE-2014-2532) - The CF CLI has no environment variables and does not allow environment variables to be configured from the CLI. None of the vulnerable code is enabled on CF, and therefore CF is not vulnerable.
  10. OpenSSH (CVE-2011-0539) - CF is not vulnerable because the OpenSSH code is only used as an SSH server. The vulnerable function, key_certify(), is not used by the CF.
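
One way to verify the router ACL mitigation from item 5 (CVE-2010-5107), as an added example that is not part of the original article or any vendor tooling: it walks a first-match ACL and reports which non-administrator sources a permit rule still lets reach the appliance on TCP 22. The rule tuple format, the function names, IPv4-only handling, the implicit deny at the end of the list, and all addresses (documentation ranges) are assumptions made for the illustration.

```python
import ipaddress

def subtract(nets, hole):
    """Remove `hole` from a list of CIDR blocks (blocks are nested or disjoint)."""
    out = []
    for n in nets:
        if n.subnet_of(hole):
            continue                             # fully covered by the hole
        if hole.subnet_of(n):
            out.extend(n.address_exclude(hole))  # split the block around the hole
        else:
            out.append(n)                        # disjoint, keep unchanged
    return out

def exposed_ssh_sources(acl, mgmt_ip, admin_nets, port=22):
    """Return [(rule_no, [networks])]: non-admin sources a permit rule lets reach SSH."""
    mgmt = ipaddress.ip_address(mgmt_ip)
    admins = [ipaddress.ip_network(a) for a in admin_nets]
    decided, findings = [], []   # decided: sources already matched by earlier rules
    for rule_no, (action, src, dst, dport) in enumerate(acl, 1):
        if mgmt not in ipaddress.ip_network(dst) or dport not in (None, port):
            continue             # rule does not apply to SSH toward the appliance
        src_net = ipaddress.ip_network(src)
        if action == "permit":
            left = [src_net]
            for hole in decided + admins:
                left = subtract(left, hole)
            if left:
                findings.append((rule_no, list(ipaddress.collapse_addresses(left))))
        decided.append(src_net)
    return findings              # empty list: only admin networks reach TCP 22

# Constructed sample data (RFC 5737 documentation ranges), not from the article.
MGMT_IP, ADMIN_NETS = "198.51.100.10", ["192.0.2.0/28"]
RESTRICTED_ACL = [               # (action, source, destination, TCP port or None = any)
    ("permit", "192.0.2.0/28", "198.51.100.10/32", 22),
    ("deny",   "0.0.0.0/0",    "198.51.100.10/32", 22),
    ("permit", "0.0.0.0/0",    "0.0.0.0/0",        None),
]
OPEN_ACL = [RESTRICTED_ACL[0], RESTRICTED_ACL[2]]   # the deny rule is missing

if __name__ == "__main__":
    for name, acl in (("restricted", RESTRICTED_ACL), ("open", OPEN_ACL)):
        for rule_no, nets in exposed_ssh_sources(acl, MGMT_IP, ADMIN_NETS):
            print(f"{name}: rule {rule_no} exposes TCP 22 to {len(nets)} non-admin block(s)")
```
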