OpenSSH Vulnerabilities CVE-2023-48795, CVE-2023-51384 and CVE- 2023-51385

search cancel

OpenSSH Vulnerabilities CVE-2023-48795, CVE-2023-51384 and CVE- 2023-51385

book

Article ID: 370893

calendar_today

Updated On:

Products

VMware vSphere ESXi 7.0 VMware vSphere ESXi 8.0

Issue/Introduction

^{Customer vulnerability scanners will detect open SSH vulnerabilities.}

^{CVE-2023-48795 priority is medium (CVSS score 5.9)}

^{CVE-2023-51384 priority is medium (CVSS score is 5.5)}

^{CVE-2023-51385 priority is medium (CVSS score is 6.5)}

Environment

^{VMware vSphere Esxi 7.x}

^{VMware vSphere Esxi 8.x}

Cause

^{CVE-2023-48795 (CVSS 5.9) "Terrapin": ESXi does not enable chacha20-poly1305 due to FIPS. CBC ciphers are also not used due to CTR being superior. Thus, ESXi is not vulnerable.

CVE-2023-51384 (CVSS 5.5) ESXi does not use ssh-agent, which only affects ssh client.

CVE-2023-51385 (CVSS 6.5) Affects ssh client only.}

Resolution

^{ESXi 7.x and 8.x are not vulnerable.}

^{Kindly note: The ESXi 8.0u3 has openssh version 9.6}

Additional Information

^{Since OpenSSH is one of the packages which comes as a complete installation bundle with Esxi we cannot upgrade it to specific version.}

^{Keep ssh disabled on your host unless it is required for troubleshooting purposes.}
^{To verify version run rpm -qa | grep openssh on vCenter CLI}

Feedback

thumb_up Yes

thumb_down No