
OpenSSH Vulnerability

With the recent announcement of vulnerabilities/exploits for OpenSSH compiled against OpenSSL, will there be a firmware upgrade to patch this, as the version installed in the product appears to be vulnerable? (On the paid/licensed version of the product, of course.)

Thanks

L.


  • Is this really a problem? - iTWire - OpenSSH developer plays down exploit rumours

    If you are concerned about this, you can simply disable SSH access or limit it to internal and VPN access.

    Or, is there something I'm not understanding?

    Thanks - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'm sure Astaro will integrate the latest patches into a firmware update, if they are applicable... however, I do recommend that you follow best practices and restrict access to the SSH service altogether; for customers that we manage, we set up a restricted access list (static IPs), a very short list, for SSH and WebAdmin access... and for those we don't manage, we always recommend they follow similar procedures.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not constitute a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
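The "short static allowlist" recommended in the post above, worked through as an added example (not code from the thread, from Astaro, or from Sophos): a generic Linux sshd/netfilter host rather than the product's own WebAdmin allowed-networks setting. It assumes a hypothetical allowlist of three networks, an assumed admin account name `loginuser`, and an OpenSSH recent enough that `AllowUsers USER@CIDR` patterns are honoured. It checks whether a given source address would be admitted, emits the matching `sshd_config` lines, and emits netfilter rules so the port is filtered before sshd ever answers, which is what actually removes exposure to a daemon bug whose details are still unclear.

```python
"""Added example: restrict sshd to a short static allowlist (generic Linux host).

Not the product's configuration mechanism; addresses and the account name are
constructed for illustration.
"""
import ipaddress
from typing import Iterable, List

# Constructed, hypothetical allowlist: LAN management subnet, the VPN client
# pool, and one static public address of a managed-services provider.
MGMT_ALLOWLIST = ["10.10.0.0/24", "172.16.100.0/24", "203.0.113.17/32"]
SSH_PORT = 22
ADMIN_USER = "loginuser"  # assumed name of the only account allowed over SSH


def parse_allowlist(cidrs: Iterable[str]) -> list:
    """Strict parse: host bits set (10.10.0.5/24) or an over-broad prefix raise
    rather than silently widening access on a firewall."""
    nets = []
    for entry in cidrs:
        net = ipaddress.ip_network(entry, strict=True)
        if net.prefixlen < 8:
            raise ValueError(f"allowlist entry {entry} is too broad for a static ACL")
        nets.append(net)
    return nets


def allowlist_is_sane(cidrs: Iterable[str]) -> bool:
    """True if every entry parses strictly; use before pushing config to a box."""
    try:
        parse_allowlist(cidrs)
        return True
    except ValueError:
        return False


def is_allowed(src: str, cidrs: Iterable[str] = MGMT_ALLOWLIST) -> bool:
    """Would a TCP/22 connection from src reach sshd under this allowlist?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in parse_allowlist(cidrs))


def sshd_config_fragment(cidrs: Iterable[str] = MGMT_ALLOWLIST, user: str = ADMIN_USER) -> str:
    """sshd_config lines. AllowUsers USER@CIDR restricts account and source together;
    sshd evaluates DenyUsers before AllowUsers, so root stays blocked from anywhere."""
    patterns = " ".join(f"{user}@{net.with_prefixlen}" for net in parse_allowlist(cidrs))
    return "\n".join([
        "PermitRootLogin no",
        "PasswordAuthentication no",  # keys only; password guessing gains nothing
        "DenyUsers root",
        f"AllowUsers {patterns}",
    ])


def iptables_rules(cidrs: Iterable[str] = MGMT_ALLOWLIST, port: int = SSH_PORT) -> List[str]:
    """Defence in depth: accept the SSH port only from the allowlist and drop the
    rest, so an unpatched sshd is unreachable from the Internet regardless of
    what the daemon's own configuration says."""
    rules = [
        f"iptables -A INPUT -p tcp --dport {port} -s {net.with_prefixlen} -j ACCEPT"
        for net in parse_allowlist(cidrs)
    ]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    print(sshd_config_fragment())
    print("\n".join(iptables_rules()))
    for probe in ("10.10.0.42", "203.0.113.17", "198.51.100.9"):
        print(probe, "allowed" if is_allowed(probe) else "dropped")
```

The strict parse is the part worth keeping: a typo such as `10.10.0.0/0` or a host address with a network mask is exactly the kind of error that turns a "very short list" into an open port, and it is cheaper to reject it at generation time than to find it in the logs.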

  • We do restrict access via SSH to the box itself.  My biggest concern was really the additional information on the supposed exploit being specifically against OpenSSH built on OpenSSL... given that OpenVPN is also built on OpenSSL, I'm trying to ascertain if there is any risk to the OpenVPN implementation as well.  If not, then fine, but given that the amount of "information" about the "vulnerability" is pretty thin on the ground at the moment, Bob (above) may well be right, and it could very well be a case of Intox + paranoia.  Better to be safe than sorry though.

    L.
  • Leland, according to the article, the only potential danger (still not confirmed) was that a user who accessed SSH could change to a higher access level.  I can't imagine that there's any way such an exploit could be used to break into an SSL VPN server.

    Cheers - Bob
  • Ok.. thanks Bob... should be okay then even if the threat is not INTOX.

    Thanks for the replies and insight.

    L.
  • You bet... and, just because we're paranoid doesn't mean they're not out to get us! [;)]
  • I was afraid of that... oh dear :S

    [;)]
  • To be a good firewall admin you need a very high level of paranoia and a good flak jacket, because the bastards really are out to get you. LOL [:)]