AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system

  • 1.  OpenSSH 9.7.3013.1000 vulnerable CVE-2024-6387, CVE-2024-39894

    Posted Tue December 17, 2024 11:15 AM

    We received from our security department using Tenable that OpenSSH 9.7.3013.1000 is vulnerable asking us to upgrade to OpenSSH version 9.8 or later.

    Looking for an ETA to forward to our security department.

    Thanks



    ------------------------------
    Scott Gruber
    ------------------------------


  • 2.  RE: OpenSSH 9.7.3013.1000 vulnerable CVE-2024-6387, CVE-2024-39894

    Posted Tue December 17, 2024 12:10 PM

    CVE-2024-39894 is only about hidden text (i.e. remote su or sudo) prompts, which doesn't sound particularly threatening.

    CVE-2024-6387 is a potential RCE due to a race condition in Login Grace Timeout. This can be fixed by setting the value to 0 in sshd_config, which could cause other problems if you use SSH frequently.

    The race condition is between sshd and Linux glibc syslog(), and may not be relevant for AIX. If you have anything on that, please post it.

    https://www.ibm.com/support/pages/security-bulletin-aix-vulnerable-arbitrary-code-execution-cve-2024-6387-due-openssh

    IBM posted a CVE for that, but only for 9.2.

    Otherwise IBM is publishing (for unknown reasons) SSH updates on their MRS site: https://www.ibm.com/resources/mrs/assets/DirectDownload?source=aixbp&lang=en_US

    9.7.3013.1000 is the latest they have there.

    That's not really the AIX Open Source area, those are from IBM and not part of the AIX Toolkit.



    ------------------------------
    ========================
    Russell Adams
    https://adamssystems.nl/
    ========================
    ------------------------------
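    The LoginGraceTime workaround mentioned in the reply above is easy to verify on a fleet of hosts before the patched package arrives. The following audit script is an added example for this thread, not code from IBM or from any poster; the sample sshd_config snippets are constructed, and the 120-second default comes from sshd_config(5). It mirrors two sshd parsing rules that matter for a correct answer: keywords are case-insensitive, and the first occurrence of a keyword wins, so a later `LoginGraceTime 0` does not override an earlier value.

```python
"""Audit an sshd_config for the LoginGraceTime workaround (added example)."""
import re

DEFAULT_LOGIN_GRACE_TIME = 120  # sshd_config(5) default, in seconds

# sshd_config time format: plain seconds, or s/m/h/d/w suffixes, e.g. "1h30m"
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed sample configs; these are not taken from any real host.
CONFIG_DEFAULT = """\
# no LoginGraceTime line at all: the 120 s default applies
Port 22
PermitRootLogin no
"""

CONFIG_WORKAROUND = """\
Port 22
logingracetime 0
PermitRootLogin no
"""

CONFIG_FIRST_WINS = """\
LoginGraceTime 2m
LoginGraceTime 0   # ignored: sshd keeps the first value it read
"""

CONFIG_MATCH_ONLY = """\
LoginGraceTime 30
Match Address 10.0.0.0/8
    LoginGraceTime 0
"""


def parse_time(value):
    """Convert an sshd_config time value ("30", "2m", "1h30m") to seconds."""
    value = value.strip().lower()
    if not re.fullmatch(r"(\d+[smhdw]?)+", value):
        raise ValueError(f"invalid time value: {value!r}")
    return sum(int(amount) * _UNIT_SECONDS[unit]
               for amount, unit in re.findall(r"(\d+)([smhdw]?)", value))


def effective_login_grace_time(config_text):
    """Return the global LoginGraceTime in seconds.

    Directives inside a Match block only apply to matching connections, so
    parsing stops at the first Match line; the global value is what matters
    for the unauthenticated-connection window the workaround is about.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Both "Keyword value" and "Keyword=value" are accepted by sshd.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "logingracetime" and len(parts) == 2:
            # drop a trailing inline remark from the constructed sample
            return parse_time(parts[1].split("#", 1)[0])
    return DEFAULT_LOGIN_GRACE_TIME


def audit_login_grace_time(config_text):
    """Summarise whether the workaround is in place and what it costs."""
    seconds = effective_login_grace_time(config_text)
    return {
        "login_grace_time": seconds,
        "workaround_applied": seconds == 0,
        "note": ("no timeout: unauthenticated connections are never reaped, "
                 "so plan to remove this once the patched package is installed"
                 if seconds == 0 else
                 "timeout active: the patched OpenSSH package is the real fix"),
    }


if __name__ == "__main__":
    for name, cfg in [("default", CONFIG_DEFAULT),
                      ("workaround", CONFIG_WORKAROUND),
                      ("first-wins", CONFIG_FIRST_WINS),
                      ("match-only", CONFIG_MATCH_ONLY)]:
        print(f"{name:11s} {audit_login_grace_time(cfg)}")
```

    Run it against `/etc/ssh/sshd_config` by reading the file into `audit_login_grace_time`. A value of 0 satisfies the workaround but removes the timeout entirely, which is the "other problems" side of the trade-off: half-open sessions are no longer reaped, so treat it as a stopgap rather than a permanent setting.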



  • 3.  RE: OpenSSH 9.7.3013.1000 vulnerable CVE-2024-6387, CVE-2024-39894

    Posted Mon January 06, 2025 08:52 AM

    Do you have any update/news on this case?

    I was asked on my side what to do with "https://www.tenable.com/plugins/nessus/201194" on some of our AIX systems with OpenSSH 9.7.3013.1000.

    I'm not able to find any information from IBM regarding this issue.

    =================
    Tom Kristen Hansen
    =================



    ------------------------------
    Tom Kristen Hansen
    ------------------------------



  • 4.  RE: OpenSSH 9.7.3013.1000 vulnerable CVE-2024-6387, CVE-2024-39894

    Posted Tue January 07, 2025 01:56 AM

    I found this, which solved the case: https://www.ibm.com/support/pages/aix-security-vulnerability-scanner-tools-fails-detect-openssh-version

    OpenSSH 9.7.3013.1000 is actually version 9.8.



    ------------------------------
    Tom Kristen Hansen
    ------------------------------