1

I'm working on shoring up some vulnerabilities in our environment, and one of them is that we're on OpenSSH 8.9. Our security team has advised us to upgrade to 9.3, but I'm not seeing anything indicating this package is available for Ubuntu 22.04. Is there any way to upgrade to that version?

  • Please obtain information about which CVEs they think need fixing, that aren't included here. If they can't, I would suggest looking for a new security team that knows what they're talking about. Ubuntu patches LTS releases, so OpenSSH 8.9 in 22.04 should be at least as secure as any newer version. – Artur Meinild Jun 09 '23 at 15:24
  • 2
    Your security team are likely relying specifically on scanner results, which are typically incorrect. Ubuntu patches CVEs with patches cherry-picked and applied to the version in the Ubuntu repos and to my knowledge there are no CVEs that are not already patched in the packaging. Check the CVE tracker for more details, and have your 'security team' learn not to rely solely on their tools, and to actually check if the CVEs, etc. they're seeing reported are in fact patched. (This is why we use Rapid7 InsightVM to check all our systems' security with credentialed agent access) – Thomas Ward Jun 09 '23 at 16:10
  • 1
    (Disclaimer: I'm an IT Security Professional myself AND the IT Sec person at my employer and we regularly see these 'false positives' in scans which don't have credentialed access to the systems to see what versions are actually installed and compare that against the known security patches that have been released) – Thomas Ward Jun 09 '23 at 16:11
  • @ThomasWard-OnStrike These comments can be turned into an answer :) – Archisman Panigrahi Jun 09 '23 at 16:20
  • @ArturMeinild This is the CVE they're pointing to. We're on jammy right now which is marked as "needed". https://ubuntu.com/security/CVE-2023-28531

    Reading that link, it looks like we just need to do the upgrade manually rather than via the Ubuntu repos? – Kat Fitzgerald Jun 09 '23 at 16:40
  • 2
    Hmm this seems kinda strange - a CVE with priority "low" but severity score of 9.8? – Artur Meinild Jun 09 '23 at 16:49
  • @ArturMeinild CVE score != Ubuntu Security Team Assessment of Risk., – Thomas Ward Jun 09 '23 at 16:50
  • @KatFitzgerald If you are specifically worried then you need to upgrade to a newer Ubuntu release. The moment you try and switch to a different OpenSSH system yourself on your infrastructure you lose general security support and now have to manually recompile every time there's a security issue, and you lose automated patching. You would probably have to upgrade to a newer Ubuntu release than what you're using. – Thomas Ward Jun 09 '23 at 16:51
  • Yeah, and I know way less than you about that - so thanks! – Artur Meinild Jun 09 '23 at 16:51
  • 2
    @ArturMeinild also AIUI the initial CVE score is from the submitter and can be inflated by self-important security types for reputation. Take this CVE which had a score of *9.8* (!) for Vim of all things. At the time security folks at my company were going nuts about it, and then I read the bounty report, then ran the score calculator with what I felt were the right parameters and got 7.3 (close to the value it has now). – muru Jun 13 '23 at 15:05

1 Answer

4

Your security team are likely relying specifically on scanner results, which are typically incorrect.

Ubuntu patches CVEs with patches cherry-picked and applied to the version in the Ubuntu repos and to my knowledge there are no CVEs that are not already patched in the packaging. Check the CVE tracker for more details, and have your 'security team' learn not to rely solely on their tools, and to actually check if the CVEs, etc. they're seeing reported are in fact patched. (This is why we use Rapid7 InsightVM to check all our systems' security with credentialed agent access at my employer).

Note that some CVEs are likely patched, while others don't apply, etc. so you and your sec team need to look up the specific CVEs on the tracker and see if the version of Ubuntu in use actually has a patch available. If it does, it'll list what version of the package has the patch. You can then check apt policy openssh-server and see what version of OpenSSH server is installed on the system. If it's older than the package version that's patched, you need to run updates on your systems.

(Disclaimer: I am an IT Security Professional by trade, and this 'misconception' of "you MUST upgrade to the latest OpenSSH or you're not safe!" is a notion that security teams need to stop adhering to, and they need to learn how the infrastructure actually works and gets updated.)


If you are dead set on updating to newer OpenSSH to fix this, then you need to manually compile OpenSSH and install it on those affected systems. This will not be trivial and is not easily documented here.

Thomas Ward
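A way to do the check the answer describes (look up the release's status on the CVE tracker, read the installed and candidate versions from apt policy, and compare them against the version the tracker lists as fixed), as an added example that is not part of the original answer or of any Ubuntu tooling. It implements the Debian package version ordering (epoch, upstream, revision, with '~' sorting before everything) in pure Python so it runs anywhere, parses the Installed/Candidate lines of apt policy output, and interprets the per-release tracker status. The apt policy text, the tracker status strings and every package version below are constructed for illustration; they are not taken from a real host or from the CVE page linked in the comments.

```python
import re

# Per-release status as the Ubuntu CVE tracker shows it, e.g. "needed" or
# "released (1:8.9p1-3ubuntu0.3)". The state names are assumed from the
# tracker's vocabulary; only "released (<version>)" carries a fixed version.
TRACKER_RE = re.compile(
    r"^(?P<state>released|needed|needs-triage|pending|deferred|ignored|"
    r"not-affected|DNE)(?:\s*\((?P<ver>[^)]+)\))?$"
)

# Constructed apt policy output (not from a real system).
SAMPLE_POLICY = """openssh-server:
  Installed: 1:8.9p1-3ubuntu0.1
  Candidate: 1:8.9p1-3ubuntu0.3
  Version table:
     1:8.9p1-3ubuntu0.3 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
 *** 1:8.9p1-3ubuntu0.1 100
        100 /var/lib/dpkg/status
"""


def _order(c):
    """Sort weight of one character, following dpkg's verrevcmp() rules."""
    if c is None or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1           # '~' sorts before anything, even end of string
    return ord(c) + 256     # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two version fragments (upstream part or Debian revision)."""
    i, j, la, lb = 0, 0, len(a), len(b)
    while i < la or j < lb:
        # Non-digit run: compare character by character using the weights above.
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i] if i < la else None)
            bc = _order(b[j] if j < lb else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison, leading zeros ignored.
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        first_diff = 0
        while i < la and j < lb and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1        # a has more digits, so it is the larger number
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def parse_apt_policy(text):
    """Pull the Installed and Candidate versions out of apt policy output."""
    installed = candidate = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Installed:"):
            installed = s.split(":", 1)[1].strip()
        elif s.startswith("Candidate:"):
            candidate = s.split(":", 1)[1].strip()
    return installed, candidate


def assess(installed, candidate, tracker_status):
    """Decide whether this host is patched for one CVE on one release."""
    m = TRACKER_RE.match(tracker_status.strip())
    if not m:
        return "unknown tracker state: " + tracker_status
    state, fixed = m.group("state"), m.group("ver")
    if state in ("not-affected", "DNE"):
        return "not affected"
    if state != "released" or not fixed:
        return "vulnerable: no fix released for this Ubuntu release yet"
    if installed in (None, "(none)"):
        return "not installed"
    if compare_versions(installed, fixed) >= 0:
        return "patched"
    if candidate and compare_versions(candidate, fixed) >= 0:
        return "vulnerable: fix available, run apt update && apt upgrade"
    return "vulnerable: fix not in configured repositories"


if __name__ == "__main__":
    inst, cand = parse_apt_policy(SAMPLE_POLICY)
    # "needed" is what the comments above report for jammy; the "released"
    # line is a made-up status used only to show the version comparison.
    for status in ("needed", "released (1:8.9p1-3ubuntu0.3)"):
        print(status, "->", assess(inst, cand, status))
```

A scanner that keys on the upstream "8.9p1" string alone cannot tell 1:8.9p1-3 from 1:8.9p1-3ubuntu0.3, which is exactly the gap the answer is talking about; the comparison above works on the full Debian version, so a backported fix in a ubuntu0.N revision is recognised as newer.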