
Question: OpenSSH vulnerability?

wildeeep

New Pleskian
Server operating system version: Ubuntu 20.04.6 LTS
Plesk version and microupdate number: 18.0.58
Hi! I have just had a security scan done on my server as part of a compliance survey and they reported the following:

OpenSSH 8.2p1 Ubuntu-4ubuntu0.11 has a well-known and highly visible security vulnerability. Services with known and highly visible security vulnerabilities can be specifically targeted and exploited by hackers. This service should be updated to the latest version. Refer to the OpenSSH website for further details. This service is using port 22 on IP address xxxx

is this something to be concerned about and can it be updated?
 
We have the same issue flagged.

Description
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.)

NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

Detected openbsd openssh version 8.9p1

Solution
Update to the latest version.

What can we do to mitigate this, please?
 
Hi, this is still true as of Plesk Obsidian 18.0.76 Update #6!
Sorry, usually I'm very happy about Plesk, but this is unacceptable. Have you got a timeline to fix this?
 
Hi! I have just had a security scan done on my server as part of a compliance survey and they reported the following:

OpenSSH 8.2p1 Ubuntu-4ubuntu0.11 has a well-known and highly visible security vulnerability. Services with known and highly visible security vulnerabilities can be specifically targeted and exploited by hackers. This service should be updated to the latest version. Refer to the OpenSSH website for further details. This service is using port 22 on IP address xxxx

is this something to be concerned about and can it be updated?
This is dependent on the version of Ubuntu that you are running, and Ubuntu 20 has vulnerabilities from OpenSSH 8.2 and onwards. Ubuntu 24 still has some OpenSSH issues flagged, but you can demonstrate mitigation against these by making sure that you have the appropriate settings on your server. If you visit openssh.com you can find out more about the vulnerabilities, and can then take appropriate action, or demonstrate to a pen tester that there is mitigation.

For example on this issue - NVD - CVE-2023-38408 (nist.gov) - having Agent Forwarding disabled is enough to mitigate this vulnerability.

Given that you are on quite an old OS with Ubuntu 20, you might need to consider updating that first.

As to concern - this is really down to clients. Most of these vulnerabilities are highly unlikely scenarios, but if the client deems them unacceptable then you have to deal with them.
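The server-side setting the reply above points to can be audited from the sshd_config file itself. This is an added example, not code from the thread or from Plesk or OpenSSH: it models sshd's parsing rules (keywords are case-insensitive, the first value obtained for a keyword wins, and lines after the first Match block are conditional), and the three sample configs are constructed for the demonstration.

```python
"""Audit an sshd_config for the AllowAgentForwarding keyword.

Added example, not from the forum thread. sshd uses the first value it
obtains for each keyword, so a later "AllowAgentForwarding no" does not
override an earlier "yes"; the built-in default is "yes".
"""
import shlex


def effective_option(config_text: str, keyword: str, default: str) -> str:
    """Return the global value sshd would use for `keyword` (first match wins)."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Key value" and "Key=value"
        parts = shlex.split(line.replace("=", " ", 1))
        if not parts:
            continue
        key = parts[0].lower()
        if key == "match":
            # everything after the first Match block is conditional; stop here
            break
        if key == keyword.lower() and len(parts) > 1:
            return parts[1].lower()
    return default


def agent_forwarding_disabled(config_text: str) -> bool:
    """True only when the global AllowAgentForwarding value is "no"."""
    return effective_option(config_text, "AllowAgentForwarding", "yes") == "no"


# Constructed sample configs (not copied from any real server).
WEAK_CONFIG = """\
# keyword left commented out, so sshd falls back to its default of "yes"
#AllowAgentForwarding yes
X11Forwarding no
"""

HARDENED_CONFIG = """\
AllowAgentForwarding no
X11Forwarding no
Match User deploy
    AllowAgentForwarding yes
"""

TRICKY_CONFIG = """\
AllowAgentForwarding yes
AllowAgentForwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("tricky", TRICKY_CONFIG)):
        print(f"{name}: agent forwarding disabled = {agent_forwarding_disabled(cfg)}")
```

On a live host, `sshd -T` prints the effective configuration, so `sshd -T | grep -i allowagentforwarding` shows the value a scanner would observe after a `systemctl restart ssh`.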
 
I'm sorry, my report is wrong. The version in Plesk Obsidian 18.0.76 Update #6 is
"""
openssh-client – 1:8.9p1-3ubuntu0.15
openssh-server – 1:8.9p1-3ubuntu0.15
"""
that means the issue is solved, as reported in USN-8222-1: OpenSSH vulnerabilities | Ubuntu security notices | Ubuntu
As I just replied to wildeeep, this is not a Plesk issue, it is something controlled at OS level, so these are security issues with Ubuntu. The version of Plesk isn't relevant. Plesk only takes updates from official repositories, so you may need to update your server OS, depending which version of Ubuntu you're running, and even if you are on 24, there are still some listed OpenSSH vulnerabilities.
 