
Nessus reports this as Critical; however, there are issues such as CVE-2015-5600, which has a score of 8.5 but which Red Hat reports as a 'Low' issue. https://access.redhat.com/security/cve/CVE-2015-5600 reports it as 'Low' impact. Moreover, I don't understand why Red Hat says that it is not affected by most of the OpenSSH vulnerabilities. Any explanation? For example, https://access.redhat.com/security/cve/CVE-2016-1907 doesn't affect Red Hat products... What are they doing differently?

1 Answer


CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices

This vulnerability has low impact on RHEL because the option ChallengeResponseAuthentication is disabled in the default configuration. It is, or will be, fixed in RHEL 6 and 7 nonetheless.

CVE-2016-1907: openssh: out-of-bounds read in packet handling code

This one does not affect RHEL systems because the bug was introduced in openssh-6.8 (RHEL 7 ships openssh-6.6.1p1), as noted in a comment to the related bug.

Other vulnerabilities can be explained similarly (usually because the bug was introduced recently). OpenSSH is quite secure, and breaking through all the levels of security needs a lot of effort.

Disclaimer: I work for Red Hat.

Jakuje