SSH version in ALOM 1.6.3

We are using Nessus 3.0.5 build W313 with all standard plug-ins in order to verify the security of our system (Netra 210, Netra 440).

This tool is complaining that the SSH version contained in ALOM 1.6.3 is older than 3.1.

Here is the Nessus report:

You are running a version of OpenSSH which is older than 3.1.

Versions prior to 3.1 are vulnerable to an off-by-one error that allows local users to gain root access, and it may be possible for remote users to similarly compromise the daemon for remote access.

In addition, a vulnerable SSH client may be compromised by connecting to a malicious SSH daemon that exploits this vulnerability in the client code, thus compromising the client system.

Solution: Upgrade to OpenSSH 3.7.1 or newer

1. How can I verify the version of SSH available in ALOM?

2. Would ALOM 1.6.5 fix it? If not, how can I upgrade just SSH for ALOM?

By gtaubea at 2008-2-19
# 1

Sun's SSH may have been originally derived from an old version of OpenSSH, but it's mutated a lot since then and includes a lot of their fixes.

So I would be surprised if the warning was valid.

Still, they have changed the SSH identification string for the OS-based SSH server, and they haven't bothered to do the ALOM SSH server. So it's possible that not all the fixes in the OS version have made it into the ALOM.

But no, there's no way of updating the SSH in the ALOM save updating the ALOM firmware.

So you can try 1.6.5, but I don't remember anything SSH related in the changelog. So chances are it's not going to change anything.

If you're really worried and have a Sun service contract you can try opening a job.

But I suspect the warning is bogus, so I'd just ignore it.

We still use telnet to connect to our ALOMs, but firewalls lock down the machines allowed to connect to just the local subnet.

Which I would suggest is good practice anyway. So SSH vulnerabilities should be more or less moot.

robert.cohena at 2007-7-29
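Both the original question (how to see what SSH version the ALOM reports) and the reply (the identification string is what a banner-based check keys on, and Sun's OS-side string was changed while the ALOM's was not) come down to the same thing: Nessus-style OpenSSH version plugins read the `SSH-proto-software` identification line the server sends at connect time and compare the number after `OpenSSH_` against a threshold. The script below is an added example for this thread, not code from the original posters, Sun or Tenable. It grabs that line from a host you name on the command line, parses it the way such a plugin does, and reports whether the claimed version is below the 3.7.1 minimum the report cites. The sample identification strings embedded in it are constructed for offline use (the Sun one shows the `Sun_SSH_x.y` format rather than an actual ALOM capture), and the host argument is whatever address your ALOM's network management port answers on; no ALOM-side command is assumed.

```python
"""Banner-based OpenSSH version check in the style of the Nessus plugin.

Added example, not part of the original thread. Assumptions: the ALOM's SSH
service listens on TCP 22 of the address you pass; the sample banners are
constructed, not captured from a real ALOM.
"""
import re
import socket
import sys
from typing import Optional, Tuple

# Constructed sample identification strings (RFC 4253 section 4.2 format).
SAMPLE_BANNERS = {
    "old-openssh": "SSH-2.0-OpenSSH_3.0.2p1",
    "fixed-openssh": "SSH-2.0-OpenSSH_3.7.1p2",
    "sun-ssh": "SSH-2.0-Sun_SSH_1.1",      # illustrative Sun-style string
}

# SSH-<protoversion>-<softwareversion>[ <comments>]
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$"
)
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<version>\d+(?:\.\d+)*)(?P<rest>.*)$")


def parse_identification(line: str) -> Optional[dict]:
    """Split an identification line into proto/software/comment; None if it is not one."""
    m = IDENT_RE.match(line.strip())
    return m.groupdict() if m else None


def openssh_version(software: str) -> Optional[Tuple[int, ...]]:
    """Numeric OpenSSH version as a tuple, e.g. 'OpenSSH_3.0.2p1' -> (3, 0, 2).
    Returns None for anything that does not identify itself as OpenSSH."""
    m = OPENSSH_RE.match(software)
    if not m:
        return None
    return tuple(int(x) for x in m.group("version").split("."))


def nessus_style_verdict(line: str, minimum: Tuple[int, ...] = (3, 7, 1)) -> str:
    """Classify a banner the way a version-comparison plugin would.

    Note what this can and cannot tell you: it only compares the number the
    server chose to advertise. A vendor build that backported fixes but kept
    an old string is reported as vulnerable; a build that bumped the string
    without the fixes is reported as fine.
    """
    ident = parse_identification(line)
    if ident is None:
        return "not-ssh"
    version = openssh_version(ident["software"])
    if version is None:
        return "not-openssh"      # e.g. Sun_SSH: plugin has nothing to compare
    return "openssh-below-minimum" if version < minimum else "openssh-ok"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server identification line from a live host (network; not run by the test)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as f:
            # RFC 4253 allows the server to send other lines first; the
            # identification line is the first one starting with "SSH-".
            while True:
                raw = f.readline()
                if not raw:
                    raise ConnectionError("no SSH identification string received")
                line = raw.decode("ascii", "replace").rstrip("\r\n")
                if line.startswith("SSH-"):
                    return line


if __name__ == "__main__":
    # Usage: python check_ssh_banner.py <alom-address>   (omit to use the sample)
    banner = grab_banner(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BANNERS["old-openssh"]
    print(banner, "->", nessus_style_verdict(banner))
```

Run it against the ALOM's management address and compare the line it prints with what the same script prints for the host OS's sshd; if the ALOM still advertises an `OpenSSH_3.x` string, that is the string Nessus is matching on, and the verdict says nothing about whether the firmware build actually carries the later fixes. Confirming that requires the vendor's release notes or a service call, not a banner.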