SSH vulnerabilities reported on the ExtremeWireless appliance using the Qualys Guard Scanner.

Symptoms
SSH vulnerabilities reported on the ExtremeWireless appliance using the Qualys Guard Scanner.
Environment
  • All ExtremeWireless appliances.
  • All ExtremeWireless Access Points.
  • Firmware 10.41.12.0006.
Cause
The scan reported several OpenSSH vulnerabilities, one of which is not yet resolved in our firmware.
Resolution
  • CVE-2018-15473 - addressed under an internal PR:
    • Resolution will be in 10.51.02.
  • CVE-2016-10012 - not applicable (Local attacker only and only with certain optimizing compilers)
  • CVE-2016-10011 - not applicable (The description seems to say it is a non issue in practice and local attacker only)
  • CVE-2016-10010 - not applicable (UsePrivilegeSeparation is enabled (the default) which makes it irrelevant)
  • CVE-2016-10009 - not applicable (ssh-agent is not in use)
  • CVE-2016-8858 - not an issue (OpenSSH upstream does not consider this as a security issue)
    • OpenSSH as shipped with V10.51 should not be flagged for this issue.
  • CVE-2016-0778 - patched since V10.11
  • CVE-2016-0777 - patched since V10.11
  • CVE-2016-3115 - not applicable (The system has X11Forwarding disabled)
    • OpenSSH as shipped with V10.51 should not be flagged for this issue.
  • CVE-2015-6564 - patched since V10.11
  • CVE-2015-6563 - patched since V10.11
  • CVE-2015-5600 - patched since V10.11
  • The 2015 issues may have been false positives from the scan; all our firmware from 10.11 onward has had this fix.
  • The 2016 issues have either already been fixed or will not be a problem with the new OpenSSH client in 10.51.xx. At this time, there are no plans to backport the new SSH client into 10.41.xx.
  • Finally, the 2018 issue is the only one not currently resolved in any firmware; it will be fixed in the upcoming 10.51.02 Maintenance Release.
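
Two of the "not applicable" verdicts above (CVE-2016-10010 and CVE-2016-3115) depend on sshd settings rather than on a patch. The script below is an added example, not vendor code, that checks those two settings in text saved in `sshd -T` format; having access to that output on the appliance is an assumption, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Input is text in `sshd -T` format
# (one "keyword value" pair per line, keywords in lowercase).

# Print the value of keyword $1 read from stdin, or nothing if it is absent.
effective_value() {
    awk -v key="$1" 'tolower($1) == key { print tolower($2); exit }'
}

# Emit "<CVE> <HOLDS|FAILS|UNKNOWN> <evidence>" for each config-dependent
# verdict. Returns 0 only when both assumptions are confirmed.
check_assumptions() {
    cfg=$1
    rc=0
    x11=$(effective_value x11forwarding < "$cfg")
    privsep=$(effective_value useprivilegeseparation < "$cfg")

    case "$x11" in
        no)  echo "CVE-2016-3115 HOLDS x11forwarding=no" ;;
        yes) echo "CVE-2016-3115 FAILS x11forwarding=yes"; rc=1 ;;
        *)   echo "CVE-2016-3115 UNKNOWN x11forwarding=${x11:-absent}"; rc=1 ;;
    esac

    # OpenSSH 7.5 and later deprecate this keyword (privilege separation is
    # mandatory there), so a missing value is UNKNOWN rather than FAILS.
    case "$privsep" in
        yes|sandbox) echo "CVE-2016-10010 HOLDS useprivilegeseparation=$privsep" ;;
        no)          echo "CVE-2016-10010 FAILS useprivilegeseparation=no"; rc=1 ;;
        *)           echo "CVE-2016-10010 UNKNOWN useprivilegeseparation=${privsep:-absent}"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample input (not captured from an appliance).
sample=$(mktemp)
cat > "$sample" <<'EOF'
port 22
x11forwarding no
useprivilegeseparation sandbox
EOF
check_assumptions "$sample"
rm -f "$sample"
```

A FAILS or UNKNOWN line means the scanner finding for that CVE needs to be re-evaluated rather than closed as not applicable.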
Additional notes
Release Note: wns0022038 Addressed Potential Vulnerability of Controller in CVE-2018-15473.
