OpenSSH showing vulnerabilities. Could it be false-positive?
I am running Ubuntu 20.04.2 LTS and am using the system as a web server. I update the system on a regular basis.
I am trying to make sure my system is as secure as possible and have started to test the system. I ran a vulnerability scan on my system using NMAP. The results showed that there were some vulnerabilities in OpenSSH_8.2 and I was wondering if they were false-positives. The OpenSSH website says that the latest version is 8.6 but when I update my system, the repositories say that OpenSSH_8.2 is the most up to date version.
Do you build your own updates for packages? I was wondering since the OpenSSH_8.6 says it takes care of the vulnerabilities listed in the NMAP scan.
Thanks
EDIT***
Sorry I didn't give more info about what my situation was about. This is in response to some of the comments and the answer. I haven't submitted this through Launchpad for the security team to look at because I believe OpenSSH has already posted alerts on their site about everything I found.
So, a little bit more background. I ran the NMAP scan on my own LAN. I scanned my Ubuntu server from another computer running Kali Linux. I have my Kali and Ubuntu computers hardwired into my router (ethernet). I have configured my computers and router to allow SSH connections from certain computers on my LAN and completely blocked to WAN.
Like I say, the computer I scanned is Ubuntu:
~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal
SSH Version:
~$ ssh -V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020
The command I used for scanning and results from said scan:
─$ sudo nmap -sV --script vuln 192.168.0.12
Starting Nmap 7.91 ( ) at 2021-05-24 21:13 PDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.0.12
Host is up (0.00016s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:8.2p1:
| EDB-ID:21018 10.0 *EXPLOIT*
| CVE-2001-0554 10.0
| CVE-2020-15778 6.8
| CVE-2020-12062 5.0
| CVE-2021-28041 4.6
| MSF:ILITIES/OPENBSD-OPENSSH-CVE-2020-14145/ 4.3 *EXPLOIT*
| MSF:ILITIES/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145/ 4.3 *EXPLOIT*
| MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145/ 4.3 *EXPLOIT*
| MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145/ 4.3 *EXPLOIT*
| MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/ 4.3 *EXPLOIT*
| CVE-2020-14145 4.3
|_ MSF:AUXILIARY/SCANNER/SSH/FORTINET_BACKDOOR/ 0.0 *EXPLOIT*
80/tcp open http Apache httpd
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
443/tcp open ssl/http Apache httpd
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_sslv2-drown:
MAC Address: 00:15:C5:F6:5D:94 (Dell)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 75.19 seconds
I was wondering if I had anything to worry about. I am also curious about the sslv2-drown in my Apache setup. I do use both http and https for my websites and have ports 80 & 443 accessible from WAN.
Any help would be appreciated.
11 Answer
Ubuntu releases, especially Long-term support (LTS) releases, do not update major versions of packages, in order to maintain the compatibility contract with software.
Ubuntu does still focus on hardening functionality of existing features, and they will backport security fixes.
While there is not enough information from the original post as to what vulnerabilities NMAP is detecting or how it is deciding that the version of sshd you are using is subject to them, most likely it is purely based on the reported version number.
If you look at the output of dpkg -l | grep -i openssh you will see the actual package number will probably be the latest shown on this change log. Notice how the security updates have been back-ported without incrementing the major/minor version number.
As of when I am writing this, here is the last change entry.
openssh (1:8.2p1-4ubuntu0.2) focal-security; urgency=medium
- SECURITY UPDATE: double-free memory corruption in ssh-agent
- debian/patches/CVE-2021-28041.patch: set ext_name to NULL after freeing it so it doesn't get freed again later on in ssh-agent.c.
- CVE-2021-28041
-- Marc Deslauriers Tue, 09 Mar 2021 09:17:50 -0500
Note the 4ubuntu0.2 portion of the version.
4 = Upstream Debian Version
0.2 = Ubuntu version of the Debian package
Most likely nmap is reporting "OpenSSH 8.2 (protocol 2.0)" and alerting simply on that information it discovered during detection, and is not detecting an actual vulnerability, but as we do not know exactly what nmap command you ran, we do not know.
As an OpenSSH server reports its version to clients to work around changed, buggy or missing features in specific versions, Ubuntu cannot change that version number even when they do back-port security fixes.
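The check described in the answer, as an added example that is not part of the original post or answer: it looks up each CVE ID from the scan in the package changelog instead of trusting the banner version. The function names and the abridged sample changelog are constructed for illustration; on a real host the input would be the package's full changelog.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or answer).
# Triage scanner-reported CVE IDs against a Debian/Ubuntu package changelog.
# On a real host, feed it the full changelog, e.g.:
#   apt-get changelog openssh-server | triage_cves CVE-2021-28041 ...

# Constructed sample input: the changelog entry quoted in the answer, abridged.
sample_changelog() {
    cat <<'EOF'
openssh (1:8.2p1-4ubuntu0.2) focal-security; urgency=medium
  - SECURITY UPDATE: double-free memory corruption in ssh-agent
  - debian/patches/CVE-2021-28041.patch: set ext_name to NULL after freeing it
  - CVE-2021-28041
 -- Marc Deslauriers Tue, 09 Mar 2021 09:17:50 -0500
EOF
}

# stdin: changelog text. args: CVE IDs from the scan report.
# Prints one line per ID:
#   "<id> in-changelog <version>"  the changelog names the CVE; <version> is the
#                                  oldest package version whose entry mentions it
#   "<id> not-in-changelog"        proves nothing either way; check the distro's
#                                  CVE tracker for that ID
triage_cves() {
    for id in "$@"; do   # reject anything that is not a plain CVE ID
        printf '%s\n' "$id" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$' ||
            { echo "bad CVE id: $id" >&2; return 2; }
    done
    awk -v ids="$*" '
        BEGIN { n = split(ids, want, " ") }
        # Stanza header: "package (version) suite; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(/ { ver = $2; gsub(/[()]/, "", ver) }
        {
            # Changelogs are newest-first, so the last match is the oldest entry.
            # The trailing [^0-9]|$ stops CVE-2021-2804 matching CVE-2021-28041.
            for (i = 1; i <= n; i++)
                if ($0 ~ (want[i] "([^0-9]|$)")) seen[want[i]] = ver
        }
        END {
            for (i = 1; i <= n; i++) {
                if (want[i] in seen) { print want[i], "in-changelog", seen[want[i]] }
                else                 { print want[i], "not-in-changelog" }
            }
        }'
}

# The CVE IDs listed by the vulners script in the scan output in the question.
sample_changelog | triage_cves CVE-2001-0554 CVE-2020-15778 CVE-2020-12062 \
    CVE-2021-28041 CVE-2020-14145
```

Binary packages on Ubuntu may ship a truncated changelog under /usr/share/doc, so older fixes can be missing from that copy; apt-get changelog fetches the full one.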