Conversation

Email received a few days ago: "We need to know which version of SSH is installed on the server, as we want to ensure it is not vulnerable to external attacks." My response: "Don’t worry, SSH is accessible ONLY via VPN, and I am the only one with access to that VPN—activated only when needed—so there is no way for there to be any issues, regardless of the version used."

Email received this morning: "We’re not interested; you must provide the SSH version installed and, if it's not the latest, ensure us of the update date."
My response: "Sorry, could you explain the rationale? SSH is not exposed, it’s not listening on any public IP."
Their reply: "Provide the version."
My response: "OpenSSH_9.7, LibreSSL 3.9.0, on OpenBSD."
Their reply: "This is not considered secure. It must be OpenSSH_9.2p1 Debian-2+deb12u3."
My response: "It’s not Debian; it’s OpenBSD."
Their reply: "So the systems are insecure."

And they claim to be a cybersecurity company...

13
6
5

@stefano reads like a scary pasta. Maybe your are making with an llm?

0
0
0

@stefano

BTW, which cybersecurity company? :)

0
0
0

@stefano lol, they always tell me that my distro version of ssh is out of date bc their dumb scanner (and evidentially the security genius pressing the scan button and forwarding me the report) doesn't know what a back-ported patch is.

network security is such a weird industry, so many amazing and talented ppl on mastodon... never have i encountered one at $DAY_JOB.

0
0
0

@stefano "It's not on the form, Stefano! If it's not on the form, it's not secure."

0
0
0

@stefano

> if it's not the latest, ensure us of the update date

OpenSSH 9.2 was released on 2023-02-02. Have THEM confirm when they will update to the latest version.

0
0
0

@stefano Not even getting the glibc based Linux distro dependency.
That is not vulnerability management but a prime example of a fool with a tool.

0
0
0

@stefano Is this PCI DSS by any chance?

1
0
0

@steve no, it's just a client's external "cybersecurity agency". No PCI-DSS involved

1
0
0

@stefano Ah, we forever have problems with PCI DSS compliance scanner companies. e.g. failure to accept that a "user enumeration bug" in SSH is not really a security problem when:
1. OpenSSH refuse to accept that it is a security problem;
2. RedHat refuse to accept that it is a security problem (and therefore won't release a fix); and
3. The only user with a shell account is root, so even if enumeration is a problem, all you can do is tell that a Linux box has a root account (well, duhh).

1
0
0

@steve "Paper" tech world and real tech world are so distant...

1
0
0

@stefano It actually really winds me up that these companies collect money from our customers and then basically libel us by telling the customer that our products are insecure. And then it's down to us to "prove" that they aren't instead of them having to prove that they aren't talking BS.

2
0
0

@steve Yes, that's a big problem. Some clients (not this one) are really worried by those results and those companies know it. Even if they trust us, they're worried we can have "missed" something as those companies are "specialized" in security.

1
0
0

@stefano I must admit that most customers seem to think that PCI DSS scans are a waste of time and money and would probably be happy for it to just lie to the certifier (but we don't do that!). Its one of those hoops that people have to jump through if they take card payments (quite why having a card payment machine on your wifi requires any kind of security from your network is a mystery - surely these things should be hardenned?)

0
0
0
@stefano VersionAddendum "OpenSSH_9.2p1 Debian-2+deb12u3"
0
0
2

@stefano Several years ago I encountered something similar. Got a notification from the security company that their internal scans had identified an insecure version of OpenSSH on the network. After a bit of poking, my team identified the host in question. It was the security company's OWN APPLIANCE.

We promptly turned the device off and stopped paying them.

1
0
0

@stefano @noahm Reminds me of the time I had a client's entire network go down because of a WAF/IDS that OOM'd due to buggy firmware while doing a pentest of a host behind it.

0
0
0