
I am in a situation where we are doing internal PCI scans and one server that is in the scope is an Ubuntu Server 16.04.2 LTS. The latest package for openssh-server is OpenSSH_7.2p2, as shown with the command ssh -V. The PCI scan is complaining about some new CVE bugs/vulnerabilities:

CVE-2016-10009
CVE-2016-10010
CVE-2016-10011
CVE-2016-10012

All of these show as "needed" when looking at http://people.canonical.com/~ubuntu-security/cve/

As I am pretty new to PCI compliance and scans, I am wondering how I should proceed to get past this. I have tried upgrading to OpenSSH 7.5 manually. Though the ssh -V command shows 7.5, the scan is not picking that up and thinks I am using 7.2 still. Am I missing something here regarding my manual upgrade, and why does my scan program still think that I am using 7.2? And if I cannot upgrade it manually and need to rely on the backports released in the future, can I argue to pass the internal scan based on that?

2 Answers

0

I was having the exact same issue.

I solved this by using wget to grab the OpenSSH 7.5 Debian packages from here:

https://packages.debian.org/search?keywords=openssh-client

https://packages.debian.org/search?keywords=openssh-server

Then using dpkg -i to install them.

To double check the ssh version exposed to the outside world you can use ssh -v when logging into the server.

This shows verbose output and should contain a line detailing the version number of the ssh daemon running on the server.

e.g. debug1: match: OpenSSH_7.5p1 Debian-2 pat OpenSSH* compat 0x04000000

About to re-run my PCI scan, fingers crossed!
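A network scanner does not run ssh -V on the host; it reads the identification string that the running sshd sends on connect, which is why a client binary upgrade or a daemon that was never restarted can leave the scanner reporting the old version. The following added example (not code from the question or either answer) reads and parses that banner the way the "debug1: match:" line above shows it. The host name and the sample banner strings are constructed for illustration; the parsing follows the identification-string format from RFC 4253 section 4.2.

```python
import re
import socket

# RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
# OpenSSH's softwareversion field, e.g. "OpenSSH_7.5p1"
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?P<patch>p\d+)?$")


def parse_banner(line: str) -> dict:
    """Split an SSH identification string into protocol, software and comments.

    For OpenSSH the numeric (major, minor) version is added under
    'openssh_version' so callers can compare against a required minimum.
    """
    line = line.rstrip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    info = {
        "proto": m["proto"],
        "software": m["software"],
        # The comments field is where Debian/Ubuntu put the package revision.
        "comments": m["comments"] or "",
    }
    om = OPENSSH_RE.match(m["software"])
    if om:
        info["openssh_version"] = (int(om["major"]), int(om["minor"]))
    return info


def is_at_least(info: dict, minimum: tuple) -> bool:
    """True if the banner is OpenSSH and its version is >= minimum (major, minor)."""
    version = info.get("openssh_version")
    return version is not None and version >= minimum


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect and read sshd's identification line (the server sends it first).

    Nothing is sent to the server; the socket is closed after the first line.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = sock.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace")


# Constructed sample banners (not captured from a real host):
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.5p1 Debian-2\r\n",
    "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\r\n",
]


def check_samples(minimum=(7, 5)) -> list:
    """Return (software, comments, meets_minimum) for each sample banner."""
    results = []
    for banner in SAMPLE_BANNERS:
        info = parse_banner(banner)
        results.append((info["software"], info["comments"], is_at_least(info, minimum)))
    return results


if __name__ == "__main__":
    for software, comments, ok in check_samples():
        print(f"{software:<16} {comments:<20} meets 7.5: {ok}")
    # To see what a scanner sees on a real host, replace the placeholder name:
    # print(parse_banner(fetch_banner("sshd.example.invalid")))
```

The check tells you which version string the daemon actually advertises, which is the value a version-based scanner compares against its CVE database. Whether a given banner corresponds to patched or unpatched code on a distribution package is a separate question, and the Canonical tracker linked in the question is where that status is recorded.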

0

All four bugs are fixed in the 17.04 version of the package.

You can try backporting the 17.04 version of the package to your 16.04.2 system.

You can replace your 16.04.2 system with 17.04.

Obviously, you should test any changes in a VM first!

Since 17.04 has been released, you can also request an SRU of the fixes to 16.04. They might do it - PCI compliance is important.
