I'm working on shoring up some vulnerabilities in our environment, and one of them is that we're on OpenSSH 8.9. Our security team has advised us to upgrade to 9.3, but I'm not seeing anything indicating this package is available for Ubuntu 22.04. Is there any way to upgrade to that version?
2 Answers
Your security team are likely relying specifically on scanner results, which are typically incorrect.
Ubuntu patches CVEs with patches cherry-picked and applied to the version in the Ubuntu repos, and to my knowledge there are no CVEs that are not already patched in the packaging. Check the CVE tracker for more details, and have your 'security team' learn not to rely solely on their tools, and to actually check if the CVEs, etc. they're seeing reported are in fact patched. (This is why we use Rapid7 InsightVM to check all our systems' security with credentialed agent access at my employer.)
Note that some CVEs are likely patched, while others don't apply, etc. so you and your sec team need to look up the specific CVEs on the tracker and see if the version of Ubuntu in use actually has a patch available. If it does, it'll list what version of the package has the patch. You can then check apt policy openssh-server and see what version of OpenSSH server is installed on the system. If it's older than the package version that's patched, you need to run updates on your systems.
(Disclaimer: I am an IT Security Professional by trade, and this 'misconception' of "you MUST upgrade to the latest OpenSSH or you're not safe!" is a notion that security teams need to stop adhering to religiously, and they need to learn how the infrastructure actually works and gets updated with regards to the specific systems they maintain. This is a known gripe / issue in the ITSec world, but it's one that a little extra research would help resolve in most circles.)
If you are dead set on updating to newer OpenSSH to fix this, then you need to manually compile OpenSSH and install it on those affected systems. This will not be trivial and is not easily documented here.
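The check the answer above describes (look up the fixed version on the Ubuntu CVE tracker, read what `apt policy openssh-server` says is installed and available, compare the two) can be scripted. The block below is an added example and is not code from the answer or from Ubuntu; it re-implements dpkg's version ordering (epoch, upstream, revision, with `~` sorting lowest) so it runs on a machine without dpkg, and on a real host `dpkg --compare-versions` gives the same ordering. The `apt policy` text is a constructed sample, and the fixed-version strings are placeholders to be replaced with whatever the tracker lists for the CVE and release in question.

```python
"""Compare the openssh-server version apt reports against the fixed version
listed on the Ubuntu CVE tracker.  Added example, not from the original post.
Version ordering is a re-implementation of dpkg's algorithm so this runs
without dpkg/apt installed."""
import re

# Constructed sample of `apt policy openssh-server` output (not captured from a real host).
SAMPLE_POLICY = """\
openssh-server:
  Installed: 1:8.9p1-3ubuntu0.7
  Candidate: 1:8.9p1-3ubuntu0.10
  Version table:
     1:8.9p1-3ubuntu0.10 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
 *** 1:8.9p1-3ubuntu0.7 100
        100 /var/lib/dpkg/status
"""


def _order(ch):
    """dpkg's character weighting: '~' < end-of-string or digit < letters < other."""
    if ch == "~":
        return -1
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with dpkg's weighting.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically (longer run wins).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0, ordering a against b as dpkg --compare-versions would."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    return r if r else _verrevcmp(ra, rb)


def parse_apt_policy(text):
    """Extract the Installed and Candidate versions from `apt policy <pkg>` output."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Installed|Candidate):\s*(\S+)", line)
        if m:
            found[m.group(1)] = None if m.group(2) == "(none)" else m.group(2)
    return found.get("Installed"), found.get("Candidate")


def assess(policy_text, fixed_version):
    """Classify a host against the version the CVE tracker lists as carrying the fix."""
    installed, candidate = parse_apt_policy(policy_text)
    if installed is None:
        return "not installed"
    if compare_versions(installed, fixed_version) >= 0:
        return "patched"
    if candidate is not None and compare_versions(candidate, fixed_version) >= 0:
        return "update available: run apt upgrade"
    return "fix not available from configured repos"


if __name__ == "__main__":
    # Placeholder: substitute the version the Ubuntu CVE tracker lists for your CVE and release.
    FIXED = "1:8.9p1-3ubuntu0.10"
    print(assess(SAMPLE_POLICY, FIXED))
    # Why bare upstream numbers mislead: Ubuntu's package carries epoch 1, so a
    # hand-built 9.8p1 with no epoch still sorts *below* the packaged 8.9p1.
    print(compare_versions("9.8p1", "1:8.9p1-3ubuntu0.10") < 0)
```

Feed it the real `apt policy openssh-server` output from the host and the fixed version from the tracker entry for the specific CVE the scanner flagged; "patched" means the scanner is matching on the banner version only, "update available" means the host simply has not been updated.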
To install the vulnerability-patched SSH server 9.8p1 on Ubuntu:
Download it:
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
Remove the existing install:
sudo systemctl stop sshd
sudo apt-get remove openssh-server openssh-client
Install the build tools:
sudo apt update
sudo apt install -y build-essential zlib1g-dev libssl-dev libpam0g-dev libselinux1-dev libwrap0-dev libedit-dev libbsd-dev autoconf automake libtool pkg-config wget curl git
Untar it and build it:
tar zxvf openssh-9.8p1.tar.gz
cd openssh-9.8p1
./configure
make
sudo make install
Set up the service:
sudo nano /etc/systemd/system/sshd.service
Paste this into the file:
[Unit]
Description=OpenSSH server daemon
After=network.target
[Service]
ExecStart=/usr/local/sbin/sshd -D
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
[Install]
WantedBy=multi-user.target
Save and close (ctrl+x y enter)
Reload the daemon, start and enable the service:
sudo systemctl daemon-reload
sudo systemctl start sshd
sudo systemctl enable sshd
Now I had problems at this point, but all I needed to do was unmask ssh:
sudo systemctl unmask ssh
Then repeat the daemon-reload, start and enable steps.
Check the status:
sudo systemctl status sshd
All done!
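A variant of the unit file from the answer above, added here as an example and not part of the original post or of the OpenSSH project. It keeps the same paths the answer produces (a bare `./configure` installs `sshd` to `/usr/local/sbin` and reads `/usr/local/etc/sshd_config`) and adds the guards Ubuntu's own packaged `ssh.service` uses: a `sshd -t` config check before every start and reload, so a typo in the config fails the unit instead of silently leaving the box without remote access, and `RestartPreventExitStatus=255`, since `sshd` exits 255 on fatal startup errors and retrying those is pointless.

```ini
[Unit]
Description=OpenSSH server daemon (built from source, /usr/local/sbin/sshd)
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
# Same kill switch the Ubuntu package honours: touch this file to keep sshd down.
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
# Validate the configuration first; a bad edit fails here, not after the
# listener has already gone away.
ExecStartPre=/usr/local/sbin/sshd -t
ExecStart=/usr/local/sbin/sshd -D
# Re-validate before signalling a reload so a broken config never reaches
# the running daemon.
ExecReload=/usr/local/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
# Only the listener is killed on stop/restart; established sessions survive.
KillMode=process
Restart=on-failure
# sshd exits 255 on fatal errors (unreadable host key, bad config); don't loop.
RestartPreventExitStatus=255

[Install]
WantedBy=multi-user.target
```

Two caveats for anyone following the build steps: with a bare `./configure`, `make install` generates fresh host keys under `/usr/local/etc`, so clients that knew the old keys will see a host-key-changed warning; passing `--sysconfdir=/etc/ssh` to `configure` makes the new build reuse the existing config and host keys instead. And because the binary is now outside dpkg's view, `apt` will never update it again, so rebuilding from the next upstream tarball becomes a manual chore you have to own.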