This is a common vulnerability found on TrustWave PCI compliance scans that many of our clients are required to get. This is because our servers are running Redhat Enterprise Linux. Redhat doesn't usually update the versions of software installed and instead chooses to patch the existing version with code that fixes notable vulnerabilities. This means that their automated system produces false positives.
We normally need to make an appeal on a client by client basis to fix this type of vulnerability. Below are the steps necessary to provide a successful appeal.
- The first step is to login to the client's TrustWave control panel. You'll need to locate the the most recent scan results, usually by clicking on "Scan Results" in the left navigation menu.
- Click on the vulnerability in question and in the vulnerability details pane at the bottom of the screen should be a button titled "Dispute".
- Click the "Dispute Finding" to activate the pop-up window
- You'll need to select a reason, enter a title, and provide a supporting comment
For vulnerability "OpenSSH < 4.4 Multiple Vulnerabilities" enter the following details:
- Reason: I have a compensating control in place
- Title: This should be pre-populated, but change as necessary
- Comment: We are running Red Hat Enterprise Linux Server release 5.5 (Tikanga). According to vulnerability summary CVE-2006-5051/CVE-2006-5052 and Red Hat Security Advisory RHBA-2007:0462-2/RHEA-2010:0511-1, the package "openssh-3.9p1-11" fixes the problem. This server runs patch level "4.3p2-72" which includes the necessary security fixes.