[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability
@seth-arnold, You are talking about a different type of vulnerability scanning that is not part of the Qualys service in question (External vulnerability scan, "black box" scan methodology). PCI DSS also mandates regular internal scans and penetration tests. Qualys, as well as other vendors provides such services. As for determining package version directly vs. by version banner, I don't see any difference *in this case* as by default full ubuntu- specific package version is displayed in SSH version banner and Qualys requires users not to interfere with the scanning. The issue that @root(mysky) has stems from the fact that Qualys is usually very fast when including a vulnerable product in their detector but sometimes slow to exclude fixed versions as in this case. This isn't a big deal as they have False Positive Report mechanism that allows a live service representative to asses the situation and allow your system to pass even if the automatic scanner detects a non-existent vulnerability. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794629 Title: CVE-2018-15473 - User enumeration vulnerability To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability
@Seth Arnold, Qualys automated vulnerability scanner is not supposed to do any penetration testing, including vulnerability exploitation attempts as it is ran unattended so must not create any risks of DoS. Trying to exploit some vulnerabilities can jeopardize production systems. This way, such non-intrusive scans are by definition limited to sending completely legitimate requests, checking the responses and then analyzing them based on a vulnerability database. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794629 Title: CVE-2018-15473 - User enumeration vulnerability To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability
@root (mysky), You don't need any scripts. Referring to a vendor's documentation (https://usn.ubuntu.com/3809-1/ in this case) is usually enough. See also: https://pci.qualys.com/static/help/merchant/false_positives/submit_false_positive_requests.htm -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794629 Title: CVE-2018-15473 - User enumeration vulnerability To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability
@root (mysky), Qualys is slow to fix their detection algorithm. You just need to provide them with False Positive report citing the vendor documentation (https://usn.ubuntu.com/3809-1/). Faking software version is the last thing someone should do to be PCI DSS compliant. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1794629 Title: CVE-2018-15473 - User enumeration vulnerability To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs