OpenSSH update to avoid multiple medium security vulnerabilities
CVE | CVE-2020-15778, CVE-2018-15473, CVE-2021-28041, CVE-2021-41617, CVE-2020-14145 |
Advisory Summary | OpenSSH update to avoid multiple medium security vulnerabilities |
Products or Components | 8000, 9000 and RideSafe GT/MT/RT |
Addressed in Release | Patch 41107 R1.0 for 5.24.0.0067 (GA) and 5.24.0.1001 (SP1) |
Severity | Medium |
Ticket | ESC-883 |
Description
This issue relates to the SSH service of 8000, 9000 and RideSafe (GT, MT & RT) Series recorders (R5), which is used for provisioning the recorder. A security patch is now available that covers multiple medium-severity vulnerabilities in the OpenSSH version that was in use up to and including versions 5.24.0.0067 (GA) and 5.24.0.1001 (SP1).
Please note that this patch updates both OpenSSH and the OpenSSL version used with it, and that the OpenSSL license of this version changed to the Apache License v2.
Impact
The list of relevant vulnerabilities is:
- CVE-2020-15778 CVSS Score 6.8. Command injection over scp. On R5, this vulnerability is mitigated by the need to authenticate as the provisioning interface user, and by the fact that the provisioning interface user environment has limited access to the system.
- CVE-2018-15473 CVSS Score 5. User account enumeration. On R5, this vulnerability is mitigated by the presence of a unique provisioning interface user, with a known username. There is nothing to enumerate.
- CVE-2021-28041 CVSS Score 4.6. A double free in ssh-agent memory may lead to information disclosure. On R5, this vulnerability is mitigated by the fact that the provisioning interface user environment has limited access to the system.
- CVE-2021-41617 CVSS Score 4.4. Privilege escalation in non-default configurations. On R5, this vulnerability is mitigated by the fact that the provisioning interface user is unique.
- CVE-2020-14145 CVSS Score 4.3. Potential man-in-the-middle attack. There are no mitigations for this vulnerability, aside from avoiding using the provisioning interface or using it only inside a trusted environment.
Solution
Update R5 recorders running either 5.24.0.0067 (GA) or 5.24.0.1001 (SP1) with the 41107 R1.0 patch. Future releases of R5 will not be affected by these issues. For older releases, use the provisioning interface only when necessary, and only in a trusted environment. To completely disable the provisioning interface, if desired, contact our technical support.
If R5 recorders are managed under Command Enterprise, please remind customers that 2.16 is the minimum version that supports R5 recorders at 5.24.0.0067 (GA) or 5.24.0.1001 (SP1).
Downloads
Visit our Partner Portal to download the 41107 R1.0 patch.
Revision
May 10, 2023 – Initial public report
Disclaimer
March Networks’ assessment of this security vulnerability is contingent on the March Networks products being updated to the recommended release and/or security patch level and on the system having been deployed and configured in accordance with March Networks security recommendations and industry best practices. IT IS THE CUSTOMER’S RESPONSIBILITY TO EVALUATE THE EFFECT OF ANY SECURITY VULNERABILITY. A failure to update March Networks products and/or to follow March Networks recommendations or industry best practices may increase the risk associated with a security vulnerability. March Networks follows industry leading practices in addressing security vulnerabilities in our products. While March Networks cannot guarantee that our products will be free from security vulnerabilities, we are committed to providing updates and security fixes, for our supported products, if and when a high security vulnerability is determined to affect March Networks products.