Our VVX310s are running Dropbear with vulnerabilities. Is there a way to disable SSH in our provisioning server? We are on firmware 5.5.1.11526.
Scan Information
Start time: Thu Mar 23 10:16:53 2017
End time: Thu Mar 23 10:17:24 2017

Host Information
IP:

Results Summary
Critical: 1
High: 0
Medium: 0
Low: 0
Info: 3
Total: 4
Results Details

22/tcp
93650 - Dropbear SSH Server < 2016.72 Multiple Vulnerabilities

Synopsis
The SSH service running on the remote host is affected by multiple vulnerabilities.

Description
According to its self-reported version in its banner, Dropbear SSH running on the remote host is prior to 2016.74. It is, therefore, affected by the following vulnerabilities:

- A format string flaw exists due to improper handling of string format specifiers (e.g., %s and %x) in usernames and host arguments. An unauthenticated, remote attacker can exploit this to execute arbitrary code with root privileges. (CVE-2016-7406)

- A flaw exists in dropbearconvert due to improper handling of specially crafted OpenSSH key files. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-7407)

- A flaw exists in dbclient when handling the -m or -c arguments in scripts. An unauthenticated, remote attacker can exploit this, via a specially crafted script, to execute arbitrary code. (CVE-2016-7408)

- A flaw exists in dbclient or dropbear server if they are compiled with the DEBUG_TRACE option and then run using the -v switch. A local attacker can exploit this to disclose process memory. (CVE-2016-7409)

See Also
https://matt.ucc.asn.au/dropbear/CHANGES

Solution
Upgrade to Dropbear SSH version 2016.74 or later.

Risk Factor: Critical
CVSS v3.0 Base Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVSS v3.0 Temporal Score: 8.7 (CVSS:3.0/E:U/RL:O/RC:C)
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score: 7.4 (CVSS2#E:U/RL:OF/RC:C)

References
BID: 92970, 92972, 92973, 92974
CVE: CVE-2016-7406, CVE-2016-7407, CVE-2016-7408, CVE-2016-7409
XREF: OSVDB:142291, OSVDB:142292, OSVDB:142293, OSVDB:142294

Plugin Information
Publication date: 2016/09/22, Modification date: 2016/12/06

Ports: tcp/22
Version source: SSH-2.0-dropbear_0.51
Installed version: 0.51
Fixed version: 2016.74
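The finding above is purely banner-based: the scanner reads the server identification line (`SSH-2.0-dropbear_0.51`) and compares the self-reported version with 2016.74. The same check is the quickest way to confirm, phone by phone, whether a firmware change actually moved the embedded Dropbear past the fixed version. The script below is an added example for this thread, not Poly/Polycom code and not part of the original post; the host addresses and all banners except the 0.51 one from the scan are constructed. The one non-obvious step is version comparison, because Dropbear switched from 0.NN numbering to YYYY.NN in 2011, so a naive string compare of "0.51" against "2016.74" is not safe.

```python
"""Flag Dropbear SSH servers below the fixed version from their banner.

Added example for this thread (not Poly/Polycom code, not from the original
post). Hosts and banners are constructed, except "SSH-2.0-dropbear_0.51",
which is the banner shown in the scan output above.
"""
import re
import socket

FIXED_VERSION = "2016.74"  # the "Fixed version" reported by the scanner

# SSH identification string: "SSH-<proto>-dropbear_<version>". Some builds
# strip the version suffix, so it is optional in the pattern.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-dropbear(?:_(?P<ver>[0-9][\w.]*))?", re.IGNORECASE
)

# Constructed sample inventory (hypothetical addresses).
SAMPLE_BANNERS = {
    "10.0.0.11": "SSH-2.0-dropbear_0.51",     # the phone from the scan above
    "10.0.0.12": "SSH-2.0-dropbear_2016.73",  # one release before the fix
    "10.0.0.13": "SSH-2.0-dropbear_2016.74",  # exactly the fixed version
    "10.0.0.14": "SSH-2.0-dropbear_2019.78",
    "10.0.0.15": "SSH-2.0-OpenSSH_7.4",       # not Dropbear at all
    "10.0.0.16": "SSH-2.0-dropbear",          # Dropbear with the version stripped
}


def parse_dropbear_version(banner):
    """Return (is_dropbear, version) for an SSH banner; version is None if absent."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return False, None
    return True, m.group("ver")


def version_key(ver):
    """Map both Dropbear numbering schemes onto one sortable tuple.

    Releases up to 0.53 used 0.NN; from 2011 on they are YYYY.NN with the
    build number continuing (2011.54 ... 2016.74). A tuple compare therefore
    orders 0.51 before 2016.74, which plain string comparison would not.
    """
    major, _, rest = ver.partition(".")
    minor = re.match(r"\d+", rest)
    return (int(major), int(minor.group()) if minor else 0)


def assess(banner, fixed=FIXED_VERSION):
    """Classify one banner: 'vulnerable', 'patched', 'unknown' or 'not-dropbear'."""
    is_dropbear, ver = parse_dropbear_version(banner)
    if not is_dropbear:
        return "not-dropbear"
    if ver is None:
        return "unknown"  # cannot be judged from the banner; check release notes
    return "vulnerable" if version_key(ver) < version_key(fixed) else "patched"


def assess_inventory(banners):
    """Return {host: verdict} for a mapping of host -> banner."""
    return {host: assess(b) for host, b in banners.items()}


def grab_banner(host, port=22, timeout=3.0):
    """Read the identification line from a live host (not used in the offline demo)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(256)
    return data.split(b"\n", 1)[0].decode("ascii", "replace").rstrip("\r")


if __name__ == "__main__":
    for host, verdict in sorted(assess_inventory(SAMPLE_BANNERS).items()):
        print(f"{host:<12} {SAMPLE_BANNERS[host]:<28} {verdict}")
```

Two caveats follow from the method itself. A build that back-ports the fix without bumping the version string still reads as "vulnerable" here, exactly as it does in the scanner, and a build that strips the version (the "unknown" case) cannot be judged from the banner at all; in both cases the vendor's release notes, which the replies below point to, are the authority. If the firmware provides a way to turn the SSH service off, the verification is simpler still: `grab_banner()` should then fail to connect on port 22 rather than return any banner.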


Hello technicholas,

welcome back to the Polycom Community.

I believe we are already looking into this and will correct this in a future version.


Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

Polycom Global Services

------------------------------------------------
Notice: I am an HP Poly employee but all replies within the community are done as a volunteer outside of my day role. This community forum is not an official HP Poly support resource, thus responses from HP Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge.
If you need immediate and/or official assistance for former Poly\Plantronics\Polycom please open a service ticket through your support channels
For HP products please check HP Support.

Please also ensure you always check the General VoIP, Video Endpoint, UC Platform (Microsoft), PSTN

Anyone know the latest version supported on VVX-300s without the vulnerability?

Hello,

welcome to the Polycom Community.

UC Software 5.4.6 is later than 5.5.1, but I assume only later releases will have this fix. I suggest checking the release notes.

Best Regards

Steffen Baier

Polycom Global Services
