Dimitry- Thanks for your response. You have been very helpful. I agree with your statement relating to the version determination. I will await if the maintainer has any response before formulating my next action.
If necessary, I can take this information you provided back to Tenable team and try to make the case that Tenable needs to change it's method or get an exception. Best Regards, Ted Summers From: Dimitry Andric <dimi...@unified-streaming.com> Sent: Wednesday, March 5, 2025 11:50 AM To: SUMMERS, TED <ted.summe...@hp.com> Cc: cygwin@cygwin.com Subject: Re: Cygwin OpenSSH version detection by Tenable CAUTION: External Email In my opinion, it is wrong that scanners rely on this information. :-) But putting that discussion aside, the openssh-portable distribution does not announce its "patch level" in its version banner by default. See e.g. https://github.com/openssh/openssh-portable/blob/master/version.h<https://github.com/openssh/openssh-portable/blob/master/version.h>, where SSH_VERSION is defined as "OpenSSH_9.9", while SSH_PORTABLE is defined as "p2". In https://github.com/openssh/openssh-portable/blob/master/ssh_api.c#L430<https://github.com/openssh/openssh-portable/blob/master/ssh_api.c#L430> you can see that the _ssh_send_banner() function only advertises the SSH_VERSION value, not the SSH_PORTABLE value. Now, various Linux distributions apply custom patches on top of the stock openssh-portable package to add additional information, for example Debian (and Ubuntu which sources its packages from there) has: https://salsa.debian.org/ssh-team/openssh/-/blob/master/debian/patches/package-versioning.patch?ref_type=heads<https://salsa.debian.org/ssh-team/openssh/-/blob/master/debian/patches/package-versioning.patch?ref_type=heads> I guess something similar could be done in the Cygwin package. This is up to the Cygwin maintainers of course. -Dimitry > On 5 Mar 2025, at 20:30, SUMMERS, TED via Cygwin > <cygwin@cygwin.com<mailto:cygwin@cygwin.com>> wrote: > > Dear list member(s), > > I've reviewed the list archives for the last two months since subcomponent > release, and googled, but didn't find an answer for my question. > > I'm encountering an issue with Tenable detecting a difference in version in > our security scans indicating that OpenSSH is still at a vulnerable version. > Even though I have openssh 9.9p2-1 installed, some query methods show the > version only as OpenSSH 9.9. > IF I login to my Cygwin installation and perform "ssh -V" I receive the > expected correct up-to-date values in the response: > OpenSSH_9.9p2, OpenSSL 3.0.16 11 Feb 2025 > > However Tenable is performing a non-authenticated query against ssh that > returns OpenSSH 9.9 (without the p2 appended to the end). > Then Tenable flags systems for remediation of what it detects as a vulnerable > version. > > If I initiate a command "ssh -vv <host ip>" I can see the string where it > reports the following: > debug1: Remote protocol version 2.0, remote software version OpenSSH_9.9 > > I can also get this information via nmap or netcat (nc) > Nmap (v7.94) returns: > 22/tcp open ssh OpenSSH 9.9 (protocol 2.0) > > # nc <ip address> 22 > SSH-2.0-OpenSSH_9.9 > > Is there a file that I can manipulate to resolve this, or can a new openssh > package build be made that fixes the version output in response to these > other query methods used by security scanners? > > I look forward to any response or guidance. > > Respectfully, > Ted Summers > > > > > > > -- > Problem reports: > https://cygwin.com/problems.html<https://cygwin.com/problems.html> > FAQ: https://cygwin.com/faq/<https://cygwin.com/faq> > Documentation: https://cygwin.com/docs.html<https://cygwin.com/docs.html> > Unsubscribe info: > https://cygwin.com/ml/#unsubscribe-simple<https://cygwin.com/ml/#unsubscribe-simple> -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
