Several CVE not detected for older CPEs: Dropbear SSH

CVE-2016-7406 to 7409 are all vulnerabilities in Dropbear SSH prior to version 2016.74

The CPE affected only shows as 2016.73, not all prior releases, so older versions show up as “No CVEs found” and so the NVTs don’t flag up issues for affected targets. Is this a generic problem that when CVEs are announced that affect all previous versions, that is not handled by Greenbone, or is this just an error in the way these particular CVEs are set up?

I’m not sure if I have fully understood the question but still hope my answer could help:

All Dropbear SSH VTs have a low QoD (Quality of Detection) value because this software is covered by “backports” in most Major Linux Distributions and a remote version check is thus unreliable (as it is not possible to determine the backported patch status of most software remotely).

If you are missing vulnerability reports of VTs for older CVEs in your report please make sure to adjust the QoD filter to a lower value accordingly. Please be aware that when doing so more possible false positives in your report are showing up due to the previously mentioned unreliability / lower quality of the detection.

More information on the QoD concept is available here:

https://docs.greenbone.net/GSM-Manual/gos-21.04/en/reports.html#quality-of-detection-concept


I agree the CVE entries for CVE-2016-7406 to 7409 should show all older CPEs, not just cpe:/a:dropbear_ssh_project:dropbear_ssh:2016.73.
The NVT "Dropbear SSH < 2016.74 Multiple Vulnerabilities" however is already testing for all affected CVEs. It’s not influenced by the missing CPE entries in the GSM’s CVE database.

I will see what can be done about the CVE entries, thanks for the heads up.

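The two matching strategies discussed above (an exact-CPE lookup that only knows 2016.73, versus the NVT's "< 2016.74" version check) and the effect of the report's QoD filter, as an added Python example that is not part of this thread or of Greenbone's own code. The QoD value of 30 for a banner-based check, the filter threshold of 70, the SSH banners and the 2015.71 version are constructed assumptions for illustration.

```python
import re

# Constructed sample data, not Greenbone's real feed or NVT code.
# A Dropbear release is "YYYY.NN"; compare it as an (int, int) tuple.
def parse_dropbear_version(banner):
    """Extract the Dropbear release from an SSH banner such as
    'SSH-2.0-dropbear_2016.73'; returns (2016, 73) or None."""
    m = re.search(r"dropbear_(\d{4})\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

# Two ways of expressing "affected": an exact CPE list (as the CVE entries
# in the thread do) and an open-ended "< fixed version" range (as the NVT
# 'Dropbear SSH < 2016.74 Multiple Vulnerabilities' does).
CVES = ["CVE-2016-7406", "CVE-2016-7407", "CVE-2016-7408", "CVE-2016-7409"]
CPE_PREFIX = "cpe:/a:dropbear_ssh_project:dropbear_ssh:"
EXACT_CPES = {CPE_PREFIX + "2016.73"}   # only the last vulnerable release listed
FIXED_IN = (2016, 74)

def cves_by_exact_cpe(version):
    """CPE-table lookup: older releases fall through the gap."""
    cpe = f"{CPE_PREFIX}{version[0]}.{version[1]}"
    return CVES if cpe in EXACT_CPES else []

def cves_by_range(version):
    """Range check as the NVT does it: every release before the fix matches."""
    return CVES if version < FIXED_IN else []

def nvt_check(banner, qod=30):
    """Emulate a remote version-check NVT: one result for the matched CVE set,
    tagged with a low QoD (assumed 30) because a banner cannot reveal whether
    a distribution backported the fix."""
    v = parse_dropbear_version(banner)
    if v is None:
        return []
    cves = cves_by_range(v)
    return [{"cves": cves, "version": v, "qod": qod}] if cves else []

def filter_by_qod(results, threshold):
    """Report filter: keep only results whose QoD is at least the threshold,
    so a low-QoD finding disappears at 70 and reappears at 0."""
    return [r for r in results if r["qod"] >= threshold]
```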

Hi cfi,

Thank you, this is the second time the QoD has bitten me :dizzy_face:. Tino, thanks for your answer, I was just going to explain that I would still expect it to show up against the CPE, but I can confirm it does correctly show as a vulnerability in scan reports if I drop the QoD to 0. I think I’m going to globally change my QoD threshold to 0 in future for any Linux scans because I would rather have a false positive which my admins can override, than I would miss a critical vulnerability.

Many thanks both of you for your helpful replies.
