PCI DSS compliance issues with SSH

effieross

My client is concerned because they got some SSH issues flagged in a PCI DSS compliance audit. Specifically, there were the following issues:

OpenSSH < 9.3p2 Vulnerability - CVE-2023-38408
SSL Medium Strength Cipher Suites Supported (SWEET32) - CVE-2016-2183
SSL 64-bit Block Size Cipher Suites Supported (SWEET32) - CVE-2016-6329
The remote host is running a database server that is reachable from the Internet. This violates PCI DSS, section 1.3.7.
The remote host is running a database server that is reachable from the Internet. This violates PCI DSS, section 1.3.7.
OpenSSH 6.2 < 8.8 - CVE-2021-41617
OpenSSH < 9.9p2 MitM - CVE-2025-26465
OpenSSH < 9.6 Multiple Vulnerabilities - CVE-2023-51385, CVE-2023-48795, CVE-2023-51384
OpenSSH < 10.0 DisableForwarding - CVE-2025-32728

I'm not sure how to resolve these in Opalstack. Can someone advise?

sean

effieross the majority of the items you mentioned are already resolved:

CVE-2023-38408: patched via backports
CVE-2016-2183: patched via backports
CVE-2016-6329: OpenVPN bug, not affected
"The remote host is running a database server that is reachable from the Internet. This violates PCI DSS, section 1.3.7." - we run with database ports open due to customer demand. If you migrate to VPS we can close those ports for you. Note that we disable external access to your databases by default - for authentication to work from a remote IP you must explicitly enable it for your database user.
CVE-2021-41617: patched via backports
CVE-2025-26465: mitigate this in your SSH client config with VerifyHostKeyDNS no.
CVE-2023-51385: user can mitigate by using SSH correctly, ie "The ability to execute OS commands is dependent on what quoting is present in the user-supplied ssh_config directive. However, it is generally the user's responsibility to validate arguments passed to SSH."
CVE-2023-48795: mitigated via local config
CVE-2023-51384: not affected
CVE-2025-32728: we're waiting on a patch from the OS vendor

effieross

Thank you. I understand that these vulnerabilities have been addressed. However, my client is getting flagged by SecurityMetrics which is saying her site is not compliant. Is this an issue, or can she ignore it?

sean

effieross if your client passes the information that I've provided along to SecurityMetrics then they should be able to pass her.