topic Re: openSSH version 9.8 or later in PAN-OS in Next-Generation Firewall Discussions

openSSH version 9.8 or later in PAN-OS

RVizcarra — Thu, 03 Apr 2025 05:26:15 GMT

Hi Guys,

Hope you are all doing well.

Just wanted to confirm which PAN-OS currently has an openSSH 9.8 version or later?

Following this kb article: How to check the OpenSSH version the PAN-OS device is using - Knowledge Base - Palo Alto Networks

I did try to check it on Palo Alto networks OSS Licenses, however seems like the most updated PAN-OS that is listed there is only 11.0 and the openSSH version for that is only 8.0
PAN-OS 11.0 OSS Listing

my current version is on 10.2.x and planning to upgrade it as recommended on the VAPT assessment to upgrade the openSSH into 9.8version or later.

PA model: PA-820

Thanks

Re: openSSH version 9.8 or later in PAN-OS

TomYoung — Thu, 03 Apr 2025 15:56:51 GMT

Hi @RVizcarra ,

I recently had a VAPT (internal) like you, and ran across the same issue. There appears to be quite a few vulnerabilities with the current version of OpenSSH in PAN-OS. https://www.cybersecurity-help.cz/vdb/openssh/openssh/8.0p1/

I would like PANW to update the URL you provided to add PAN-OS 11.1 and 11.2.

This thread was also useful https://live.paloaltonetworks.com/t5/next-generation-firewall/openssh-verification-and-upgrade/td-p/578427 because it provides (1) and easy test and (2) the PANW PSIRT email to which you can ask them about the vulnerabilities.

Thanks,

Tom

Re: openSSH version 9.8 or later in PAN-OS

TomYoung — Tue, 08 Apr 2025 01:49:30 GMT

Hi @RVizcarra ,

I sent an email to psirt@paloaltonetworks.com and I got the following response:

PAN-OS runs a custom build of OpenSSH, so the version number does not necessarily correspond with applicable OpenSSH CVEs. This OpenSSH build receives regular security updates. You may find some information about the reported CVEs in our informational advisories. You can try the query feature of the security advisories site: https://security.paloaltonetworks.com/?q=<CVE> (replace <CVE> with the id of the CVE you are looking for, for eg: https://security.paloaltonetworks.com/?q=CVE-2024-1234). If there are any CVEs you are concerned about that is not mentioned in the advisories, please let us know - so that we can investigate further.

That was very helpful! So, I took the list of OpenSSH 8.0p1 CVEs (in my 1st thread) and search for each one in the tool provided above. Here are the results:

OpenSSH 8.0p1 Advisory	Severity	CVEs	CWEs	PANW Advisory	Impact
Multiple vulnerabilities in OpenSSH	Medium	CVE-2023-6004	CWE-78
		CVE-2023-48795	CWE-326	https://security.paloaltonetworks.com/CVE-2023-48795	Fixed in multiple versions
		CVE-2023-51384, CVE-2023-51385		https://security.paloaltonetworks.com/PAN-SA-2024-0001	Not affected
Remote code execution in OpenSSH ssh-agent	Medium	CVE-2023-38408	CWE-426	https://security.paloaltonetworks.com/PAN-SA-2024-0001	Not affected
Multiple vulnerabilities in OpenSSH	Low	N/A	CWE-119, CWE-415
Amazon Linux AMI update for openssh, Privilege escalation in OpenSSH	Low	CVE-2021-41617	CWE-269	https://security.paloaltonetworks.com/CVE-2021-41617	Not affected
MitM attack in OpenSSH client	Medium	CVE-2020-14145	CWE-327	https://security.paloaltonetworks.com/PAN-SA-2024-0004	Fixed in 10.2.3 and above
Security restrictions bypass in OpenSSH	Low	N/A	CWE-399
Privilege escalation in OpenSSH	Low	CVE-2019-16905	CWE-190	https://security.paloaltonetworks.com/PAN-SA-2024-0001	Not affected

So, everything is fixed in the current OpenSSH version of PAN-OS, except we have no information about 1 CVE and 3 CWEs. If you must have confirmation about the undocumented vulnerabilities, you can email the PANW PSIRT team about those specifically.

Thanks,

Tom