SUMMARY
False positive
CVE ID
CVE-2016-7406 CVE-2016-7407 CVE-2016-7408 CVE-2016-7409
DESCRIPTION
Format string vulnerability in Dropbear SSH before 2016.74 allows remote attackers to execute arbitrary code via format string specifiers in the (1) username or (2) host argument.
Unitrends assessment: OS software is Not Exposed
The Dropbear SSH server is not the same as the openssh-server package. Our CentOS installations use the openssh-server package instead.
However, a Unitrends system with SuperMicro X10DRH-CT firmware 3.26 does include a Dropbear SSH instance, used for a firmware management CLI, when the IPMI LAN port is configured and enabled.
RESOLUTION
Unitrends servers: OS software is Not Exposed. Dropbear SSH is not installed, so this is a false positive if it appears in a scan of the OS IP address.
The flaw was fixed in a dropbear-2016.74 package from the Fedora EPEL repository.
If the scan shows this on the IPMI LAN IP address, below is the resolution for the SuperMicro firmware.
For the SuperMicro firmware instance, run 'ipmiutil health' to check if the system has firmware 3.26:
[root@Recovery926S ~]# ipmiutil health
ipmiutil ver 3.01
ihealth ver 3.01
BMC manufacturer = 002a7c (SuperMicro), product = 0859 (X10DRH)
BMC version = 3.26, IPMI v2.0
If so, upgrading the SuperMicro firmware to X10DRH firmware version 3.65 via the IPMI LAN web interface will resolve this.
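The firmware check above can be scripted when several appliances need to be triaged. The following is an added example, not Unitrends or SuperMicro code; the function names classify_bmc and sample_health are hypothetical, and the sample input is modelled on the ipmiutil output quoted in this article.

```shell
#!/bin/sh
# Added example. Reads `ipmiutil health` output on stdin and prints one of:
#   upgrade-needed  SuperMicro X10DRH BMC at firmware 3.26
#   fixed           SuperMicro X10DRH BMC at firmware 3.65 or later
#   review          SuperMicro X10DRH BMC at some other version
#   not-applicable  different BMC, or no version line found
# Assumption: versions are major.minor, with minor compared as an integer.
classify_bmc() {
    awk '
    /BMC manufacturer/ {
        if ($0 ~ /SuperMicro/) smc = 1
        if ($0 ~ /X10DRH/) board = 1
    }
    /BMC version/ {
        v = $0
        sub(/.*BMC version[ \t]*=[ \t]*/, "", v)   # drop the label
        sub(/[^0-9.].*/, "", v)                     # drop ", IPMI v2.0"
        ver = v
    }
    END {
        if (!smc || !board || ver == "") { print "not-applicable"; exit }
        split(ver, p, ".")
        n = p[1] * 1000 + p[2]
        if (ver == "3.26")   print "upgrade-needed"
        else if (n >= 3065)  print "fixed"
        else                 print "review"
    }'
}

# Sample input modelled on the output quoted in the article; $1 sets the version.
sample_health() {
    printf '%s\n' \
        'ipmiutil ver 3.01' \
        'ihealth ver 3.01' \
        'BMC manufacturer = 002a7c (SuperMicro), product = 0859 (X10DRH)' \
        "BMC version = $1, IPMI v2.0"
}

# Demonstration on the sample input (no ipmiutil needed).
for v in 3.26 3.65; do
    printf '%s: %s\n' "$v" "$(sample_health "$v" | classify_bmc)"
done
```

On an appliance, pipe the live output in: ipmiutil health | classify_bmc. A "review" result means the version is neither of the two this article names, so check it against the SuperMicro release notes.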