I noticed that there were two plugins for potential vulnerability detection updated for OpenSSH:
- OpenSSH Multiple Vulnerabilities - QID 38679
- OpenSSH 7.4 Not Installed Multiple Vulnerabilities - QID 38692
Both have the same last changelog entry, 08/05/2019 at 02:00:00 AM (GMT+0200): "Modified detection to fix false positive for various Operating Systems which have confirmed checks."
It says the detection has been modified for systems with confirmed checks; however, when searching through the Qualys knowledge base, I see that all the relevant confirmed checks are detected only through authenticated scans. I currently have a client with remote scans only, and I see around 80% of these vulnerabilities reported as fixed even in cases where the version of OpenSSH detected on the host was below 7.0 (which is the fixed version for the first listed vulnerability). As there is no authentication configured in the option profile or in the license at all, I have doubts about how the false positive detection was "fixed", as without authentication it seems to depend on OS detection, which is very difficult remotely.
I have created a Pivot table including the two mentioned vulnerabilities, detected OS, SSH banner version (QID 38050) and vulnerability status.
Based on the table, it seems that if Ubuntu / vCenter / AIX (surprisingly only for OpenSSH v7.0 and not for OpenSSH v7.4) is detected as the possible operating system, the vulnerability is not reported, even though the SSH version is lower based on the banner and no confirmed check could be done because authentication is not configured.
Is this intentional? In my opinion, this results in more false negatives than possible false positives fixed, or there is a bug within the check dependencies.
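The cross-check described in the post (QID status against detected OS and the QID 38050 banner) can be reproduced from a CSV export. The script below is an added example, not part of the original post and not a Qualys tool; it assumes a constructed export with `host`, `os`, `banner`, `qid` and `status` columns, and takes the fix thresholds the post names (7.0 for QID 38679, 7.4 for QID 38692). It builds the same pivot (status counts per OS and QID) and lists every row marked Fixed although the banner version is below the threshold, which is the pattern the post reports for Ubuntu / vCenter / AIX hosts.

```python
import csv
import io
import re
from collections import defaultdict

# Fix thresholds as stated in the post: QID 38679 is fixed in OpenSSH 7.0,
# QID 38692 in 7.4. This mapping is an assumption for the example, not
# something read from the Qualys knowledge base.
FIXED_VERSION = {
    "38679": (7, 0),
    "38692": (7, 4),
}

# Constructed sample export (not real scan data). One row per host and QID,
# with the detected OS and the QID 38050 banner repeated on each row, which is
# the shape a flattened pivot source would have.
SAMPLE_CSV = """host,os,banner,qid,status
10.0.0.1,Ubuntu Linux 16.04,SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13,38679,Fixed
10.0.0.1,Ubuntu Linux 16.04,SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13,38692,Fixed
10.0.0.2,CentOS 6,SSH-2.0-OpenSSH_5.3,38679,Active
10.0.0.2,CentOS 6,SSH-2.0-OpenSSH_5.3,38692,Active
10.0.0.3,AIX 7.1,SSH-2.0-OpenSSH_6.0,38679,Fixed
10.0.0.3,AIX 7.1,SSH-2.0-OpenSSH_6.0,38692,Active
10.0.0.4,Windows 2012,SSH-2.0-OpenSSH_7.9,38679,Fixed
10.0.0.4,Windows 2012,SSH-2.0-OpenSSH_7.9,38692,Fixed
"""

# Matches "OpenSSH_6.6.1p1", "OpenSSH_7.4p1" and "OpenSSH_for_Windows_7.7";
# only major.minor is kept because the thresholds are major.minor.
BANNER_RE = re.compile(r"OpenSSH\D*?(\d+)\.(\d+)")


def parse_banner_version(banner):
    """Return (major, minor) from an OpenSSH banner, or None if not OpenSSH."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def load_rows(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def pivot(rows):
    """Status counts per (os, qid), mirroring the pivot table in the post."""
    table = defaultdict(lambda: defaultdict(int))
    for r in rows:
        table[(r["os"], r["qid"])][r["status"]] += 1
    return table


def suspicious_fixed(rows):
    """Rows marked Fixed although the banner version is below the fix threshold.

    These are the candidates for false negatives in an unauthenticated scan.
    A banner below the threshold is not proof of vulnerability (distributions
    backport fixes without bumping the version), so they are only flagged.
    """
    out = []
    for r in rows:
        version = parse_banner_version(r["banner"])
        fixed_at = FIXED_VERSION.get(r["qid"])
        if version is None or fixed_at is None:
            continue
        if r["status"].lower() == "fixed" and version < fixed_at:
            out.append(r)
    return out


def fixed_below_threshold_ratio(rows):
    """Share of Fixed rows (for the known QIDs) whose banner is below threshold."""
    fixed = [r for r in rows
             if r["qid"] in FIXED_VERSION and r["status"].lower() == "fixed"]
    if not fixed:
        return 0.0
    return len(suspicious_fixed(fixed)) / len(fixed)


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for (os_name, qid), counts in sorted(pivot(rows).items()):
        print(f"{os_name:20} QID {qid}: {dict(counts)}")
    for r in suspicious_fixed(rows):
        print(f"SUSPICIOUS {r['host']} ({r['os']}) QID {r['qid']} "
              f"banner {r['banner']} marked {r['status']}")
    print(f"fixed-but-below-threshold ratio: {fixed_below_threshold_ratio(rows):.0%}")
```

Run against a real export, the flagged rows are the ones to verify by hand (or with an authenticated scan) before concluding whether the remote check is suppressing findings on OS match; the script deliberately does not call them vulnerable, because a backported Ubuntu or AIX package can carry the fix behind an old banner.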