CVE-2020-15778
This article relates to the recently announced CVE-2020-15778 vulnerability and the USS Gateway 2.0.50+ Ubuntu based virtual machine.
This vulnerability is primarily a risk from inbound connections as it exists on the client side of the SCP/SSH connection as well as the server. The initiator of the SCP/SSH connection must update their software to patch the vulnerability. Therefore attention should be given to potential inbound connections to the USS Gateway that may be initiated from the network. Options include:
- Disable SCP/SSH on the Gateway device if you do not require it. This means you will have to administer the Gateway device via the system console
systemctl stop sshd (temporarily stop SSH/SCP)
systemctl disable sshd (disable SSH/SCP)
- Limit the number of users that have SCP/SSH capability - ensure best practice by using certificates and key phrases to avoid weak passwords
- Block access to port 22 from untrusted devices
- Take care when initiating outbound SSH connections from the USS Gateway device (should not be required for normal day-to-day activity)