OpenSSH < 9

Tenable plugin 187201 rolls up three different OpenSSH issues fixed in 9.6 and labels every pre-9.6 build as vulnerable. The bundle is: CVE-2023-48795 (*Terrapin*), a man-in-the-middle downgrade of early SSH transport integrity; CVE-2023-51384, an ssh-agent destination-constraint bug that only matters when adding PKCS#11-hosted keys and a token returns multiple keys; and CVE-2023-51385, a client-side command injection edge case when ssh(1) expands attacker-controlled %h / %u tokens inside ProxyCommand, LocalCommand, or Match exec. Upstream fixed all three in OpenSSH 9.6 released on 2023-12-18.

paragraph 2: The vendor's MEDIUM label is still a little generous for enterprise patch triage because the reachable attack paths are heavily constrained. The only remotely reachable issue against an SSH service is Terrapin, and OpenSSH's own release notes say its impact is *very limited* and, for OpenSSH itself, mainly strips a subset of keystroke-timing obfuscation. The more impactful bug in this bundle, CVE-2023-51385, is not a server-side port-22 smash at all; it is a client-side, user- or automation-driven chain that depends on risky ssh_config patterns and attacker-controlled host/user strings.

Why this verdict

• Baseline starts at MEDIUM 6.5 because Tenable keyed the bundle off CVE-2023-51385's network-looking vector, but that baseline overstates what a port-22 finding means in practice.
• Downward adjustment: worst-impact bug is client-side. CVE-2023-51385 needs the victim to run ssh(1) with attacker-controlled host/user data and a risky ssh_config pattern using %h / %u inside ProxyCommand, LocalCommand, or Match exec. That excludes the majority of plain SSH server deployments.
• Downward adjustment: remotely reachable path is MITM-only. CVE-2023-48795 is not Internet-to-daemon RCE; it requires on-path position, which usually implies the attacker already owns a network choke point, local segment, proxy, VPN edge, or other upstream foothold.
• Downward adjustment: Terrapin's OpenSSH blast radius is small. OpenSSH upstream states the most serious identified impact is disabling a subset of keystroke timing obfuscation and says there is no other discernable impact to session secrecy or session integrity.
• Downward adjustment: CVE-2023-51384 is niche by design. It requires ssh-agent, PKCS#11-hosted keys, destination constraints, and multiple keys returned by one token. That is a narrow admin or high-assurance workstation corner case, not a fleet-wide server emergency.
• Downward adjustment: scanner population is inflated by backports. Enterprise Linux distros patch these flaws in older package builds, so remote version checks can turn patched hosts into patch-chase noise.

Why not higher?

There is no evidence here of an unauthenticated OpenSSH server RCE, auth bypass, or mass-exploited wormable path. The server-side issue needs MITM position, and the client-side issue needs a chain of user workflow plus unsafe local config plus attacker-controlled destination strings.

Why not lower?

I am not dropping this to IGNORE because OpenSSH is ubiquitous and the client-side command injection bug can matter on developer workstations, admin jump boxes, and CI runners. Public Terrapin research tooling also means defenders should not dismiss the bundle entirely; it is just not urgent at enterprise scale.

1. Audit risky SSH client directives — Review ProxyCommand, LocalCommand, and Match exec usage in enterprise ssh_config baselines and automation images, especially where %h or %u are expanded into shell commands. For a LOW verdict there is no SLA (treat as backlog hygiene), but this is the highest-value compensating control because it collapses the practical CVE-2023-51385 path even before patching.
2. Prefer backport-aware validation — Do not mass-open tickets solely because a scanner saw OpenSSH_8.x or 9.3p1. Verify distro advisories and package changelogs first, because Ubuntu and other vendors backported fixes below 9.6. For a LOW verdict there is no SLA (treat as backlog hygiene); use this to cut false positives before scheduling work.
3. Constrain untrusted Git and CI inputs — On build agents and admin workstations, reduce workflows that recursively pull untrusted submodules or external SSH destinations without review. This directly reduces the attacker-controlled input required for CVE-2023-51385. For a LOW verdict there is no SLA (treat as backlog hygiene).
4. Harden network trust boundaries — For Terrapin, the attacker must already be on path, so focus on VPN integrity, trusted bastions, NAC, and avoiding hostile intermediary networks for administrative SSH. This does not replace patching, but it attacks the key prerequisite. For a LOW verdict there is no SLA (treat as backlog hygiene).

Run this on the target Linux host as a local check; no network access is required. Invoke it with bash check_openssh_187201.sh as root or an unprivileged user with read access to package metadata. It inspects the local OpenSSH version and, where possible, distro changelogs to distinguish upstream vulnerable from backport patched packages.

#!/usr/bin/env bash
# check_openssh_187201.sh
# Detect likely exposure to Tenable plugin 187201 (OpenSSH < 9.6 multiple vulnerabilities)
# Outputs exactly one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

cves='CVE-2023-48795|CVE-2023-51384|CVE-2023-51385'

have_cmd() { command -v "$1" >/dev/null 2>&1; }

extract_openssh_ver() {
  local out ver
  if have_cmd ssh; then
    out=$(ssh -V 2>&1 || true)
    ver=$(printf '%s' "$out" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p' | head -n1)
    if [ -n "$ver" ]; then
      printf '%s\n' "$ver"
      return 0
    fi
  fi
  if have_cmd sshd; then
    out=$(sshd -V 2>&1 || true)
    ver=$(printf '%s' "$out" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p' | head -n1)
    if [ -n "$ver" ]; then
      printf '%s\n' "$ver"
      return 0
    fi
  fi
  return 1
}

normalize_ver() {
  # Converts 9.6p1 -> 9.6.1 for sort -V comparisons
  printf '%s' "$1" | sed 's/p/./g'
}

upstream_patched() {
  local found norm
  found=$(extract_openssh_ver || true)
  [ -z "$found" ] && return 1
  norm=$(normalize_ver "$found")
  if [ "$(printf '%s\n%s\n' "9.6" "$norm" | sort -V | tail -n1)" = "$norm" ]; then
    return 0
  fi
  return 1
}

deb_backport_patched() {
  local files f
  files="/usr/share/doc/openssh-client/changelog.Debian.gz /usr/share/doc/openssh-server/changelog.Debian.gz /usr/share/doc/openssh/changelog.Debian.gz"
  for f in $files; do
    if [ -r "$f" ] && zgrep -Eiq "$cves" "$f"; then
      return 0
    fi
  done
  return 1
}

rpm_backport_patched() {
  local pkgs pkg
  pkgs="openssh openssh-server openssh-clients"
  if ! have_cmd rpm; then
    return 1
  fi
  for pkg in $pkgs; do
    if rpm -q "$pkg" >/dev/null 2>&1; then
      if rpm -q --changelog "$pkg" 2>/dev/null | grep -Eiq "$cves"; then
        return 0
      fi
    fi
  done
  return 1
}

# Decision tree
if upstream_patched; then
  echo PATCHED
  exit 0
fi

# Backported distro packages may still show an upstream version lower than 9.6.
if deb_backport_patched || rpm_backport_patched; then
  echo PATCHED
  exit 0
fi

# If we can see an upstream-style version < 9.6 and no package metadata suggests a backport,
# call it vulnerable for locally built / portable installs.
ver=$(extract_openssh_ver || true)
if [ -n "$ver" ]; then
  if [ -d /etc/apt ] || have_cmd dpkg || have_cmd rpm; then
    echo UNKNOWN
    exit 2
  else
    echo VULNERABLE
    exit 1
  fi
fi

echo UNKNOWN
exit 2

Sources

1. Tenable Nessus Plugin 187201 changelog
2. OpenSSH 9.6 release notes
3. USENIX paper: Terrapin Attack
4. NVD: CVE-2023-48795
5. NVD: CVE-2023-51384
6. NVD: CVE-2023-51385
7. Ubuntu advisory: CVE-2023-48795
8. CISA Known Exploited Vulnerabilities Catalog