We have Dell PowerConnect 6224 switches that are running the latest firmware; however, our security scans show version 4.3 of OpenSSH being used on those devices. Security shows two vulnerabilities listed below and wants to know if Dell intends to update the version of OpenSSH running on those switches or if Dell's implementation is vulnerable to these CVE findings. Please let me know.

The version of OpenSSH running on the remote host has an information
disclosure vulnerability. A design flaw in the SSH specification
could allow a man-in-the-middle attacker to recover up to 32 bits of
plaintext from an SSH-protected connection in the standard
configuration. An attacker could exploit this to gain access to
sensitive information.

According to its banner, the version of OpenSSH running on the remote
host is earlier than 5.8p2. Such versions may be affected by a local
information disclosure vulnerability that could allow the contents of
the host's private key to be accessible by locally tracing the
execution of the ssh-keysign utility. Having the host's private key
may allow the impersonation of the host.

Note that installations are only vulnerable if ssh-rand-helper was
enabled during the build process, which is not the case for *BSD, OS
X, Cygwin and Linux.
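
The second finding above is raised from the SSH banner alone. As an added example (not part of the original post, and not scanner or Dell code), this Python code parses an SSH identification string, compares the advertised OpenSSH version with the 5.8p2 threshold quoted in the finding, and keeps "banner is below the threshold" separate from "confirmed vulnerable". The function names `openssh_version` and `triage`, the result strings and the sample banners are assumptions made for the example.

```python
import re

# "Earlier than 5.8p2" is the threshold quoted in the second finding above.
FIXED = (5, 8, 0, 2)  # (major, minor, patch, portable release)

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments
IDENT = re.compile(r"^SSH-([^-\s]+)-(\S+)(?: (.*))?$")
OPENSSH = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def openssh_version(banner):
    """Return the OpenSSH version tuple advertised in a banner, or None."""
    ident = IDENT.match(banner.strip())
    if ident is None:
        raise ValueError("not an SSH identification string: %r" % banner)
    match = OPENSSH.match(ident.group(2))
    if match is None:
        return None  # some other SSH implementation
    # Missing patch or portable components compare as 0.
    return tuple(int(part or 0) for part in match.groups())


def triage(banner):
    """Classify what the banner alone can and cannot establish."""
    version = openssh_version(banner)
    if version is None:
        return "not-openssh"
    if version >= FIXED:
        return "banner-at-or-above-5.8p2"
    # The banner cannot show whether ssh-rand-helper was enabled at build
    # time, or whether a local user can trace ssh-keysign, so this result is
    # a question for the vendor rather than a confirmed finding.
    return "banner-below-5.8p2-confirm-build-with-vendor"


# Constructed sample banners (not captured from any device).
SAMPLES = [
    "SSH-2.0-OpenSSH_4.3",
    "SSH-2.0-OpenSSH_5.8p1 Debian-7",
    "SSH-2.0-OpenSSH_5.8p2",
    "SSH-1.99-OpenSSH_6.6.1p1",
    "SSH-2.0-dropbear_2019.78",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage(sample))
```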