Dell Unity: Weak SSH key exchange algorithm is reported by third-party Vulnerability scanning software on Unity code 5.1.X (User Correctable)
Summary: Some third-party Vulnerability scanning software might report weak SSH key exchange algorithm on Unity running code 5.1.X but the reported weak algorithms are disabled on Unity.
Αυτό το άρθρο ισχύει για
Αυτό το άρθρο δεν ισχύει για
Αυτό το άρθρο δεν συνδέεται με κάποιο συγκεκριμένο προϊόν.
Δεν προσδιορίζονται όλες οι εκδόσεις προϊόντων σε αυτό το άρθρο.
Symptoms
Some third-party Vulnerability scanning software (for example Nessus) might report weak SSH key exchange algorithms on Unity arrays running OE 5.1.x.:
How to identify:
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group1-sha1
- gss-gex-sha1-*
- gss-group1-sha1-*
- gss-group14-sha1-*
- rsa1024-sha1
How to identify:
- To prove the reported weak SSH key exchange algorithms is disabled on Unity, customer can try to ssh to Unity with the *-sha1 algorithms specified using -okexalgorithms switch. The ssh command will fail and inform user the available key-exchanged algorithms on Unity.
[root@centos ~]# ssh service@5.6.7.11 -okexalgorithms=diffie-hellman-group-exchange-sha1 Unable to negotiate with 5.6.7.11 port 22: no matching key exchange method found. Their offer: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
- Another method to confirm what SSH key exchange algorithms is supported on Unity is that client can ssh to the Unity with debug mode enabled using -vvv switch. From the debug log, the supported SSH key-exchanged algorithms on Unity will be listed as below:
ssh -vvv 5.6.7.11 <snip> debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c <<<<< available key exchange algorithms on client <snip> debug2: peer server KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 <<<<<< available key exchange algorithms on Unity
- If the third-party Vulnerability scanning software is reporting weak SSH key exchange algorithms for one or several of above supported algorithms and customer want to disable it/them on Unity, Article Dell EMC Unity: diffie-hellman-group1-sha1 Key-Exchange Algorithm is flagged by security scanners on Unity (Dell EMC Correctable (this is an internal restricted article) can be applied.
Cause
This is a false positive as all sha1 Key exchange algorithms have been disabled/removed since Unity 5.1.0.
Resolution
Customers should engage their third-party Vulnerability scanning software vendor to further investigate how does their software scan the Unity system to understand why such false positives are raised.
Επηρεαζόμενα προϊόντα
Dell EMC UnityΙδιότητες άρθρου
Article Number: 000199851
Article Type: Solution
Τελευταία τροποποίηση: 14 Μαΐ 2026
Version: 9
Βρείτε απαντήσεις στις ερωτήσεις σας από άλλους χρήστες της Dell
Υπηρεσίες υποστήριξης
Ελέγξτε αν η συσκευή σας καλύπτεται από τις Υπηρεσίες υποστήριξης.