Avamar - Network scanner reports OpenSSH security vulnerability on Avamar proxy
Summary: Avamar - Network scanner reports OpenSSH security vulnerability on Avamar proxy.
Symptoms
A network security scanner has identified the following issues with the Avamar proxy OpenSSH service:
1. CVE-2016-2183 - "SSH Birthday attacks on 64-bit block ciphers (SWEET32)"
2. CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-8858 - "Multiple vulnerabilities in OpenSSH 7.4 which is not installed on the system."
Cause
Based on the information available, it is likely that these findings are false positives.
1. The /etc/ssh/sshd_config on the proxy does NOT have any DES/3DES cipher enabled.
2. The Avamar proxy runs on SUSE Linux Enterprise Server 12 SP5 (or SLES12 SP4 in older proxy versions) and is equipped with OpenSSH version 7.2.
According to the SUSE documentation listed in the "Additional Information" section of this KB, this version is not vulnerable.
Resolution
1. To confirm that the SWEET32 issue is not present, you can attempt to connect to the proxy using a 3DES cipher. This command can be run locally on the proxy or remotely:
ssh -c 3des-cbc 193proxy.example.com
NOTE: Replace "193proxy.example.com" with the proxy hostname, or use localhost if running the command on the proxy.
The connection should fail, and the error message lists the ciphers that the SSHD service offers. Here is an example output:
Unable to negotiate with ::1 port 22: no matching cipher found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
2. To confirm that the OpenSSH package version is higher than 7.2p2-74.45.1, run this command:
rpm -qa | grep '^openssh-[7,f]' |sed 's/\.x86_64$//'
Healthy output:
admin@193proxy:~/>: rpm -qa | grep '^openssh-[7,f]' |sed 's/\.x86_64$//'
openssh-7.2p2-78.7.1
openssh-fips-7.2p2-78.7.1
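Both checks can be scripted so that the evidence for a scanner exception is reproducible. The following is an added example, not part of the original article or of any vendor tooling: it parses the "Their offer:" line for 64-bit block ciphers (going slightly beyond the 3des-cbc test above by also looking for blowfish-cbc and cast128-cbc) and compares the package version against the threshold from step 2. The function names are hypothetical, and GNU `sort -V` is assumed as an approximation of RPM version ordering.

```shell
# Added example; function names are hypothetical, sample inputs are the
# outputs quoted in the article.

# 64-bit block ciphers OpenSSH can offer (the class SWEET32 targets).
WEAK_CIPHERS="3des-cbc blowfish-cbc cast128-cbc"

# Inspect an ssh "no matching cipher found" error line.
# Returns 0 if no 64-bit block cipher is offered, 1 (and prints them) if
# any is, 2 if the line carries no "Their offer:" list.
weak_ciphers_in_offer() {
    case "$1" in
        *"Their offer: "*) offer=${1##*"Their offer: "} ;;
        *) return 2 ;;
    esac
    found=""
    for c in $(printf '%s' "$offer" | tr ',' ' '); do
        case " $WEAK_CIPHERS " in
            *" $c "*) found="$found $c" ;;
        esac
    done
    if [ -n "$found" ]; then
        printf '%s\n' "${found# }"
        return 1
    fi
    return 0
}

# Strip the package name and architecture from an rpm -qa line.
pkg_version() {
    v=${1#openssh-}; v=${v#fips-}
    printf '%s\n' "${v%.x86_64}"
}

# True when version-release $1 is strictly higher than $2.
# Assumption: GNU `sort -V` approximates RPM version ordering here.
version_gt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

OFFER_LINE='Unable to negotiate with ::1 port 22: no matching cipher found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc'
MIN_VERSION='7.2p2-74.45.1'   # threshold stated in step 2

if weak_ciphers_in_offer "$OFFER_LINE"; then echo "no 64-bit block cipher offered"; fi
for pkg in openssh-7.2p2-78.7.1 openssh-fips-7.2p2-78.7.1; do
    version_gt "$(pkg_version "$pkg")" "$MIN_VERSION" && echo "$pkg: higher than $MIN_VERSION"
done
```

On a live proxy, pass the last line of `ssh -c 3des-cbc <host> 2>&1` to `weak_ciphers_in_offer` and each line of the `rpm -qa` output to `pkg_version`.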
Additional Information
SUSE documentation on this problem:
1. Sweet32 - SUSE: CVE-2016-2183
2. Version - SUSE: CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-8858
Affected Products
Avamar
Article Properties
Article Number: 000209421
Article Type: Solution
Last Modified: 17 May 2023
Version: 2