PowerScale: SSH Key Exchange Algorithm is flagged by security vulnerability scanners: diffie-hellman-group1-sha1
Summary: This article describes how to remediate this vulnerability for Isilon, which is not critical but might appear in vulnerability scans as a weak cipher.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
SSHD Key Exchange Algorithms.
Onefs did enable key exchange algorithms diffie-hellman-group-exchange-sha1, which is marked as a vulnerability by the scanner.
The following description might appear in a vulnerability scan report:
Vulnerability: Deprecated SSH Cryptographic Settings
THREAT: The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another. The target is using deprecated SSH cryptographic settings to communicate.
IMPACT: A man-in-the-middle attacker may be able to exploit this vulnerability to record the communication to decrypt the session key and even the messages.
SOLUTION: Avoid using deprecated cryptographic settings. Use best practices when configuring SSH.
Onefs did enable key exchange algorithms diffie-hellman-group-exchange-sha1, which is marked as a vulnerability by the scanner.
The following description might appear in a vulnerability scan report:
Vulnerability: Deprecated SSH Cryptographic Settings
THREAT: The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another. The target is using deprecated SSH cryptographic settings to communicate.
IMPACT: A man-in-the-middle attacker may be able to exploit this vulnerability to record the communication to decrypt the session key and even the messages.
SOLUTION: Avoid using deprecated cryptographic settings. Use best practices when configuring SSH.
Cause
When the ssh client uses the same weak kex algorithms to connect Isilon via ssh, then the client may expose sensitive info. In this case, this is less impact of Isilon/Client.
We are not vulnerable or affected by these algorithms.
Onefs 8.1.2 is not vulnerable or affected by diffie-hellman-group-exchange-sha1:
SHA1 if used as the signing algorithm causes an issue. The signature algorithm being used by TLS is SHA256 with RSA.
In SSH we use diffie-hellman with sha1 in kex algorithm. But those algorithms are selected in the ordered preference. SHA2 algorithm is present in the top of the list and then SHA1 are listed for backward compatibility.
Server and client negotiate and the one that matches in the list is selected. So if clients are kept updated with kex algorithms, then there will be no further issues and no question of diffie-hellman with SHA1 being selected as kex algorithm.
Onefs removed it in latest version(8.2.2 above)
We are not vulnerable or affected by these algorithms.
Onefs 8.1.2 is not vulnerable or affected by diffie-hellman-group-exchange-sha1:
SHA1 if used as the signing algorithm causes an issue. The signature algorithm being used by TLS is SHA256 with RSA.
In SSH we use diffie-hellman with sha1 in kex algorithm. But those algorithms are selected in the ordered preference. SHA2 algorithm is present in the top of the list and then SHA1 are listed for backward compatibility.
Server and client negotiate and the one that matches in the list is selected. So if clients are kept updated with kex algorithms, then there will be no further issues and no question of diffie-hellman with SHA1 being selected as kex algorithm.
Onefs removed it in latest version(8.2.2 above)
Resolution
If you need to remove it from 8.1.2 or cannot upgrade to OneFS 8.2.2 or later, this is the workaround to remove weak kex algorithms:
Check kex algorithms of Onefs 8.2.2, this weak kex algorithm has been removed:
# isi ssh view
# isi ssh view|grep diffie-hellman-group-exchange-sha1
If present modify the ssh config to remove it from kex algorithms allowed.
# isi ssh modify --kex-algorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
Restart SSHD service:
# isi_for_array 'killall -HUP sshd'
Check kex algorithms of Onefs 8.2.2, this weak kex algorithm has been removed:
# isi ssh view
# isi ssh view|grep diffie-hellman-group-exchange-sha1
If present modify the ssh config to remove it from kex algorithms allowed.
# isi ssh modify --kex-algorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
Restart SSHD service:
# isi_for_array 'killall -HUP sshd'
Affected Products
PowerScale OneFSArticle Properties
Article Number: 000195307
Article Type: Solution
Last Modified: 07 Sept 2022
Version: 3
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.