Dell Unity: Weak SSH key exchange algorithm is reported by third-party Vulnerability scanning software on Unity code 5.1.X (User Correctable)
Summary: Some third-party vulnerability scanning software might report weak SSH key exchange algorithms on Unity running code 5.1.X, but the reported weak algorithms are disabled on Unity.
Symptoms
Some third-party vulnerability scanning software (for example, Nessus) might report the following weak SSH key exchange algorithms on Unity arrays running OE 5.1.x:
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group1-sha1
- gss-gex-sha1-*
- gss-group1-sha1-*
- gss-group14-sha1-*
- rsa1024-sha1
How to identify:
- To prove that the reported weak SSH key exchange algorithms are disabled on Unity, the customer can try to SSH to Unity with one of the *-sha1 algorithms specified using the -okexalgorithms switch. The ssh command fails and reports the key exchange algorithms that Unity offers.
[root@centos ~]# ssh service@5.6.7.11 -okexalgorithms=diffie-hellman-group-exchange-sha1
Unable to negotiate with 5.6.7.11 port 22: no matching key exchange method found. Their offer: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
- Another way to confirm which SSH key exchange algorithms are supported on Unity is to SSH to Unity with debug mode enabled using the -vvv switch. The debug log lists the key exchange algorithms supported on Unity, as shown below:
ssh -vvv 5.6.7.11
<snip>
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c   <<<<< available key exchange algorithms on client
<snip>
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256   <<<<<< available key exchange algorithms on Unity
- If the third-party vulnerability scanning software reports weak SSH key exchange algorithms for one or more of the supported algorithms listed above, and the customer wants to disable them on Unity, the article "Dell EMC Unity: diffie-hellman-group1-sha1 Key-Exchange Algorithm is flagged by security scanners on Unity (Dell EMC Correctable)" (an internal, restricted article) can be applied.
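The two checks above (the failed negotiation that prints "Their offer:", and the server's KEXINIT proposal in -vvv output) are easy to script so that the verification can be repeated after every scan. The script below is an added example and is not from the Dell article or Dell's own tooling. It assumes the OpenSSH client's message format shown above; the sample output strings are constructed to match the article's output, and 5.6.7.11 is the article's example address. Only probe_host talks to a real host; the parsing functions run entirely offline.

```shell
#!/bin/sh
# Added example (not part of the Dell article): confirm that a Unity array
# (or any SSH server) does not offer SHA-1 based key exchange methods.

# Constructed sample: the message OpenSSH prints when the client only
# proposes a SHA-1 KEX method and the server has none of them enabled.
SAMPLE_OFFER='Unable to negotiate with 5.6.7.11 port 22: no matching key exchange method found. Their offer: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'

# Constructed sample: abbreviated "ssh -vvv" debug output. The client still
# proposes SHA-1 methods; the server's proposal does not.
SAMPLE_DEBUG='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256'

# extract_offer MESSAGE
# Print the comma-separated KEX list that follows "Their offer:" in an
# "Unable to negotiate" message. Prints nothing if the message has no offer.
extract_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: //p'
}

# server_kex_from_debug DEBUG_TEXT
# Print the server's KEX list from "ssh -vvv" output: the "KEX algorithms:"
# line that follows "peer server KEXINIT proposal" (the client's own
# proposal appears first and is skipped).
server_kex_from_debug() {
    printf '%s\n' "$1" | awk '
        /peer server KEXINIT proposal/ { in_server = 1; next }
        in_server && /KEX algorithms:/ { sub(/.*KEX algorithms: */, ""); print; exit }
    '
}

# weak_kex KEX_LIST
# Print, one per line, every method in a comma-separated KEX list whose name
# contains "sha1" (diffie-hellman-group1-sha1, gss-gex-sha1-*, ...).
# Prints nothing, and still succeeds, when the list is clean.
weak_kex() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -i 'sha1' || true
}

# probe_host USER@HOST
# Live check (needs network access; not run by the offline checks above).
# Propose only the SHA-1 methods the scanners flag. Against a server that
# has removed them, negotiation fails and the server's real offer is
# printed; an empty result means negotiation did not fail, which is the
# case that deserves a closer look.
probe_host() {
    ssh -oBatchMode=yes -oConnectTimeout=5 \
        -oKexAlgorithms=diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1 \
        "$1" true 2>&1 | sed -n 's/.*Their offer: //p'
}

# Stand-alone run: evaluate the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    offer=$(extract_offer "$SAMPLE_OFFER")
    printf 'Offer from failed negotiation: %s\n' "$offer"
    printf 'SHA-1 methods in offer: %s\n' "$(weak_kex "$offer" | tr '\n' ' ')"
    srv=$(server_kex_from_debug "$SAMPLE_DEBUG")
    printf 'Server proposal from -vvv: %s\n' "$srv"
    printf 'SHA-1 methods in server proposal: %s\n' "$(weak_kex "$srv" | tr '\n' ' ')"
fi
```

Run it as `sh check_kex.sh --demo` for the offline samples, or feed `weak_kex "$(probe_host service@5.6.7.11)"` to test a real array. Either way an empty result from weak_kex means the server offered no SHA-1 key exchange method, which is the evidence to hand back to the scanner vendor.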
Cause
This is a false positive: all SHA-1 key exchange algorithms have been disabled or removed since Unity 5.1.0.
Resolution
Customers should engage their third-party vulnerability scanning software vendor to investigate how the software scans the Unity system and why such false positives are raised.
Affected Products
Dell EMC Unity
Article Properties
Article Number: 000199851
Article Type: Solution
Last Modified: 16 Jun 2023
Version: 8