PowerScale: SSH Key Exchange Algorithm is flagged by security vulnerability scanners: diffie-hellman-group1-sha1

Summary: This article describes how to remediate this vulnerability for Isilon. It is not critical but might appear in vulnerability scans as a weak cipher.


Symptoms

SSHD Key Exchange Algorithms.
OneFS enabled the key exchange algorithm diffie-hellman-group-exchange-sha1, which the scanner marks as a vulnerability.

The following description might appear in a vulnerability scan report:

Vulnerability: Deprecated SSH Cryptographic Settings
THREAT: The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another. The target is using deprecated SSH cryptographic settings to communicate.
IMPACT: A man-in-the-middle attacker may be able to exploit this vulnerability to record the communication to decrypt the session key and even the messages.
SOLUTION: Avoid using deprecated cryptographic settings. Use best practices when configuring SSH.

Cause

When an SSH client uses the same weak kex algorithms to connect to Isilon over SSH, the client may expose sensitive information. In this case, the impact on Isilon and the client is lower.

We are not vulnerable to or affected by these algorithms.

OneFS 8.1.2 is not vulnerable to or affected by diffie-hellman-group-exchange-sha1:
SHA1 causes an issue if it is used as the signing algorithm. The signature algorithm used by TLS is SHA256 with RSA.
In SSH, we use diffie-hellman with sha1 as a kex algorithm, but the algorithms are selected in order of preference. The SHA2 algorithms are at the top of the list, and the SHA1 algorithms are listed after them for backward compatibility.
The server and client negotiate, and the algorithm that matches in the list is selected. If clients are kept updated with current kex algorithms, there are no further issues, and diffie-hellman with SHA1 is not selected as the kex algorithm.

OneFS removed it in the latest versions (8.2.2 and later).

Resolution

If you need to remove it from 8.1.2 or cannot upgrade to OneFS 8.2.2 or later, this is the workaround to remove weak kex algorithms:

Check the kex algorithms. In OneFS 8.2.2, this weak kex algorithm has been removed:
# isi ssh view
# isi ssh view|grep diffie-hellman-group-exchange-sha1

If it is present, modify the SSH configuration to remove it from the allowed kex algorithms:
# isi ssh modify --kex-algorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

Restart SSHD service:
# isi_for_array 'killall -HUP sshd'
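
The negotiation described under Cause, as an added example (not Dell's code): under RFC 4253 section 7.1 the first algorithm in the client's list that the server also offers is chosen, so a client that offers only SHA-1 kex still negotiates it until the server list drops the entry. The "before" server list and both client lists are constructed assumptions; the remediated list is the one from the isi ssh modify command above.

```shell
#!/bin/sh
# Added example: SSH kex selection per RFC 4253 section 7.1.
# Simplified: the host-key compatibility requirement is ignored.

# Kex list taken from the "isi ssh modify" command in this article.
REMEDIATED="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"
# Constructed "before" list (assumption): SHA-1 entry appended last.
BEFORE="$REMEDIATED,diffie-hellman-group-exchange-sha1"
# Constructed client offers (assumptions): an updated and a legacy client.
MODERN="curve25519-sha256,diffie-hellman-group-exchange-sha1"
LEGACY="diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"

# negotiate_kex CLIENT_LIST SERVER_LIST
# Prints the first client algorithm the server also offers; returns 1 if none.
negotiate_kex() {
    _old_ifs=$IFS
    IFS=,
    for _c in $1; do
        for _s in $2; do
            if [ "$_c" = "$_s" ]; then
                IFS=$_old_ifs
                printf '%s\n' "$_c"
                return 0
            fi
        done
    done
    IFS=$_old_ifs
    return 1
}

# weak_kex LIST
# Prints the SHA-1 based entries of a kex list; returns 1 if there are none.
weak_kex() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -- '-sha1$'
}

# Compare both server lists against both clients.
for server in "$BEFORE" "$REMEDIATED"; do
    echo "SHA-1 kex offered: $(weak_kex "$server" || echo none)"
    echo "  updated client -> $(negotiate_kex "$MODERN" "$server" || echo 'no match')"
    echo "  legacy client  -> $(negotiate_kex "$LEGACY" "$server" || echo 'no match')"
done
```

A "no match" result for the legacy client against the remediated list means that client can no longer connect until its own kex algorithms are updated.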

Affected Products

PowerScale OneFS
Article Properties
Article Number: 000195307
Article Type: Solution
Last Modified: 07 Sep 2022
Version: 3