PowerScale: SSH Key Exchange Algorithm is flagged by security vulnerability scanners: diffie-hellman-group1-sha1

Summary: This article describes how to remediate this finding on Isilon. It is not critical, but it can appear in vulnerability scans as a weak cipher.

This article is not tied to any specific product. Not all product versions are identified in this article.

Symptoms

SSHD key exchange algorithms.
OneFS enables the key exchange algorithm diffie-hellman-group-exchange-sha1, which the scanner marks as a vulnerability.

The following description might appear in a vulnerability scan report:

Vulnerability: Deprecated SSH Cryptographic Settings
THREAT: The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another. The target is using deprecated SSH cryptographic settings to communicate.
IMPACT: A man-in-the-middle attacker may be able to exploit this vulnerability to record the communication to decrypt the session key and even the messages.
SOLUTION: Avoid using deprecated cryptographic settings. Use best practices when configuring SSH.

Cause

If an SSH client offers the same weak kex algorithm when connecting to Isilon over SSH, the session could expose sensitive information. In this case the impact on Isilon and the client is low.

We are not vulnerable to or affected by these algorithms.

OneFS 8.1.2 is not vulnerable to or affected by diffie-hellman-group-exchange-sha1:
SHA-1 causes an issue if it is used as the signing algorithm. The signature algorithm used by TLS is SHA-256 with RSA.
In SSH, Diffie-Hellman with SHA-1 is used as a kex algorithm, but kex algorithms are selected by ordered preference: the SHA-2 algorithms are at the top of the list, and the SHA-1 algorithms are listed after them for backward compatibility.
Server and client negotiate, and the first algorithm that matches in the list is selected. So if clients are kept up to date with their kex algorithms, there will be no further issues and no question of Diffie-Hellman with SHA-1 being selected as the kex algorithm.
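The negotiation described above, as an added example that is not part of the Dell article or of OneFS: the selection rule from RFC 4253 section 7.1 (the first method in the client's list that the server also offers), run against constructed client and server lists. It shows why an up-to-date client never lands on the SHA-1 method, and why a legacy client that still prefers it does, unless the server stops offering it.

```python
# Added example (not Dell/OneFS code): SSH key exchange negotiation as
# specified in RFC 4253 section 7.1. The chosen kex method is the first
# entry in the *client's* name-list that the server also offers. All
# name-lists below are constructed samples, not output from any system.

# Kex methods that vulnerability scanners report as deprecated (SHA-1 based).
WEAK_KEX = {
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
}

def negotiate_kex(client_kex, server_kex):
    """Return the kex algorithm both sides will use, or None if no overlap."""
    server_set = set(server_kex)
    for name in client_kex:
        if name in server_set:
            return name
    return None

# Server list modelled on the order the article describes: SHA-2 methods
# first, the SHA-1 method kept at the end for backward compatibility.
SERVER_WITH_SHA1 = [
    "curve25519-sha256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group-exchange-sha1",
]
# Server list after the workaround removes the SHA-1 group-exchange method.
SERVER_HARDENED = [n for n in SERVER_WITH_SHA1 if n not in WEAK_KEX]

# A current client prefers SHA-2 methods.
MODERN_CLIENT = ["curve25519-sha256", "diffie-hellman-group-exchange-sha256"]
# A legacy client that lists the SHA-1 method first.
LEGACY_CLIENT = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha256"]

def outcomes():
    """Negotiation result for each client/server pairing."""
    return {
        "modern_vs_sha1_server": negotiate_kex(MODERN_CLIENT, SERVER_WITH_SHA1),
        "legacy_vs_sha1_server": negotiate_kex(LEGACY_CLIENT, SERVER_WITH_SHA1),
        "legacy_vs_hardened_server": negotiate_kex(LEGACY_CLIENT, SERVER_HARDENED),
    }

if __name__ == "__main__":
    for case, chosen in outcomes().items():
        print(f"{case}: {chosen}")
```

The server's own ordering only matters when the client has no preference between overlapping methods; removing the SHA-1 method from the server list is what guarantees it can never be selected.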

OneFS removed it in the latest versions (8.2.2 and later).

Resolution

If you need to remove it from 8.1.2, or cannot upgrade to OneFS 8.2.2 or later, the following workaround removes the weak kex algorithms:

Check the kex algorithms (on OneFS 8.2.2 this weak kex algorithm has already been removed):
# isi ssh view
# isi ssh view | grep diffie-hellman-group-exchange-sha1

If it is present, modify the SSH configuration to remove it from the allowed kex algorithms:
# isi ssh modify --kex-algorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

Restart the SSHD service:
# isi_for_array 'killall -HUP sshd'
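The check-and-modify steps above, as an added example that is not part of the Dell article or of OneFS: a small audit that reads a saved copy of the `isi ssh view` output, flags deprecated kex methods, and builds the `isi ssh modify --kex-algorithms=` command with those methods dropped while keeping the rest of the list in its existing order. The sample output is constructed; the exact field label and layout of the real `isi ssh view` output are an assumption, so the parser accepts any "key: value" line whose key mentions "kex".

```python
# Added example (not Dell/OneFS code): audit a saved copy of the SSH
# settings shown by `isi ssh view` and build the `isi ssh modify` command
# that drops deprecated key exchange methods. The output layout below is a
# constructed sample; the real command's field label and formatting may
# differ, so the parser matches any "key: value" line whose key mentions "kex".
import re

# Kex methods that vulnerability scanners report as deprecated (SHA-1 based).
WEAK_KEX = {
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
}

# Constructed sample, not real OneFS output.
SAMPLE_ISI_SSH_VIEW = """\
Ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
Kex Algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
MACs: hmac-sha2-256-etm@openssh.com
"""

def parse_kex(view_output):
    """Return the configured kex list from `isi ssh view`-style text, in order."""
    for line in view_output.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(.*)$", line)
        if m and "kex" in m.group(1).lower():
            return [n.strip() for n in m.group(2).split(",") if n.strip()]
    return []

def audit_kex(kex_list):
    """Split the list into (weak entries found, hardened list preserving order)."""
    weak = [n for n in kex_list if n in WEAK_KEX]
    hardened = [n for n in kex_list if n not in WEAK_KEX]
    return weak, hardened

def remediation_command(kex_list):
    """Build the isi command from the article, or None if nothing needs removing."""
    weak, hardened = audit_kex(kex_list)
    if not weak:
        return None
    return "isi ssh modify --kex-algorithms=" + ",".join(hardened)

if __name__ == "__main__":
    kex = parse_kex(SAMPLE_ISI_SSH_VIEW)
    weak, _ = audit_kex(kex)
    print("weak kex methods:", weak or "none")
    print(remediation_command(kex) or "no change needed")
```

Run it against `isi ssh view > ssh-settings.txt` captured from the cluster; if a command is printed, review it, apply it, and then send SSHD the HUP as the article shows so the new list takes effect on every node.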

Affected products

PowerScale OneFS
Article properties
Article number: 000195307
Article type: Solution
Last modified: 07 Sep 2022
Version: 3