Dell Unity: Weak SSH key exchange algorithm is reported by third-party Vulnerability scanning software on Unity code 5.1.X (User Correctable)
Summary: Some third-party vulnerability scanning software might report weak SSH key exchange algorithms on Unity running code 5.1.X, but the reported weak algorithms are disabled on Unity.
Symptoms
Some third-party vulnerability scanning software (for example, Nessus) might report weak SSH key exchange algorithms on Unity arrays running OE 5.1.x:
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group1-sha1
- gss-gex-sha1-*
- gss-group1-sha1-*
- gss-group14-sha1-*
- rsa1024-sha1
How to identify:
- To prove that the reported weak SSH key exchange algorithms are disabled on Unity, the customer can try to ssh to Unity with one of the *-sha1 algorithms specified using the -okexalgorithms switch. The ssh command fails and lists the key exchange algorithms available on Unity.
    [root@centos ~]# ssh service@5.6.7.11 -okexalgorithms=diffie-hellman-group-exchange-sha1
    Unable to negotiate with 5.6.7.11 port 22: no matching key exchange method found. Their offer: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
- Another way to confirm which SSH key exchange algorithms are supported on Unity is to ssh to the Unity with debug mode enabled using the -vvv switch. The debug log lists the SSH key exchange algorithms supported on Unity, as below:
    ssh -vvv 5.6.7.11
    <snip>
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c <<<<< available key exchange algorithms on client
    <snip>
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 <<<<<< available key exchange algorithms on Unity
- If the third-party vulnerability scanning software reports one or several of the supported algorithms above as weak and the customer wants to disable them on Unity, the article "Dell EMC Unity: diffie-hellman-group1-sha1 Key-Exchange Algorithm is flagged by security scanners on Unity (Dell EMC Correctable)" (this is an internal restricted article) can be applied.
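The debug-log check above, as an added example that is not part of the original article: a shell helper that reads `ssh -vvv` output and reports SHA-1 key exchange methods from the peer server proposal only, ignoring the client's own list (which does contain SHA-1 methods). The function names are assumptions of this example, and the sample log is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not Dell code). Function names are hypothetical.

# Constructed sample: the two KEXINIT proposals from the debug output above.
sample_debug() {
    cat <<'EOF'
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
EOF
}

# Print the server's KEX algorithms, one per line, from debug text on stdin.
# Only the "KEX algorithms" line that follows "peer server KEXINIT proposal"
# is read; the client's proposal earlier in the log is skipped.
server_kex() {
    awk '
        /peer server KEXINIT proposal/ { peer = 1; next }
        peer && /KEX algorithms:/ {
            sub(/^.*KEX algorithms: */, "")
            split($0, w, " ")          # w[1] = list; drops trailing notes
            n = split(w[1], a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
            exit
        }'
}

# Print the server-offered methods whose name carries a "-sha1" component.
# This covers every name in the scanner report listed under Symptoms.
weak_kex() {
    server_kex | grep -E -e '-sha1(-|$)' || true
}

# Demo on the constructed sample.
if [ -z "$(sample_debug | weak_kex)" ]; then
    echo "server offers no SHA-1 key exchange methods"
else
    echo "server offers SHA-1 key exchange methods:"
    sample_debug | weak_kex
fi
```

Against a live array, pipe the real debug output in instead of the sample, for example `ssh -vvv 5.6.7.11 2>&1 | weak_kex`, since ssh writes its debug lines to stderr.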
Cause
This is a false positive, as all SHA-1 key exchange algorithms have been disabled/removed since Unity 5.1.0.
Resolution
Customers should engage their third-party vulnerability scanning software vendor to investigate how the software scans the Unity system and to understand why such false positives are raised.
Affected Products
Dell EMC Unity
Article Properties
Article Number: 000199851
Article Type: Solution
Last Modified: 14 May 2026
Version: 9