Symptoms
When implementing the workaround suggested for DSA-2024-021: iDRAC8 and iDRAC9 Security Update for CVE-2023-48795, it fails as follows:
The issue is limited to a few of the 15G VxRail models and does not impact all of them.
Cause
aes128 Ciphers are disabled on some Server models in the Identity Module (IDM).
Resolution
The fix for DSA-2024-021 is in the newer iDRAC Firmware version.
Workaround:
Check the default Ciphers available on the Servers by running the below racadm command:
Racadm>>get idrac.sshcrypto.ciphers
Output-1:
Racadm>>get idrac.sshcrypto.ciphers
[Key=idrac.Embedded.1#SSHCrypto.1]
Ciphers=chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
If the get command returns Output-1, run the below set command, which omits the Cipher "chacha20-poly1305@openssh.com":
Racadm>>set idrac.sshcrypto.ciphers aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
Output-2:
Racadm>>get idrac.sshcrypto.ciphers
[Key=idrac.Embedded.1#SSHCrypto.1]
Ciphers=chacha20-poly1305@openssh.com,aes192-ctr,aes256-ctr,aes256-gcm@openssh.com
If the get command returns Output-2 (no aes128 Ciphers listed), run the below set command, which omits the Cipher "chacha20-poly1305@openssh.com":
racadm>>set idrac.sshcrypto.ciphers aes192-ctr,aes256-ctr,aes256-gcm@openssh.com
[Key=idrac.Embedded.1#SSHCrypto.1]
Object value modified successfully.
NOTE: Run the set command that corresponds to the output returned by the get command on that Server.
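The selection between the two set commands can be derived directly from the get output instead of being chosen by hand. The following is an added example, not Dell code: the function names are hypothetical, the sample outputs are constructed from Output-1 and Output-2 above, and emitting the list without spaces after the commas is an assumption taken from the Output-2 set command.

```python
import re

# Cipher the workaround on this page removes.
REMOVED_CIPHER = "chacha20-poly1305@openssh.com"

# Constructed samples mirroring Output-1 and Output-2 on this page.
OUTPUT_1 = """[Key=idrac.Embedded.1#SSHCrypto.1]
Ciphers=chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
"""
OUTPUT_2 = """[Key=idrac.Embedded.1#SSHCrypto.1]
Ciphers=chacha20-poly1305@openssh.com,aes192-ctr,aes256-ctr,aes256-gcm@openssh.com
"""


def parse_ciphers(get_output):
    """Return the cipher list from 'get idrac.sshcrypto.ciphers' output."""
    match = re.search(r"^\s*Ciphers=(.*)$", get_output, re.MULTILINE)
    if match is None:
        raise ValueError("no Ciphers= line found in racadm output")
    # Tolerate spaces after commas and a stray trailing period from copy/paste.
    return [c.strip().rstrip(".") for c in match.group(1).split(",") if c.strip()]


def build_set_command(get_output):
    """Build a set command from the ciphers this server actually reports.

    Only ciphers already enabled are kept, so aes128 entries are never
    requested on models where they are disabled in the Identity Module.
    Returns None when the removed cipher is already absent.
    """
    current = parse_ciphers(get_output)
    remaining = [c for c in current if c != REMOVED_CIPHER]
    if not remaining:
        raise ValueError("refusing to build an empty cipher list")
    if remaining == current:
        return None  # workaround already applied
    return "set idrac.sshcrypto.ciphers " + ",".join(remaining)


if __name__ == "__main__":
    for label, sample in (("Output-1", OUTPUT_1), ("Output-2", OUTPUT_2)):
        print(label, "->", build_set_command(sample))
```

After applying the generated command, re-run the get command and confirm that "chacha20-poly1305@openssh.com" is no longer listed.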