Loading...
Loading...
No SHA1 ciphers are present in seccryptocfg output, but the security scan still marks this vulnerability. /fabos/link_abin/seccryptocfg --show: SSH Crypto: SSH Cipher : aes128-ctr,aes192-ctr,aes256-ctr SSH Kex : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 SSH MAC : hmac-sha2-256,hmac-sha2-512 TLS Ciphers: HTTPS : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM HTTPS_TLS_v1.3 : TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 RADIUS : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM LDAP : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM SYSLOG : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM TLS Protocol: HTTPS : Any RADIUS : Any LDAP : Any SYSLOG : Any --- Truncated ---
In FOS versions prior to FOS 9.2.2, RSA SSH hostkey/pubkey use a hashing algorithm (SHA1) which is no longer considered adequately strong and commonly reported as a potential vulnerability by scanning tools (such as Qualys). While users can generate and use ECDSA SSH hostkey/pubkey instead of RSA. FOS v9.2.2 is enhanced to allow the admin to configure SSH HostkeyAlgorithms and PubkeyAlgorithms for SSH connections to and from FOS and allow stronger RSA hostkey/pubkey using the command seccryptocfg .
Upgrade the switch to FOS 9.2.2. The cryptographic templates in FOS v9.2.2 are updated with HostKeyAlgorithms and PubKeyAlgorithms key entries under SSH. Example for platforms shipping with FOS v9.2.2 from factory: seccryptocfg --show SSH Crypto: SSH Cipher : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192- cbc,aes256-cbc SSH Kex : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffiehellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14- sha1 SSH MAC : hmac-sha2-256,hmac-sha2-512 SSH HostkeyAlg :rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521 SSH PubkeyAlg :rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521 TLS Ciphers: ------Truncated--------- So, the new attributes HostkeyAlg and PubkeyAlg are available with the command seccryptocfg --apply to configure platforms upgraded to FOS v9.2.2. Note: When configuring the SSH HostkeyAlgorithms and PubkeyAlgorithms using seccryptocfg --apply , the SSH service (in FOS) is restarted to load the new configuration and all the existing SSH sessions on the current CP as well as on the standby CP (in chassis) are terminated. Example: seccryptocfg --apply -group SSH -attr HostkeyAlg -value ‘rsa-sha2-512,rsa-sha2-256,ecdsasha2-nistp521’ seccryptocfg --apply -group SSH -attr PubkeyAlg -value ‘rsa-sha2-512,rsa-sha2-256,ecdsasha2-nistp521’
Click on a version to see all relevant bugs
Dell Integration
Learn more about where this data comes from
BugZero Plan
Streamline upgrades with automated vendor bug scrubs
BugZero Prevent
Wish you caught this bug sooner? Get proactive today.