topic Re: Vulnerabilities detected by VA scan in Spark Firewall (SMB)

Vulnerabilities detected by VA scan

BigHec — Wed, 03 Jan 2024 10:24:03 GMT

Hi All,

Recently we did a VA scan on one of our SMB device and there is one vulnerabilities listed below:

"Diffie-Hellman Ephemeral Key Exchange DoS Vulnerability (SSH, D(HE)ater) (CVSS: 7.5)"

I did not found any related fix on the SK but I went on some research, it seems like need to disable the Diffie-Hellman Key exchange method in the file name "sshd_config".

For normal appliance the path for "sshd_config" file will be /etc/ssh/sshd_config

But for SMB, screenshot below is what I got when trying to find the file:

It seems like the "ssh" has a symbolic link to "/var/ssh/" but the "ssh" folder is not in the "/var".

Does anyone has any idea on this?

Appreciate for the help!

Re: Vulnerabilities detected by VA scan

Martin_Valenta — Wed, 03 Jan 2024 10:26:36 GMT

check this

Expert# cpwd_admin list
APP PID STAT #START START_TIME MON COMMAND
SSHD 3554 E 1 [13:26:19] 3/12/2023 N /pfrm2.0/bin/sshd -f /pfrm2.0/etc/sshd_config

Re: Vulnerabilities detected by VA scan

BigHec — Wed, 03 Jan 2024 13:44:51 GMT

Hi Martin,

This is all I'm able to see when running cpwd_admin list command

Re: Vulnerabilities detected by VA scan

PhoneBoy — Wed, 03 Jan 2024 15:13:39 GMT

Only in the most recent SMB firmware releases (R81.10.xx) is OpenSSH used.
In other releases, Dropbear is used as the SSH daemon, which means the procedure for remediating this would be different (assuming it's even possible to do so).
In our official SK, SMB appliances aren't mentioned at all: https://support.checkpoint.com/results/sk/sk181833
In any case, please open a TAC case: https://help.checkpoint.com

@Amir_Ayalon

Re: Vulnerabilities detected by VA scan

BigHec — Thu, 04 Jan 2024 01:26:42 GMT

Hi @PhoneBoy,

We did checked the SMB firmware is installed with version R81.10.00.

I think I will proceed to open a TAC case for this

Thank you

Re: Vulnerabilities detected by VA scan

BigHec — Tue, 09 Jan 2024 07:54:34 GMT

Hi All,

Do anyone knows how to restart the SSHD service in a SMB device? Because I did some changes on the sshd file and I wanted to restart the service and try will the file take effect or not

Thanks alot!

Re: Vulnerabilities detected by VA scan

G_W_Albrecht — Tue, 09 Jan 2024 15:42:09 GMT

There is a supported way to configure this for SMB since 81.10.05:

[Expert@fifteenfifty]# clish

fifteenfifty> show ssh-
ssh-cipher - OpenSSH Cipher encryption
ssh-kex - OpenSSH KEX encryption
ssh-mac - OpenSSH MAC encryption
fifteenfifty> show ssh-cipher 
aes128-ctr
aes192-ctr
aes256-ctr
fifteenfifty> show ssh-mac 
hmac-sha1
hmac-sha2-256
hmac-sha2-512
fifteenfifty> show ssh-kex 
curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha256

delete ssh-<encryption-category> algorithm <algorithm>

Example:

delete ssh-cipher algorithm aes128-cbc

https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/delete-ssh-encryption-category-algorithm.htm?tocpath=Working%20with%20OpenSSH%20Encryption%20Algorithms%7C_____2

In lower firmware version there is no possibility to exclude a cipher, MAC or KEX as it uses dropbear created for embedded devices...

Re: Vulnerabilities detected by VA scan

BigHec — Wed, 10 Jan 2024 03:30:57 GMT

Hi @G_W_Albrecht,

This is what I'm looking for. Thank you so much on this.

And I have another thing is that the vulnerability tools also scanned vulnerability related to the CVE-2023-48795 on port 22, which is the "chacha20-poly1305" cipher.

Is the cipher need to disable by using the "cipher_util"? Because I can't seems to find it when using the "show ssh-cipher" command when list out all the ciphers for the SMB device.

Found the sk181833 but I think it is for Enterprise appliances and it did not officially mention it is applicable for SMB device.

Any idea on this?

Appreciate for the help.