umar7
Contributor

SSH weak cipher and TLS 1.0, TLS 1.1

Hi team,

The management server is still responding on weak ciphers and deprecated TLS versions 1.0 and 1.1.

 

Scan findings (one record per plugin):

Plugin:        157288
Plugin Name:   TLS Version 1.1 Protocol Deprecated
Family:        Service detection
Severity:      Medium
Protocol:      TCP
Port:          443
Exploit?:      No
Repository:    Individual Scan
Plugin Output: TLSv1.1 is enabled and the server supports at least one cipher.
Synopsis:      The remote service encrypts traffic using an older version of TLS.

Plugin:        153953
Plugin Name:   SSH Weak Key Exchange Algorithms Enabled
Family:        Misc.
Severity:      Low
Protocol:      TCP
Port:          22
Exploit?:      No
Repository:    Individual Scan
Plugin Output: The following weak key exchange algorithms are enabled :
                 diffie-hellman-group1-sha1
Synopsis:      The remote SSH server is configured to allow weak key exchange algorithms.

Plugin:        104743
Plugin Name:   TLS Version 1.0 Protocol Detection
Family:        Service detection
Severity:      Medium
Protocol:      TCP
Port:          443
Exploit?:      No
Repository:    Individual Scan
Plugin Output: TLSv1 is enabled and the server supports at least one cipher.
Synopsis:      The remote service encrypts traffic using an older version of TLS.

 

 

As suggested, we updated the ssl.conf file content as mentioned in the SK article sk147272:

 

jeyakumar_0-1671162851969.png

 

 

 

sshd config file content changed as per sk106031:

jeyakumar_1-1671162851971.png

Can I get how to remediate this?

The modification was done on the SMS and the SG also, and still it shows like this.

May I know if I did anything wrong? What is the next plan of action?

 

0 Kudos
16 Replies
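Before re-scanning, it is worth checking from a separate host what the management server actually negotiates, because the scanner reports on the running daemons and not on the edited files. The script below is an added example, not part of the original post, of the SK articles or of Check Point's tooling. It assumes only an openssl and OpenSSH client on the probing host, the ports from the scan records above (443 for the web UI, 22 for sshd), and a placeholder SSH user name `probe` that only has to get as far as key exchange.

```shell
#!/bin/sh
# Added example (not Check Point code): probe what the management server
# actually negotiates, independent of what ssl.conf / sshd_config say on disk.
# Assumes an openssl and OpenSSH client on the probing host.

# Returns 0 if captured `openssl s_client` output shows a completed handshake.
# Caveat: s_client prints an SSL-Session block with a "Protocol :" line even
# when the handshake failed, so the reliable signal is the
# "New, TLSv..., Cipher is <name>" line; on failure it reads
# "New, (NONE), Cipher is (NONE)".
tls_handshake_ok() {
    printf '%s\n' "$1" | grep -Eq '^New, TLSv[^,]*, Cipher is [^(]'
}

# Returns 0 if captured `ssh -vv` output shows the server agreed to KEX $1.
# OpenSSH logs the agreed method as "debug1: kex: algorithm: <name>".
kex_negotiated() {
    printf '%s\n' "$2" | grep -Fq "kex: algorithm: $1"
}

# Live probe: one handshake attempt per legacy protocol version.
# $1 host, $2 port. If openssl itself refuses with "no protocols available",
# the *client* is too strict: add -cipher 'DEFAULT:@SECLEVEL=0'.
probe_tls() {
    for flag in tls1 tls1_1; do
        out=$(openssl s_client -connect "$1:$2" "-$flag" </dev/null 2>&1) || true
        if tls_handshake_ok "$out"; then
            echo "FAIL $1:$2 still accepts -$flag"
        else
            echo "ok   $1:$2 rejects -$flag"
        fi
    done
}

# Live probe: offer only the weak KEX. If sshd still completes the exchange,
# the change has not reached the running daemon (edit not applied, service
# not restarted, or the directive overridden later in the file).
# If the client reports "no matching host key type found", add
# -o HostKeyAlgorithms=+ssh-rsa so the probe gets as far as the KEX line.
probe_ssh_kex() {
    kex=diffie-hellman-group1-sha1
    out=$(ssh -vv -o BatchMode=yes -o StrictHostKeyChecking=no \
              -o KexAlgorithms="$kex" -o ConnectTimeout=5 \
              -p "$2" "probe@$1" exit 2>&1) || true
    if kex_negotiated "$kex" "$out"; then
        echo "FAIL $1:$2 still negotiates $kex"
    else
        echo "ok   $1:$2 rejects $kex"
    fi
}

# Usage: sh probe_legacy.sh <management-host>
if [ -n "$1" ]; then
    probe_tls "$1" 443
    probe_ssh_kex "$1" 22
fi
```

Run it against the SMS after the service restart; a "FAIL" line for a version or KEX that the config files no longer list means the running process is not using the edited configuration, which is exactly the case a reboot (or a full restart of the right daemon) settles.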
Chris_Atkinson
Employee

Which version/JHF of Management is used here?

Were the processes restarted afterwards as per the instructions?

0 Kudos
umar7
Contributor

Gaia OS R80.40 Take 125

0 Kudos
Chris_Atkinson
Employee

Just to confirm this is a distributed deployment with separate SG / SMS...

How is the following currently set?

TLS.png

(Ignore if management) 

0 Kudos
umar7
Contributor

Hello Chris,

Yes, we have set this value to TLS 1.2 and did Install Database.

0 Kudos
Chris_Atkinson
Employee

Can you please share the output of:

"show configuration ssl tls" 

0 Kudos
umar7
Contributor

local configuration.PNG

0 Kudos
Chris_Atkinson
Employee

That looks like a Gateway, not the Management - which has the issue?

0 Kudos
umar7
Contributor

Hello Chris,

This is the management; I just changed the hostname.

0 Kudos
the_rock
Legend

I think that's the default output... I tested in R80.40, R81.10 and R81.20, same thing.

0 Kudos
_Val_
Admin

Silly question, but did you actually reboot the device after all changes?

0 Kudos
(1)
umar7
Contributor

No, that is in the production network. We have to go through a lot of permissions to reboot the device. But we have tried to restart the ssh and httpd2 services after the modifications were done on the SMS. Is there any possible way to resolve the vulnerability?

0 Kudos
Chris_Atkinson
Employee

The SK provides the instructions, if those aren't working when followed fully (including reboot) please contact/consult TAC.

0 Kudos
umar7
Contributor

Thank you for your reply.

0 Kudos
_Val_
Admin

Rebooting the management server does not affect production operations, other than a very short unavailability of the management server itself. I am pretty sure that if you open a TAC request, they will ask for that anyway.

0 Kudos
umar7
Contributor

Hello Val,

Thanks for the update. I have created the case with TAC already.

I will try to do the reboot of the device.

0 Kudos
the_rock
Legend

Don't bother rebooting, it's never needed for this. All you do is enable/disable the cipher you want, save config, that's it.

0 Kudos