Re: Vulnerabilities detected by VA scan

BigHec · ‎2024-01-03

Hi All,

Recently we did a VA scan on one of our SMB device and there is one vulnerabilities listed below:

"Diffie-Hellman Ephemeral Key Exchange DoS Vulnerability (SSH, D(HE)ater) (CVSS: 7.5)"

I did not found any related fix on the SK but I went on some research, it seems like need to disable the Diffie-Hellman Key exchange method in the file name "sshd_config".

For normal appliance the path for "sshd_config" file will be /etc/ssh/sshd_config

But for SMB, screenshot below is what I got when trying to find the file:

It seems like the "ssh" has a symbolic link to "/var/ssh/" but the "ssh" folder is not in the "/var".

Does anyone has any idea on this?

Appreciate for the help!

Martin_Valenta · ‎2024-01-03

check this

Expert# cpwd_admin list
APP PID STAT #START START_TIME MON COMMAND
SSHD 3554 E 1 [13:26:19] 3/12/2023 N /pfrm2.0/bin/sshd -f /pfrm2.0/etc/sshd_config

BigHec · ‎2024-01-03

Hi Martin,

This is all I'm able to see when running cpwd_admin list command

PhoneBoy · ‎2024-01-03

Only in the most recent SMB firmware releases (R81.10.xx) is OpenSSH used.
In other releases, Dropbear is used as the SSH daemon, which means the procedure for remediating this would be different (assuming it's even possible to do so).
In our official SK, SMB appliances aren't mentioned at all: https://support.checkpoint.com/results/sk/sk181833
In any case, please open a TAC case: https://help.checkpoint.com

@Amir_Ayalon

BigHec · ‎2024-01-03

Hi @PhoneBoy,

We did checked the SMB firmware is installed with version R81.10.00.

I think I will proceed to open a TAC case for this

Thank you

BigHec · ‎2024-01-08

Hi All,

Do anyone knows how to restart the SSHD service in a SMB device? Because I did some changes on the sshd file and I wanted to restart the service and try will the file take effect or not

Thanks alot!

G_W_Albrecht · ‎2024-01-09

There is a supported way to configure this for SMB since 81.10.05:

[Expert@fifteenfifty]# clish

fifteenfifty> show ssh-
ssh-cipher - OpenSSH Cipher encryption
ssh-kex - OpenSSH KEX encryption
ssh-mac - OpenSSH MAC encryption
fifteenfifty> show ssh-cipher 
aes128-ctr
aes192-ctr
aes256-ctr
fifteenfifty> show ssh-mac 
hmac-sha1
hmac-sha2-256
hmac-sha2-512
fifteenfifty> show ssh-kex 
curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha256

delete ssh-<encryption-category> algorithm <algorithm>

Example:

delete ssh-cipher algorithm aes128-cbc

https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/delete-ssh-encryption-catego...

In lower firmware version there is no possibility to exclude a cipher, MAC or KEX as it uses dropbear created for embedded devices...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

BigHec · ‎2024-01-09

Hi @G_W_Albrecht,

This is what I'm looking for. Thank you so much on this.

And I have another thing is that the vulnerability tools also scanned vulnerability related to the CVE-2023-48795 on port 22, which is the "chacha20-poly1305" cipher.

Is the cipher need to disable by using the "cipher_util"? Because I can't seems to find it when using the "show ssh-cipher" command when list out all the ciphers for the SMB device.

Found the sk181833 but I think it is for Enterprise appliances and it did not officially mention it is applicable for SMB device.

Any idea on this?

Appreciate for the help.

Are you a member of CheckMates?

Vulnerabilities detected by VA scan