topic acs 1113 appliance version 4.2 ssh version 1 in Network Access Control

acs 1113 appliance version 4.2 ssh version 1

vcornett — Sun, 10 Mar 2019 23:41:11 GMT

McAffee scan of acs 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Any way to specify only version 2 or turn off SSH

Re: acs 1113 appliance version 4.2 ssh version 1

Jagdeep Gambhir — Tue, 15 Sep 2009 19:35:12 GMT

The ACS is a closed system and SSH does not allow access to the Operating System; its only use is for RDBMS synchronization.

We cannot manage the ACS via SSH like console. This port has been opened only to support "Programmatic interface for RDBMSync".

Any SSH client can communicate appliance with administrator credentials and

execute only below commands.

Command Description

----------------------------------------------------

? List commands

exit Log off

help List commands

csdbsync -syncnow RDBMS synchronization

It is not possible to take control of the appliance by exploiting SSH vulnerability.

Regards,

~JG

Do rate helpful posts

Re: acs 1113 appliance version 4.2 ssh version 1

vcornett — Tue, 15 Sep 2009 20:08:54 GMT

Thanks for the reply.

Assuming we do not want to do RDBMS synchronization, can the ssh be disable or can the version be changed to version 2?

Regards,

Re: acs 1113 appliance version 4.2 ssh version 1

Jagdeep Gambhir — Tue, 15 Sep 2009 20:58:21 GMT

HI VC,

Currently there is no way we can change ver to 2 and to disable SSH on the appliance.

Regards,

~JG

Do rate helpful posts

Re: acs 1113 appliance version 4.2 ssh version 1

vcornett — Wed, 16 Sep 2009 15:05:24 GMT

JG,

If this ssh version 1 vulnerability was exploited and an unauthorized user gained access to the ssh interface, could they do harm by loading a bogus configuration into the ACS server and/or export the existing configuration which would leave the network infrastructure extremely vulnerable at that point?

Re: acs 1113 appliance version 4.2 ssh version 1

Jagdeep Gambhir — Wed, 16 Sep 2009 15:22:39 GMT

Hi,

No, it is not possible to change config using ssh vulnerability.

With SSH you will get ONLY following options,

Command Description

----------------------------------------------------

? List commands

exit Log off

help List commands

csdbsync -syncnow RDBMS synchronization

So there is no way to make any config change or gain access to config using SSH. I would suggest you to ssh to appliance and explore these options.

Regards,

~JG

Do rate helpful posts

Re: acs 1113 appliance version 4.2 ssh version 1

Lucien Avramov — Sun, 20 Sep 2009 07:53:38 GMT

As explained, this doesnt really concerns the ACS as there is nothing you can do over SSH besides RDBMS config anyways.

If you need CLI, you need a console on the ACS, as simple as that.

Re: acs 1113 appliance version 4.2 ssh version 1

vcornett — Mon, 21 Sep 2009 12:33:52 GMT

Ok. Thanks for he responses.

Re: acs 1113 appliance version 4.2 ssh version 1

zac ragoonath — Tue, 07 Feb 2012 21:08:25 GMT

One of our audits lists this(ssh) as a vulnerability. I wanted to either either force SSH v2 or turn it off al together like my friend above. Your explanation on the controls or lack of controls in SSH is very helpful.

Re: acs 1113 appliance version 4.2 ssh version 1

camejia — Wed, 08 Feb 2012 19:02:09 GMT

Hello Zac,

CSCsk44379 ACS to Support OpenSSH 4.7 for Remote invocation of CSdbSync

Unfortunately the bug has been Closed and no further investigation/development will be enforced in order to address the ACS SSHv1 issue. The explanation is as follows:

"The main reason for asking for upgrade of ssh library is "X11 session hijacking" attack that was identified in OpenSSH4.6.

ACS SE is Not vulnerable to this attack because ACS SE is closed box and invoking x-windows from it is not possible."

There is no way to disable SSH on the ACS SE at the moment.

If this was helpful please rate.

Regards.