04-18-2019 02:12 PM
An internal scan of our phones has resulted in a finding that phones reject an ssh connection when the SSH is disabled. I would expect the phone to not respond to ssh requests if it is disabled as opposed to rejecting the connection on port 22. Is there any way to enforce the device not to respond to ssh requests instead of rejecting them?
We have tested by enabling SSH on a phone and we get a prompt for creds; when disabled, we get a connection refused.
Thanks,
Joe
04-18-2019 11:48 PM
04-19-2019 06:43 AM
After more discussion, the actual "vulnerabilities" that are exposed are the following:
Dropbear SSH Multiple Security Vulnerabilities and Deprecated SSH Cryptographic Settings...
Per CSCug65382 there is no workaround for Dropbear, and I don't think any loads have been released for phones that remove the following keys: diffie-hellman-group1-sha1, cipher 3des-cbc, cipher blowfish-cbc.
Not sure how to proceed other than the ACL.
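The deprecated settings named in the post above can be checked against what an SSH endpoint offers in its key-exchange message. As an added example that is not part of the original thread, this parses an SSH_MSG_KEXINIT payload (layout per RFC 4253, section 7.1) and reports which of the three algorithms from the post appear; the sample payload and all function names are constructed for illustration.

```python
import struct
# Algorithms named in the post above as flagged by the scan.
DEPRECATED = {"diffie-hellman-group1-sha1", "3des-cbc", "blowfish-cbc"}
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ["kex_algorithms", "server_host_key_algorithms",
          "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
          "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
          "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
          "languages_client_to_server", "languages_server_to_client"]
SSH_MSG_KEXINIT = 20

def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload (message type byte onward) into its name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}  # skip the type byte and the 16-byte cookie
    for field in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError(f"truncated before {field}")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"name-list {field} overruns payload")
        raw = payload[offset:offset + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        offset += length
    return lists

def deprecated_offers(lists: dict) -> dict:
    """Return {field: [names]} for every field that offers a flagged algorithm."""
    hits = {f: [n for n in names if n in DEPRECATED] for f, names in lists.items()}
    return {f: h for f, h in hits.items() if h}

def build_kexinit(lists: dict) -> bytes:
    """Build a constructed KEXINIT payload for the demo (all-zero cookie)."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        data = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed sample offer, not captured from any real phone.
SAMPLE = build_kexinit({
    "kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": ["aes128-ctr", "3des-cbc", "blowfish-cbc"],
    "encryption_algorithms_server_to_client": ["aes128-ctr", "3des-cbc"],
})
```

Calling `deprecated_offers(parse_kexinit(SAMPLE))` returns the fields in which a flagged algorithm is offered, which is the evidence a scanner finding of this kind rests on.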
04-20-2019 11:40 PM