09-15-2009 12:03 PM - edited 03-10-2019 04:41 PM
McAfee scan of an ACS 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Is there any way to specify only version 2 or turn off SSH?
09-15-2009 12:35 PM
The ACS is a closed system and SSH does not allow access to the operating system; its only use is for RDBMS synchronization.
We cannot manage the ACS via SSH like a console. This port has been opened only to support the "Programmatic interface for RDBMSync".
Any SSH client can communicate with the appliance using administrator credentials and execute only the commands below.

Command              Description
----------------------------------------------------
?                    List commands
exit                 Log off
help                 List commands
csdbsync -syncnow    RDBMS synchronization

It is not possible to take control of the appliance by exploiting an SSH vulnerability.
Regards,
~JG
Do rate helpful posts
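The scanner finding in this thread rests on what the appliance advertises in its SSH identification string. The following is an added example (not from the original thread, not Cisco's code, and not specific to the ACS 1113): it parses the SSH identification line defined in RFC 4253 section 4.2 (`SSH-protoversion-softwareversion SP comments CR LF`) and classifies which protocol versions a server accepts, so you can confirm a scanner's "SSH version 1" report yourself. A protoversion of `1.99` means the server accepts both SSH-1 and SSH-2 clients; `1.x` is SSH-1 only; `2.0` is SSH-2 only. The sample banners are constructed for the example, and `grab_ssh_banner` is an optional network helper for checking a real host.

```python
import re
import socket

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_ssh_banner(banner: str) -> dict:
    """Parse one SSH identification line and report the protocol versions it advertises."""
    line = banner.rstrip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto = m.group("proto")
    # "1.99" is the compatibility value: the server accepts SSH-1 and SSH-2 clients.
    if proto == "1.99":
        versions = {1, 2}
    elif proto.startswith("2."):
        versions = {2}
    elif proto.startswith("1."):
        versions = {1}
    else:
        versions = set()
    return {
        "proto": proto,
        "software": m.group("software"),
        "comments": m.group("comments"),
        "versions": versions,
        "accepts_ssh1": 1 in versions,  # this is what a SSHv1 scanner finding keys on
        "ssh2_only": versions == {2},
    }


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect to host:port and return the server's identification line.

    RFC 4253 allows the server to send other lines before the SSH- line,
    so skip anything that does not start with "SSH-" (bounded to 50 lines).
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(50):
            raw = f.readline()
            if not raw:
                break
            line = raw.decode("utf-8", errors="replace")
            if line.startswith("SSH-"):
                return line
    raise RuntimeError(f"no SSH identification string from {host}:{port}")


# Constructed sample banners for the example; not captured from any real appliance.
SAMPLE_BANNERS = {
    "v1-and-v2": "SSH-1.99-OpenSSH_3.9p1\r\n",
    "v2-only": "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n",
    "v1-only": "SSH-1.5-Cisco-1.25\r\n",
}


def classify_samples() -> dict:
    """Classify every constructed sample banner; returns name -> parsed result."""
    return {name: parse_ssh_banner(b) for name, b in SAMPLE_BANNERS.items()}


if __name__ == "__main__":
    for name, info in classify_samples().items():
        flag = "ACCEPTS SSH-1" if info["accepts_ssh1"] else "SSH-2 only"
        print(f"{name:10s} {info['proto']:5s} {info['software']:30s} {flag}")
    # To check a live host instead: print(parse_ssh_banner(grab_ssh_banner("192.0.2.10")))
```

A server that answers with `SSH-1.99-...` or `SSH-1.x-...` will keep tripping the scanner no matter what commands the restricted shell behind it allows, since the check is on the banner, not on what an authenticated session can do. Where the version cannot be changed or the service disabled, as the thread says is the case here, the usual compensating control is to restrict TCP/22 to the hosts that need it with a network ACL and record the finding as accepted with that justification.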
09-15-2009 01:08 PM
Thanks for the reply.
Assuming we do not want to do RDBMS synchronization, can SSH be disabled, or can the version be changed to version 2?
Regards,
VC
09-15-2009 01:58 PM
Hi VC,
Currently there is no way to change the version to 2 or to disable SSH on the appliance.
Regards,
~JG
Do rate helpful posts
09-16-2009 08:05 AM
JG,
If this SSH version 1 vulnerability were exploited and an unauthorized user gained access to the SSH interface, could they do harm by loading a bogus configuration into the ACS server and/or exporting the existing configuration, which would leave the network infrastructure extremely vulnerable at that point?
09-16-2009 08:22 AM
Hi,
No, it is not possible to change the config using the SSH vulnerability.
With SSH you will get ONLY the following options:

Command              Description
----------------------------------------------------
?                    List commands
exit                 Log off
help                 List commands
csdbsync -syncnow    RDBMS synchronization

So there is no way to make any config change or gain access to the config using SSH. I would suggest that you SSH to the appliance and explore these options.
Regards,
~JG
Do rate helpful posts
09-20-2009 12:53 AM
As explained, this doesn't really concern the ACS, as there is nothing you can do over SSH besides RDBMS config anyway.
If you need a CLI, you need a console on the ACS, as simple as that.
09-21-2009 05:33 AM
Ok. Thanks for the responses.
02-07-2012 01:08 PM
One of our audits lists this (SSH) as a vulnerability. I wanted to either force SSH v2 or turn it off altogether, like my friend above. Your explanation of the controls, or lack of controls, in SSH is very helpful.
02-08-2012 11:02 AM
Hello Zac,
CSCsk44379 ACS to Support OpenSSH 4.7 for Remote invocation of CSdbSync
Unfortunately the bug has been closed and no further investigation/development will be undertaken to address the ACS SSHv1 issue. The explanation is as follows:
"The main reason for asking for an upgrade of the SSH library is the "X11 session hijacking" attack that was identified in OpenSSH 4.6.
ACS SE is not vulnerable to this attack because ACS SE is a closed box and invoking X Windows from it is not possible."
There is no way to disable SSH on the ACS SE at the moment.
If this was helpful please rate.
Regards.