
SSH deprecated cryptographic settings - SOI Catalyst Container

Article ID: 187652

Products

CA Service Operations Insight (SOI)

Issue/Introduction

We're running SOI 4.2 with SO07205-WIN-SOI-4.2-JAN-2019-MONTHLY UPDATE KIT installed.

Our security department informed us that some vulnerabilities have been found on two types of SOI connectors, specifically the UIM CatalystContainer connector and the SNMP CatalystContainer connector.

Port 8101 TCP is involved, referring to SSH.

The online publication about it is shown below:

Avoid using deprecated cryptographic settings.
Use best practices when configuring SSH.
Refer to https://csrc.nist.gov/publications/detail/nistir/7966/final, "Security of Interactive and Automated Access Management Using Secure Shell (SSH)".

Settings currently considered deprecated:

  1. Ciphers using CFB or OFB
     Very uncommon, and deprecated because of weaknesses compared to newer cipher chaining modes such as CTR or GCM
  2. RC4 cipher (arcfour, arcfour128, arcfour256)
     The RC4 cipher has a cryptographic bias and is no longer considered secure
  3. Ciphers with a 64-bit block size (DES, 3DES, Blowfish, IDEA, CAST)
     Ciphers with a 64-bit block size may be vulnerable to birthday attacks (Sweet32)
  4. Key exchange algorithms using DH group 1 (diffie-hellman-group1-sha1, gss-group1-sha1-*)
     DH group 1 uses a 1024-bit key which is considered too short and vulnerable to Logjam-style attacks
  5. Key exchange algorithm "rsa1024sha1"
     Very uncommon, and deprecated because of the short RSA key size
  6. MAC algorithm "umac-32"
     Very uncommon, and deprecated because of the very short MAC length
  7. Cipher "none"
     This is available only in SSHv1

At the moment we do not know which of the above applies to the two mentioned SOI connectors.

Several files were found referring to port 8101, such as:
CA\Catalyst\CatalystConnector\registry\topology\physical\a-swrtr80121_CatalystConnector\catalyst-features.xml
CA\Catalyst\CatalystConnector\container\system\org\apache\karaf\assemblies\features\standard\2.2.5\standard-2.2.5-features.xml
CA\Catalyst\CatalystConnector\container\registry-cache\__topology__physical__a-swrtr80121_CatalystConnector__catalyst-features.xml
CA\Catalyst\CatalystConnector\container\etc\org.apache.karaf.shell.cfg
CA\Catalyst\CatalystConnector\container\data\cache\org.eclipse.osgi\bundles\5\data\config\org\apache\karaf\shell.config
CA\Catalyst\CatalystConnector\connector_registry\topology\physical\a-swrtr80121_CatalystConnector\catalyst-features.xml

Please have a look and let us know what configuration changes we can make to get rid of this vulnerability.

Environment

Service Operations Insight (SOI) Manager: 4.2

Catalyst Container 3.x

Resolution

Please disable SSHD on the Catalyst Container server as described below.

1) Disable the SSHd server (this has no side effects in the Catalyst Container) by commenting out this line:

       org/apache/karaf/shell/org.apache.karaf.shell.ssh/2.2.5/org.apache.karaf.shell.ssh-2.2.5.jar=30

       File name: \Catalyst\CatalystConnector\container\etc\startup.properties

2) Restart the "CA Catalyst Container" services.
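An added example (not CA/Broadcom tooling) that performs the step 1 edit idempotently and reports whether the SSH bundle entry is still active, so the same script can audit several connector hosts. The SAMPLE contents are constructed; the only assumption is that startup.properties carries the bundle line quoted above.

```python
import re
import shutil
from pathlib import Path

# Matches the Karaf SSH shell bundle start-level entry (any bundle version),
# whether active or already commented out with '#' or '!' (both are comment
# markers in Java .properties files).
SSH_BUNDLE_RE = re.compile(
    r"^(?P<comment>\s*[#!]\s*)?"
    r"(?P<entry>org/apache/karaf/shell/org\.apache\.karaf\.shell\.ssh/"
    r"[^/=\s]+/org\.apache\.karaf\.shell\.ssh-[^=\s]+\.jar\s*=\s*\d+)\s*$"
)

def ssh_bundle_state(text: str) -> str:
    """Return 'enabled', 'disabled' or 'absent' for the SSH bundle entry."""
    for line in text.splitlines():
        m = SSH_BUNDLE_RE.match(line)
        if m:
            return "disabled" if m.group("comment") else "enabled"
    return "absent"

def disable_ssh_bundle(text: str) -> str:
    """Comment out an active SSH bundle entry; every other line and the
    original line endings are left untouched. Safe to run repeatedly."""
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = SSH_BUNDLE_RE.match(body)
        if m and not m.group("comment"):
            line = "#" + body + line[len(body):]
        out.append(line)
    return "".join(out)

def disable_ssh_in_file(path: Path) -> str:
    """Back up startup.properties, apply the edit, return the resulting state."""
    original = path.read_text(encoding="utf-8")
    if ssh_bundle_state(original) == "enabled":
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(disable_ssh_bundle(original), encoding="utf-8")
    return ssh_bundle_state(path.read_text(encoding="utf-8"))

# Constructed sample of the relevant startup.properties lines (not a real file).
SAMPLE = (
    "org/apache/karaf/shell/org.apache.karaf.shell.console/2.2.5/org.apache.karaf.shell.console-2.2.5.jar=30\n"
    "org/apache/karaf/shell/org.apache.karaf.shell.ssh/2.2.5/org.apache.karaf.shell.ssh-2.2.5.jar=30\n"
    "org/apache/karaf/shell/org.apache.karaf.shell.osgi/2.2.5/org.apache.karaf.shell.osgi-2.2.5.jar=30\n"
)

if __name__ == "__main__":
    print(ssh_bundle_state(SAMPLE), "->", ssh_bundle_state(disable_ssh_bundle(SAMPLE)))
```

Step 2 (restarting the service) is still required after the file edit; once the service is back up, confirm that nothing is listening on 8101/TCP any more.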