Weak key exchange algorithms enabled in NetOps Performance Management

Article ID: 236962

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

This shows up in the security scan; can you check if this is CAPM related?

Plugin Output: The following weak key exchange algorithms are enabled:

  diffie-hellman-group-exchange-sha1
  diffie-hellman-group1-sha1

The remote SSH server is configured to allow key exchange algorithms which are considered weak. This is based on the IETF draft document Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ssh-kex-sha2-20. Section 4 lists guidance on key exchange algorithms that SHOULD NOT and MUST NOT be enabled. This includes:

  diffie-hellman-group-exchange-sha1
  diffie-hellman-group1-sha1
  gss-gex-sha1-*
  gss-group1-sha1-*
  gss-group14-sha1-*
  rsa1024-sha1

Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.

Does the DX NetOps Performance Management release, or any of its component systems, enable the weak diffie-hellman-group key exchange algorithms?

Nessus scanning tools were used to find the problem.

Environment

All supported DX NetOps Performance Management releases

Cause

  • Triggered by findings from:
    • Data Repository (DR) use of OS SSH server tools.
    • Data Aggregator (DA) and Data Collector (DC) systems running 21.2.2 and older releases
      • The DA/DC karaf process has its own internal sshd service
      • Uses karaf sshd port 8501/8601

Resolution

How can we remediate this concern?

  • Data Repository (DR)
    • The SSH server Vertica uses is an OS tool.
    • Neither Broadcom nor Vertica database installers install, update or manage it.
    • It's used by Vertica but not owned by it.
    • Consult with system administrators or OS Vendor for input on remediation steps.
  • Data Aggregator (DA) and Data Collector (DC)
    • Only present in 21.2.2 and older releases.
    • Remediated in 21.2.3+ releases which include an update to the karaf version.
    • The new karaf version allows locking down the internal sshd and puts in place the use of better algorithms.
    • If running version 21.2.2 or older, upgrade the DA and/or DC(s) involved to remediate the problem.
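To confirm the finding (and the fix after an upgrade or an OS sshd change) without relying on the scanner, the check below speaks only the cleartext SSH identification and KEXINIT exchange and reports which offered key exchange algorithms are on the weak list quoted above. It is an added example, not code from the article or the DX NetOps product; the host names in the main block are placeholders, and the ports (22 for the DR host's OS sshd, 8501/8601 for the DA/DC karaf sshd) are the ones the article names.

```python
# Added example (not from the article or the DX NetOps product): list the kex
# algorithms an SSH server offers via the RFC 4253 KEXINIT exchange only.
import socket
import struct

SSH_MSG_KEXINIT = 20
# From the article's plugin output / draft-ietf-curdle-ssh-kex-sha2 section 4;
# the gss-* entries are families and are matched by prefix.
WEAK_EXACT = {"diffie-hellman-group-exchange-sha1",
              "diffie-hellman-group1-sha1", "rsa1024-sha1"}
WEAK_PREFIX = ("gss-gex-sha1-", "gss-group1-sha1-", "gss-group14-sha1-")

def is_weak(name: str) -> bool:
    return name in WEAK_EXACT or name.startswith(WEAK_PREFIX)

def parse_kexinit(packet: bytes) -> list[str]:
    """kex_algorithms name-list from a raw binary packet carrying KEXINIT.
    Packet: uint32 packet_length, byte padding_length, payload, padding."""
    packet_length, padding_length = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + packet_length - padding_length - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT packet")
    (length,) = struct.unpack(">I", payload[17:21])  # after msg id + 16-byte cookie
    return payload[21:21 + length].decode("ascii").split(",")

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf

def probe(host: str, port: int, timeout: float = 5.0) -> list[str]:
    """Offered kex algorithms of host:port; never authenticates."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexaudit\r\n")
        line = b""
        while not line.startswith(b"SSH-"):  # skip any pre-version banner lines
            line = b""
            while not line.endswith(b"\n"):
                line += _recv_exact(sock, 1)
        header = _recv_exact(sock, 5)  # packet_length + padding_length
        body = _recv_exact(sock, struct.unpack(">I", header[:4])[0] - 1)
        return parse_kexinit(header + body)

if __name__ == "__main__":  # placeholder hosts; 22 = DR OS sshd, 8501 = DA karaf sshd
    for host, port in (("dr-host.example", 22), ("da-host.example", 8501)):
        weak = [a for a in probe(host, port) if is_weak(a)]
        print(f"{host}:{port} weak kex: {weak or 'none'}")
```

An empty list for a DA/DC on 21.2.3+ and for the DR host after the OS sshd has been restricted is the expected result; any name printed is still on offer and still reportable by the scanner.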