Weak key exchange algorithms enabled in OI

Article ID: 244074

Updated On:

Products

DX Operational Intelligence

Issue/Introduction

A vulnerability showed up in a security scan affecting all of our OI systems. Can you please verify if this is related to OI?

The following weak key exchange algorithms are enabled:

diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1

Description
The remote SSH server is configured to allow key exchange algorithms which are considered weak. This is based on the IETF draft document Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH), draft-ietf-curdle-ssh-kex-sha2-20. Section 4 lists guidance on key exchange algorithms that SHOULD NOT and MUST NOT be enabled. This includes:

diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
gss-gex-sha1-*
gss-group1-sha1-*
gss-group14-sha1-*
rsa1024-sha1

Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.

Solution
Contact the vendor or consult product documentation to disable the weak algorithms.

Environment

Release : 21.3

Component : CA DOI Foundations - DEFAULT

Resolution

Question: Will OI have issues if both of these algorithms are disabled?

diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1

Answer: 

There will not be any issues for OI if these two algorithms are disabled.

The scanner description refers to the SSH server on the host. The DX OI (dxi) installer does not install or manage an SSH server; sshd is part of the host operating system, so the weak algorithms are disabled in that server's own configuration (for OpenSSH, the KexAlgorithms directive in sshd_config, followed by an sshd restart).

The installer package contains two shell scripts that may use the ssh command to connect to another server: uninstall-dxi.sh and dxi-es-admin.sh. Setting up and configuring that server is the customer's responsibility; the scripts use only the ssh client on the host. A client negotiates whichever key exchange method the server still offers, so removing the two flagged methods from the server does not break these scripts as long as the client and server share at least one of the remaining methods, which current OpenSSH clients do.
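Since the finding is against the host's SSH server rather than OI, the practical check is to read the server's effective KEX list and remove the methods the scan names. The following is an added example, not code from this article or from the DX OI installer: a small POSIX sh script that takes a comma-separated KEX list (the shape of the `kexalgorithms` line printed by `sshd -T`), reports which of the flagged methods are present, and emits a KexAlgorithms directive with them removed while keeping the remaining order. The sample list and the `gss-gex-sha1-` suffix in it are constructed for the demo.

```shell
#!/bin/sh
# Added example: filter an SSH KEX list against the methods flagged in the scan.
# Not part of DX Operational Intelligence or its installer; plain POSIX sh.

# Weak KEX methods exactly as listed in the scanner description.
# The gss-* entries are prefixes: the real name ends in a hash of the GSS mechanism OID.
is_weak_kex() {
    case "$1" in
        diffie-hellman-group-exchange-sha1|diffie-hellman-group1-sha1|rsa1024-sha1) return 0 ;;
        gss-gex-sha1-*|gss-group1-sha1-*|gss-group14-sha1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Split a comma-separated KEX list (sshd_config / `sshd -T` form) into one name per line.
split_kex() {
    printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Print the flagged methods present in the list, one per line, in input order.
weak_kex_in() {
    split_kex "$1" | while IFS= read -r kex; do
        if is_weak_kex "$kex"; then printf '%s\n' "$kex"; fi
    done
}

# Print a KexAlgorithms directive that keeps only the non-flagged methods, in input order.
harden_kex_line() {
    kept=$(split_kex "$1" | while IFS= read -r kex; do
        if ! is_weak_kex "$kex"; then printf '%s\n' "$kex"; fi
    done | tr '\n' ',' | sed 's/,$//')
    printf 'KexAlgorithms %s\n' "$kept"
}

# Constructed sample shaped like the `kexalgorithms` line of `sshd -T` on an older host.
# The gss-* suffix is a placeholder, not a real mechanism hash.
SAMPLE_KEX='curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,gss-gex-sha1-constructedsuffix'

# Demo. On a real host, substitute the live list:
#   sshd -T | awk '$1 == "kexalgorithms" { print $2 }'   # effective server config (needs root)
#   ssh -Q kex                                           # what the local ssh client supports
echo "Flagged KEX methods offered by the server:"
weak_kex_in "$SAMPLE_KEX"
echo
echo "Hardened sshd_config line:"
harden_kex_line "$SAMPLE_KEX"
```

Put the emitted line in sshd_config (recent OpenSSH also accepts a leading `-`, e.g. `KexAlgorithms -diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1`, to remove methods from the default set instead of replacing it), restart sshd, and rerun `sshd -T` to confirm the flagged names are gone before rescanning.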