ACS 1113 appliance version 4.2 SSH version 1

Unanswered Question
Sep 15th, 2009

McAfee scan of ACS 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Any way to specify only version 2 or turn off SSH?

Jagdeep Gambhir Tue, 09/15/2009 - 12:35

The ACS is a closed system and SSH does not allow access to the operating system; its only use is for RDBMS synchronization.

We cannot manage the ACS via SSH like the console. This port has been opened only to support the "Programmatic interface for RDBMSync".

Any SSH client can communicate with the appliance using administrator credentials and execute only the commands below.

Command             Description
----------------------------------------------------
?                   List commands
exit                Log off
help                List commands
csdbsync -syncnow   RDBMS synchronization

It is not possible to take control of the appliance by exploiting an SSH vulnerability.

Regards,

~JG

Do rate helpful posts
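Whatever the appliance lets you do once logged in, the scanner finding in the question is made from the protocol identification string the server sends before any authentication, so it can be confirmed (and, on any system that does let you change it, re-checked) without touching the restricted shell. The probe below is an added example written for this page, not code from Cisco, the ACS appliance or anyone in the thread. The host and port you pass to probe_ssh_versions() are your own input; the banners in the self-check are constructed sample strings, not captures from a real ACS SE.

```python
"""Read an SSH server's identification string (RFC 4253, section 4.2) and
report which protocol generations it advertises.

Added example for this thread, not code from Cisco or the ACS appliance.
The host/port given to probe_ssh_versions() are assumptions supplied by the
caller; the banners used in the self-check are constructed samples.
"""
import socket
import sys
from typing import Dict


def parse_banner(data: bytes) -> Dict[str, object]:
    """Parse the raw bytes a server sends before the client speaks.

    A server may send free-text lines before the identification string;
    RFC 4253 says clients must ignore lines that do not begin with "SSH-".
    The identification string itself is
        SSH-protoversion-softwareversion [SP comments] CR LF
    and protoversion tells you what is on offer:
        1.x (e.g. 1.3, 1.5)   SSH-1 only
        1.99                  SSH-1 and SSH-2 (compatibility mode)
        2.0                   SSH-2 only
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            break
    else:
        raise ValueError("no SSH identification string found in %r" % data)

    text = line.decode("ascii", errors="replace")
    # Split on the first two dashes only: softwareversion may itself
    # contain dashes (e.g. "Cisco-1.25").
    parts = text.split("-", 2)
    if len(parts) != 3:
        raise ValueError("malformed identification string: %r" % text)
    _, protoversion, rest = parts
    software, _, comments = rest.partition(" ")

    if protoversion == "1.99":
        offers_v1, offers_v2 = True, True
    elif protoversion.startswith("2."):
        offers_v1, offers_v2 = False, True
    elif protoversion.startswith("1."):
        offers_v1, offers_v2 = True, False
    else:
        offers_v1 = offers_v2 = False  # unrecognised; report it as such

    return {
        "protoversion": protoversion,
        "software": software,
        "comments": comments,
        "offers_v1": offers_v1,
        "offers_v2": offers_v2,
    }


def classify(parsed: Dict[str, object]) -> str:
    """Turn a parsed banner into the one-line finding a scanner would report."""
    v1, v2 = parsed["offers_v1"], parsed["offers_v2"]
    if v1 and v2:
        return "SSHv1 and SSHv2 (protocol 1 still enabled)"
    if v1:
        return "SSHv1 only"
    if v2:
        return "SSHv2 only"
    return "unrecognised protocol version %r" % parsed["protoversion"]


def probe_ssh_versions(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect, read the server's banner and classify it (network call)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = b""
        # Keep reading until a complete "SSH-..." line has arrived or the
        # server stops talking; 4 KiB is ample for any pre-banner text.
        while len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
            idx = data.find(b"SSH-")
            if idx != -1 and b"\n" in data[idx:]:
                break
    return classify(parse_banner(data))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s <host>" % sys.argv[0])
    print(sys.argv[1], "->", probe_ssh_versions(sys.argv[1]))
```

A banner of SSH-1.99 is what scanners key on: it means the server will negotiate protocol 1 with a client that asks for it, which is exactly the condition the audit flagged. The banner only shows what is advertised; to prove the server actually completes a protocol-1 key exchange you would still need a client that speaks SSH-1.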

vcornett Tue, 09/15/2009 - 13:08

Thanks for the reply.

Assuming we do not want to do RDBMS synchronization, can SSH be disabled or can the version be changed to version 2?

Regards,

VC

Jagdeep Gambhir Tue, 09/15/2009 - 13:58

HI VC,

Currently there is no way to change the version to 2 or to disable SSH on the appliance.

Regards,

~JG

Do rate helpful posts

vcornett Wed, 09/16/2009 - 08:05

JG,

If this SSH version 1 vulnerability were exploited and an unauthorized user gained access to the SSH interface, could they do harm by loading a bogus configuration into the ACS server and/or exporting the existing configuration, which would leave the network infrastructure extremely vulnerable at that point?

Jagdeep Gambhir Wed, 09/16/2009 - 08:22

Hi,

No, it is not possible to change the config using an SSH vulnerability.

With SSH you will get ONLY the following options:

Command             Description
----------------------------------------------------
?                   List commands
exit                Log off
help                List commands
csdbsync -syncnow   RDBMS synchronization

So there is no way to make any config change or gain access to the config using SSH. I would suggest you SSH to the appliance and explore these options.

Regards,

~JG

Do rate helpful posts

Lucien Avramov Sun, 09/20/2009 - 00:53

As explained, this doesn't really concern the ACS, as there is nothing you can do over SSH besides RDBMS config anyway.

If you need CLI, you need a console on the ACS, as simple as that.

zac ragoonath Tue, 02/07/2012 - 13:08

One of our audits lists this (SSH) as a vulnerability. I wanted to either force SSH v2 or turn it off altogether like my friend above. Your explanation on the controls or lack of controls in SSH is very helpful.

camejia Wed, 02/08/2012 - 11:02

Hello Zac,

CSCsk44379    ACS to Support OpenSSH 4.7 for Remote invocation of CSdbSync

Unfortunately the bug has been Closed and no further investigation/development will be enforced in order to address the ACS SSHv1 issue. The explanation is as follows:

"The main reason for asking for upgrade of the ssh library is the "X11 session hijacking" attack that was identified in OpenSSH 4.6.

ACS SE is not vulnerable to this attack because ACS SE is a closed box and invoking X Windows from it is not possible."

There is no way to disable SSH on the ACS SE at the moment.

If this was helpful please rate.

Regards.
