acs 1113 appliance version 4.2 ssh version 1

vcornett
Level 1

A McAfee scan of an ACS 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Is there any way to specify only version 2 or turn off SSH?
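To double-check a scanner finding like the one in the question, the server's SSH identification string can be classified using the RFC 4253 convention: protoversion 1.x means SSHv1 only, 1.99 means both protocols are offered, 2.0 means SSHv2 only. This is an added example, not code from the thread or from Cisco; the greetings and host names are constructed, and the thread does not say what string the ACS appliance actually sends.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_IDENT = re.compile(rb"^SSH-(\d+)\.(\d+)-([\x21-\x7e]+)(?: (.*))?$")

def parse_ident(greeting: bytes):
    """Return (major, minor, software) from a server greeting, or None."""
    for line in greeting.split(b"\n"):
        line = line.rstrip(b"\r")
        # A server may send other text lines first; only the first line
        # starting with "SSH-" is the identification string.
        if not line.startswith(b"SSH-"):
            continue
        m = _IDENT.match(line)
        if m is None or len(line) > 253:  # 255 bytes max including CR LF
            return None
        return int(m.group(1)), int(m.group(2)), m.group(3).decode("ascii")
    return None

def classify(greeting: bytes) -> str:
    """Map a greeting to the protocol versions the server advertises."""
    ident = parse_ident(greeting)
    if ident is None:
        return "unparseable"
    major, minor, _software = ident
    if (major, minor) == (1, 99):
        return "v1+v2"      # compatibility mode: server accepts both
    if major == 1:
        return "v1-only"
    if major == 2:
        return "v2-only"
    return "unknown"

def v1_exposed(inventory: dict) -> list:
    """Hosts whose greeting shows SSHv1 is still accepted."""
    return [h for h, g in inventory.items()
            if classify(g) in ("v1-only", "v1+v2")]

# Constructed greetings for illustration only (not captured from any device).
SAMPLES = {
    "appliance-a.example.test": b"SSH-1.5-1.2.27\r\n",
    "appliance-b.example.test": b"SSH-1.99-OpenSSH_4.7\r\n",
    "server-c.example.test": b"Notice text\r\nSSH-2.0-OpenSSH_4.7 note\r\n",
    "proxy-d.example.test": b"HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    for host, greeting in SAMPLES.items():
        print(f"{host:28} {classify(greeting)}")
```
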


Jagdeep Gambhir
Level 10

The ACS is a closed system and SSH does not allow access to the Operating System; its only use is for RDBMS synchronization.

We cannot manage the ACS via SSH like a console. This port has been opened only to support "Programmatic interface for RDBMSync".

Any SSH client can communicate with the appliance using administrator credentials and execute only the commands below.

Command               Description
----------------------------------------------------
?                     List commands
exit                  Log off
help                  List commands
csdbsync -syncnow     RDBMS synchronization

It is not possible to take control of the appliance by exploiting an SSH vulnerability.

Regards,

~JG

Do rate helpful posts

Thanks for the reply.

Assuming we do not want to do RDBMS synchronization, can SSH be disabled or can the version be changed to version 2?

Regards,

VC

Hi VC,

Currently there is no way to change the version to 2 or to disable SSH on the appliance.

Regards,

~JG

Do rate helpful posts

JG,

If this SSH version 1 vulnerability was exploited and an unauthorized user gained access to the SSH interface, could they do harm by loading a bogus configuration into the ACS server and/or exporting the existing configuration, which would leave the network infrastructure extremely vulnerable at that point?

Hi,

No, it is not possible to change the config using an SSH vulnerability.

With SSH you will get ONLY the following options:

Command               Description
----------------------------------------------------
?                     List commands
exit                  Log off
help                  List commands
csdbsync -syncnow     RDBMS synchronization

So there is no way to make any config change or gain access to the config using SSH. I would suggest you SSH to the appliance and explore these options.

Regards,

~JG

Do rate helpful posts

As explained, this doesn't really concern the ACS as there is nothing you can do over SSH besides RDBMS config anyways.

If you need CLI, you need a console on the ACS, as simple as that.

Ok. Thanks for the responses.

zac ragoonath
Level 1

One of our audits lists this (SSH) as a vulnerability. I wanted to either force SSH v2 or turn it off altogether like my friend above. Your explanation on the controls or lack of controls in SSH is very helpful.

Hello Zac,

CSCsk44379    ACS to Support OpenSSH 4.7 for Remote invocation of CSdbSync

Unfortunately the bug has been Closed and no further investigation/development will be enforced in order to address the ACS SSHv1 issue. The explanation is as follows:

"The main reason for asking for upgrade of ssh library is "X11 session hijacking" attack that was identified in OpenSSH4.6.

ACS SE is Not vulnerable to this attack because ACS SE is closed box and invoking x-windows from it is not possible."

There is no way to disable SSH on the ACS SE at the moment.

If this was helpful please rate.

Regards.
