Upgrade to OpenSSH 7.0 for ILOM — oracle-tech


Upgrade to OpenSSH 7.0 for ILOM

3574183 Member Posts: 4
edited April 2018 in Oracle x86 Servers

Hi All,

We did a scan on our ILOMs and found a vulnerability; a solution was provided for an upgrade of SSH.

The SSH server running on the remote host is affected by a security bypass vulnerability that allows password brute-force attacks.

The remote SSH server is affected by a security bypass vulnerability due to a flaw in the keyboard-interactive authentication mechanisms.

The kbdint_next_device() function in auth2-chall.c improperly restricts the processing of keyboard-interactive devices within a single connection. A remote attacker can exploit this, via a crafted keyboard-interactive 'devices' string, to bypass the normal restriction of 6 login attempts (MaxAuthTries), resulting in the ability to conduct a brute-force attack or cause a denial of service condition.

Upgrade to OpenSSH 7.0 or later.

Alternatively, this vulnerability can be mitigated on some Linux distributions by disabling the keyboard-interactive authentication method. This can be done on Red Hat Linux by setting 'ChallengeResponseAuthentication' to 'no' in the /etc/ssh/sshd_config configuration file and restarting the sshd service.

Server model: X4270M2, X3_2L

My question now is, do we have any mitigation method to avoid this vulnerability, instead of upgrading the ILOM OpenSSH to 7.0?

If not, does anyone have the procedure to upgrade the OpenSSH on ILOM?

Thanks in advance for any suggestions.




  • Nik Member Posts: 2,732 Bronze Crown
    edited April 2018

    You cannot separately update SSH on ILOM.

    You can try updating the whole ILOM for this server.

      (Check what version of ILOM is currently installed and what version is available on support.oracle.com).

    The problem of security on the management interface is persistent.

    Management processors have limited resources; the vendor focuses on the internal functions of the device.

    For many old devices, updates are not available.

    So you can resolve this problem from another side: create a separate network for management interfaces with limited access (firewall or server-gate).

    A security scan on the management interface of many devices can cause unpredictable problems. (It can cause a reboot on some arrays or hang the management interface.)
