Upgrade to OpenSSH 7.0 for ILOM

Hi All,
We did a scan on our ILOMs and found a vulnerability, and a solution was provided for an upgrade of SSH.
---------------------------------------------------------------------------------------------------------------------------------------
The SSH server running on the remote host is affected by a security bypass vulnerability that allows password brute-force attacks.
Description:
The remote SSH server is affected by a security bypass vulnerability due to a flaw in the keyboard-interactive authentication mechanisms.
The kbdint_next_device() function in auth2-chall.c improperly restricts the processing of keyboard-interactive devices within a single connection. A remote attacker can exploit this, via a crafted keyboard-interactive 'devices' string, to bypass the normal restriction of 6 login attempts (MaxAuthTries), resulting in the ability to conduct a brute-force attack or cause a denial of service condition.
Solution:
Upgrade to OpenSSH 7.0 or later.
Alternatively, this vulnerability can be mitigated on some Linux distributions by disabling the keyboard-interactive authentication method. This can be done on Red Hat Linux by setting 'ChallengeResponseAuthentication' to 'no' in the /etc/ssh/sshd_config configuration file and restarting the sshd service.
---------------------------------------------------------------------------------------------------------------------------------------
Server model: X4270M2, X3_2L
My question now is: do we have any mitigation method to avoid this vulnerability, instead of upgrading the ILOM OpenSSH to 7.0?
If not, does anyone have the procedure to upgrade OpenSSH on ILOM?
Thanks in advance for any suggestions.
Regards,
Priyanka
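The scan finding quoted above describes the bypass publicly tracked as CVE-2015-5600: MaxAuthTries caps the number of authentication *method* attempts per connection, but before OpenSSH 7.0 a single keyboard-interactive attempt could cycle through every entry of the client-supplied devices list, duplicates included, so each copy of a device name bought another prompt round. The Python below is an added example, not code from this thread or from OpenSSH. It models the old and the 7.0 selection behaviour in simplified form (no LoginGraceTime, a single assumed device "pam"), counts the password guesses an attacker gets per connection under each, and then audits constructed sshd_config samples for the mitigation the finding names (ChallengeResponseAuthentication no, or its newer alias KbdInteractiveAuthentication). The sample configs and device lists are constructed for the demonstration; the parser honours sshd's first-value-wins rule and stops at the first Match block.

```python
"""Model of the keyboard-interactive MaxAuthTries bypass from the scan finding,
plus an audit of the sshd_config mitigation it recommends.  Added example; the
device names, counting model and sample configs are constructed for illustration.
"""

DEFAULT_MAX_AUTH_TRIES = 6      # sshd default when MaxAuthTries is not set
AVAILABLE_DEVICES = {"pam"}     # kbdint devices assumed to be compiled into sshd


def next_devices_vulnerable(devices, available=AVAILABLE_DEVICES):
    """Pre-7.0 behaviour of kbdint_next_device(), simplified: walk the
    client-supplied comma-separated list and grant one prompt round per entry
    that names a real device.  Duplicates are not rejected, so a crafted
    "pam,pam,pam,..." string yields one round per copy."""
    return [d for d in devices.split(",") if d in available]


def next_devices_fixed(devices, available=AVAILABLE_DEVICES):
    """OpenSSH 7.0 behaviour, simplified: a device is selected at most once
    per connection, so repeated entries are skipped."""
    used = set()
    selected = []
    for d in devices.split(","):
        if d in available and d not in used:
            used.add(d)
            selected.append(d)
    return selected


def password_guesses_per_connection(devices, next_devices,
                                    max_auth_tries=DEFAULT_MAX_AUTH_TRIES):
    """MaxAuthTries limits method attempts, not prompt rounds.  Every
    keyboard-interactive attempt replays the devices list, so the guess
    budget for one connection is attempts x selected devices."""
    return max_auth_tries * len(next_devices(devices))


def parse_sshd_config(text):
    """Effective global options.  sshd keeps the FIRST value seen for a
    keyword, and Match blocks apply conditionally, so parsing stops at the
    first Match (a full audit would evaluate the Match criteria)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def audit_sshd_config(text):
    """Report whether keyboard-interactive is still reachable and the
    MaxAuthTries setting, as the mitigation in the scan finding asks."""
    opts = parse_sshd_config(text)
    # ChallengeResponseAuthentication is the older keyword, KbdInteractiveAuthentication
    # the current alias; both default to yes when absent.
    kbdint = opts.get("kbdinteractiveauthentication",
                      opts.get("challengeresponseauthentication", "yes")).lower()
    kbdint_enabled = kbdint == "yes"
    max_auth_tries = int(opts.get("maxauthtries", DEFAULT_MAX_AUTH_TRIES))
    findings = []
    if kbdint_enabled:
        findings.append("keyboard-interactive enabled: on sshd < 7.0 a crafted "
                        "devices list multiplies the MaxAuthTries budget; set "
                        "ChallengeResponseAuthentication no or upgrade")
    if max_auth_tries > DEFAULT_MAX_AUTH_TRIES:
        findings.append(f"MaxAuthTries {max_auth_tries} exceeds the default of 6")
    return {"kbdint_enabled": kbdint_enabled,
            "max_auth_tries": max_auth_tries,
            "findings": findings}


# Constructed sample configs for the demonstration (not taken from any host).
VULNERABLE_CONFIG = """\
# shipped default: keyboard-interactive left enabled
Port 22
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22
# mitigation from the scan finding
ChallengeResponseAuthentication no
# ignored by sshd: the first value for a keyword wins
ChallengeResponseAuthentication yes
UsePAM yes
MaxAuthTries 4
Match User oracle
    PasswordAuthentication no
"""


if __name__ == "__main__":
    crafted = ",".join(["pam"] * 1000)   # crafted 'devices' string: 1000 copies
    for name, impl in (("pre-7.0", next_devices_vulnerable), ("7.0+", next_devices_fixed)):
        print(f"{name}: {password_guesses_per_connection(crafted, impl)} guesses per connection")
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg)}")
```

The audit is only meaningful for hosts whose sshd_config you can edit; an ILOM's service processor exposes no such file, which is why the answer below points at a firmware update or network isolation instead.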
Answers
Hi.
You cannot separately update SSH on ILOM.
You can try updating the whole ILOM for this server.
(Check which ILOM version is currently installed and which version is available on support.oracle.com.)
The security problem on management interfaces is persistent.
Management processors have limited resources; the vendor focuses on the internal functions of the device.
For many old devices, updates are not available.
So you can resolve this problem from another side: create a separate network for the management interfaces with limited access (firewall or server-gate).
A security scan on the management interface of many devices can cause unpredictable problems (it can cause a reboot on some arrays or hang the management interface).
Regards,
Nik.