SSH Configuration on Nexpose Servers Allowed Weak Encryption Algorithms

Rapid7 encouraged owners of its Nexpose appliances this week to apply an update to their systems to tweak how SSH is configured by default.

The company warned on Wednesday that the devices shipped with an SSH configuration that could have allowed obsolete key exchange (KEX), encryption and MAC algorithms to be negotiated.

Nexpose devices are preconfigured servers, deployed in server racks, designed to help users gauge vulnerabilities, manage vulnerability data, and limit threat exposure. All physical Nexpose appliances are affected per a disclosure by Samuel Huckins, a program manager with the company, published on Wednesday.

Liam Somerville, a researcher based in Scotland, discovered the vulnerability (CVE-2017-5243) and reported it to the company three weeks ago.

Nothing needs to be downloaded to resolve the issue, but a file does need to be edited, Rapid7 said. According to Huckins, to fix the vulnerability a user with root access has to edit /etc/ssh/sshd_config on the appliance to ensure only modern ciphers, key exchange, and MAC algorithms are accepted. This should lessen the likelihood of any attacks involving authentication.

Prior to the fix, weak and out-of-date encryption algorithms such as AES192-CBC, Blowfish-CBC and 3DES-CBC, and KEX algorithms such as diffie-hellman-group-exchange-sha1, could have been enabled.

“This change should not impact connections from Nexpose instances to the physical appliance. The main impact is shoring up access by SSH clients such that they cannot connect to the appliance using obsolete algorithms,” Huckins wrote.
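As an added example (not Rapid7's remediation script), the following POSIX shell audits an sshd_config for the obsolete algorithms named in the advisory and emits a copy with the three directives replaced by hardened lists. The sample config is constructed for illustration, and the hardened algorithm names are an assumption: the advisory does not publish Rapid7's exact lists, and the names must be supported by the OpenSSH build on the appliance.

```shell
#!/bin/sh
# Added example: audit sshd_config for the weak algorithms named in the
# advisory and print a hardened copy. Not Rapid7's own remediation.

# Algorithms the advisory names as obsolete: CBC ciphers and SHA-1 group exchange.
WEAK_PATTERN='aes192-cbc|blowfish-cbc|3des-cbc|diffie-hellman-group-exchange-sha1'

# Hardened lists (assumption: supported by the appliance's OpenSSH; verify with sshd -T).
HARDENED_CIPHERS='aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
HARDENED_KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
HARDENED_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'

# Constructed sample sshd_config with the weak entries still present.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
Port 22
Ciphers aes256-ctr,aes192-cbc,blowfish-cbc,3des-cbc
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
MACs hmac-sha2-512,hmac-sha2-256
EOF

# Returns 0 when no Ciphers/KexAlgorithms/MACs line lists a weak algorithm,
# 1 when at least one does. Commented-out directives are ignored.
check_sshd_config() {
    weak=$(grep -Ei '^[[:space:]]*(Ciphers|KexAlgorithms|MACs)[[:space:]]' "$1" \
           | grep -Eic "$WEAK_PATTERN" || true)
    [ "$weak" -eq 0 ]
}

# Prints the config with the three algorithm directives replaced by hardened lists;
# every other directive is passed through unchanged.
harden_sshd_config() {
    grep -Eiv '^[[:space:]]*(Ciphers|KexAlgorithms|MACs)[[:space:]]' "$1" || true
    printf 'Ciphers %s\nKexAlgorithms %s\nMACs %s\n' \
        "$HARDENED_CIPHERS" "$HARDENED_KEX" "$HARDENED_MACS"
}

if check_sshd_config "$SAMPLE_CONFIG"; then
    echo "no obsolete algorithms found in $SAMPLE_CONFIG"
else
    echo "obsolete algorithms present in $SAMPLE_CONFIG; hardened config:"
    harden_sshd_config "$SAMPLE_CONFIG"
fi
```

After applying the hardened lists on a real appliance, keep the current session open and confirm a fresh SSH login still works before closing it, since an unsupported algorithm name causes sshd to refuse to start.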

from Threatpost – English – Global – thr… http://bit.ly/2rzQoBk
via IFTTT
