Rapid7 encouraged owners of its Nexpose appliances this week to apply an update to their systems to tweak how SSH is configured by default.
The company warned on Wednesday that the devices were shipped with an SSH configuration that could have allowed some obsolete KEX, encryption and MAC algorithms to be used for key exchange.
Nexpose devices are preconfigured servers, deployed in server racks, designed to help users gauge vulnerabilities, manage vulnerability data, and limit threat exposure. All physical Nexpose appliances are affected per a disclosure by Samuel Huckins, a program manager with the company, published on Wednesday.
Liam Somerville, a researcher based in Scotland, discovered the vulnerability (CVE-2017-5243) and reported it to the company three weeks ago.
Nothing needs to be downloaded to resolve the issue, but a file does need to be edited, Rapid7 said. According to Huckins, to fix the vulnerability a user with root access has to edit /etc/ssh/sshd_config on the appliance to ensure only modern ciphers, key exchange, and MAC algorithms are accepted. This should lessen the likelihood of any attacks involving authentication.
Prior to the fix, weak and out-of-date encryption algorithms such as AES192-CBC, Blowfish-CBC, and 3DES-CBC, and KEX algorithms such as diffie-hellman-group-exchange-sha1, could have been enabled.
“This change should not impact connections from Nexpose instances to the physical appliance. The main impact is shoring up access by SSH clients such that they cannot connect to the appliance using obsolete algorithms,” Huckins wrote.
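One way to check an sshd_config for the condition described above, as an added example that is not Rapid7's code: it flags the algorithms the article names and also reports directives that are left unset, since sshd then falls back to its compiled-in defaults. The function name `audit_sshd_config`, the broader regex patterns and the sample file are assumptions constructed for illustration.

```python
import re

# Algorithms the article names as weak, in OpenSSH spelling.
NAMED_WEAK = {"aes192-cbc", "blowfish-cbc", "3des-cbc",
              "diffie-hellman-group-exchange-sha1"}
# Assumption (not from the article): broader patterns commonly treated as obsolete.
WEAK_PATTERNS = {
    "ciphers": re.compile(r"-cbc(@|$)|^arcfour"),
    "kexalgorithms": re.compile(r"-sha1$"),
    "macs": re.compile(r"md5|sha1|ripemd"),
}
# Constructed sample input, not the appliance's real file.
SAMPLE = """\
# sshd_config (constructed)
Port 22
Ciphers aes256-ctr,aes192-cbc,3des-cbc
MACs hmac-sha2-256,hmac-md5
"""

def audit_sshd_config(text):
    """Return {directive: [findings]} for Ciphers, KexAlgorithms and MACs."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        # sshd uses the first occurrence of a keyword; later ones are ignored.
        if key in WEAK_PATTERNS and key not in seen and len(parts) == 2 and parts[1]:
            seen[key] = parts[1].strip()
    findings = {}
    for key, pattern in WEAK_PATTERNS.items():
        value = seen.get(key)
        if value is None:
            findings[key] = ["not set: compiled-in defaults apply"]
        elif value[0] in "+-^":
            findings[key] = ["modifies defaults instead of pinning a list"]
        else:
            algs = [a.strip().lower() for a in value.split(",") if a.strip()]
            findings[key] = [a for a in algs
                             if a in NAMED_WEAK or pattern.search(a)]
    return findings

if __name__ == "__main__":
    for directive, issues in audit_sshd_config(SAMPLE).items():
        print(directive, "->", issues or "ok")
```

An empty list for all three directives means each one is pinned to an explicit list with no flagged algorithm; the effective server settings can be cross-checked against the output of `sshd -T`.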