Symptoms or Error
BUG0217580 addressed an SSH vulnerability (CVE-2008-5161), the CBC Mode Plaintext Recovery Vulnerability, which affects SSH connections that negotiate a CBC cipher. The bug was reported when NetScaler 10.0 was still the newest version, because NetScaler shipped with an affected version of OpenSSH. The NetScaler bug fix addresses the issue by making a different family of ciphers (AES CTR) the preferred choice and by adding countermeasures that make a CBC-based attack infeasible. Later builds of the newer NetScaler versions (10.1, 10.5, 11.0) inherit these fixes.
However, even though the vulnerability cannot be exploited, customers have opened cases on this concern because security scans flag their NetScaler for it. In the example scan below, nmap run against a NetScaler 11.0 build 64.34 appliance (NSIP 192.168.1.1) lists SSH encryption algorithms that include CBC-based ciphers, and MAC algorithms based on MD5 and on 96-bit truncated tags.
c:\> nmap --script ssh2-enum-algos 192.168.1.1
Starting Nmap 7.11 ( https://nmap.org ) at 2016-03-25 16:35 Eastern Daylight Time
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
[OUTPUT TRUNCATED FOR BREVITY]
|   encryption_algorithms: (13)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       arcfour256
|       arcfour128
|       aes128-cbc
|       3des-cbc
|       blowfish-cbc
|       cast128-cbc
|       aes192-cbc
|       aes256-cbc
|       arcfour
|       rijndael-cbc@lysator.liu.se
|   mac_algorithms: (9)
|       hmac-md5
|       hmac-sha1
|       umac-64@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-ripemd160
|       hmac-ripemd160@openssh.com
|       hmac-sha1-96
|       hmac-md5-96
Solution
Although the bug fix protects the NetScaler from the attack described above, false-positive scan results remain an annoyance for customers. A customer can therefore reconfigure SSH so that future scans no longer flag the issue.
ADVISORY: Make these changes only through the CONSOLE SESSION, to avoid losing access to the NetScaler. Additionally, older versions of Java may fail to connect to the NetScaler 10.5 or 10.1 GUI after the NetScaler is modified with these changes.
1) If the file sshd_config does not already exist in /nsconfig on the NetScaler, copy the default version of the file to /nsconfig:
cp /etc/sshd_config /nsconfig/sshd_config
2) Modify sshd_config to ADD the following lines at the end of the text (DO NOT REPLACE THE EXISTING TEXT, ONLY APPEND THE SUGGESTED TEXT). One check before appending: if the file already contains an uncommented Ciphers or MACs line, comment it out first, because sshd uses the first value it reads for a keyword and would ignore a later duplicate.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-ripemd160
3) Restart SSHD by sending the running process a HUP signal, which makes sshd re-read its configuration. Note: the marks at the beginning and end of cat /var/run/sshd.pid are backquotes (command substitution).
root# kill -HUP `cat /var/run/sshd.pid`
4) The ciphers reported by nmap should now reflect the new configuration:
[OUTPUT TRUNCATED FOR BREVITY]
|   encryption_algorithms: (3)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms: (2)
|       hmac-sha1
|       hmac-ripemd160
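The four steps above combined into one script, as an added example that is not Citrix's own code. It seeds /nsconfig/sshd_config from /etc/sshd_config when needed, comments out any uncommented Ciphers or MACs line already present (OpenSSH's sshd keeps the first value it reads for those keywords, so a line appended after an existing one is silently ignored), appends the two hardened lines only when they are not already in effect, signals sshd, and includes a check that flags the algorithms a scanner objects to, either in a comma-separated list or in saved nmap ssh2-enum-algos output. NS_APPLY is an assumed switch so the functions can be exercised against copies of the files first; the paths are the ones the article names.

```shell
#!/bin/sh
# Added example (not Citrix's own script): applies the article's sshd_config
# change idempotently, guards against a shadowing directive, and checks the
# outcome. NS_APPLY is an assumed switch; the NetScaler paths are the ones the
# article names. Run it from the console session, as the article advises.
set -u

HARD_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr"
HARD_MACS="hmac-sha1,hmac-ripemd160"

# Print the value sshd will use for KEYWORD in FILE. OpenSSH keeps the first
# active (uncommented) occurrence of Ciphers and MACs, so a line appended
# after an existing "Ciphers ..." line is silently ignored.
effective_value() {  # file keyword
    awk -v kw="$2" 'tolower($1) == tolower(kw) { print $2; exit }' "$1"
}

# Comment out every active KEYWORD line in FILE so that an appended one wins.
disable_keyword() {  # file keyword
    awk -v kw="$2" 'tolower($1) == tolower(kw) { print "#" $0; next } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Make KEYWORD evaluate to VALUE; do nothing if it already does (idempotent).
set_keyword() {  # file keyword value
    [ "$(effective_value "$1" "$2")" = "$3" ] && return 0
    disable_keyword "$1" "$2"
    printf '%s %s\n' "$2" "$3" >> "$1"
}

# Steps 1 and 2 of the article: seed CONFIG from DEFAULT if it does not exist,
# then force the CTR-only cipher list and the SHA-1/RIPEMD-160 MAC list.
harden_sshd_config() {  # config default
    [ -f "$1" ] || cp "$2" "$1"
    set_keyword "$1" Ciphers "$HARD_CIPHERS"
    set_keyword "$1" MACs "$HARD_MACS"
}

# Exit 0 if the comma-separated LIST still carries an algorithm that scanners
# flag: CBC modes, arcfour, MD5-based MACs or 96-bit truncated MACs.
has_weak_algos() {  # list
    for a in $(printf '%s' "$1" | tr ',' ' '); do
        case $a in
            *-cbc|*-cbc@*|arcfour*|*md5*|*-96) return 0 ;;
        esac
    done
    return 1
}

# Read "nmap --script ssh2-enum-algos" output on stdin and print each
# advertised algorithm that has_weak_algos flags, one per line.
weak_algos_in_scan() {
    sed -n 's/^|_*[[:space:]]*\([a-z0-9][a-z0-9@.-]*\)[[:space:]]*$/\1/p' |
    while read -r a; do
        has_weak_algos "$a" && printf '%s\n' "$a"
    done
}

# On the appliance: NS_APPLY=1 sh harden_ssh.sh
if [ "${NS_APPLY:-0}" = 1 ]; then
    harden_sshd_config /nsconfig/sshd_config /etc/sshd_config
    kill -HUP "$(cat /var/run/sshd.pid)"      # step 3: sshd re-reads its config
    echo "Ciphers: $(effective_value /nsconfig/sshd_config Ciphers)"
    echo "MACs:    $(effective_value /nsconfig/sshd_config MACs)"
fi
```

After the HUP, re-run the nmap scan from the scanner host and pipe the saved output through weak_algos_in_scan; an empty result is the state the article's step 4 shows. The script only touches the keywords it sets, so the rest of the copied default configuration is preserved exactly as the article requires.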
Problem Cause
The NetScaler is flagged for the vulnerability because probes against the NSIP with tools like nmap report the SSH ciphers the server advertises, and that list includes CBC ciphers. Quick security scans typically do not verify that a flagged cipher can actually be negotiated for an SSH connection, let alone that the attack succeeds against it. The scan result may also flag enabled weak MAC algorithms (MD5-based or 96-bit truncated), again without attempting to use them.
Additional Resources
http://support.ctx.org.cn/CTX124551.citrix