Hi Keith,
According documentation for 5500 you cannot change KEX method for SSH server. You can only decide which method to use when you initiate SSH sessions to remote servers from the 5500 itself (e.g. when you use 5500 as a SSH client), but even in this case your choice is limited:
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group1-sha1
- diffie-hellman-group14-sha1
You can see syntax of 'ssh2' command for more details. Seems like this device supports only those 3 DH groups and nothing more. Therefore even if KEX method change for a local server would be possible I don't think you can mitigate this vulnerability with the DH groups supported, neither of these will help you as CVE-2002-20001 recommends
DHE key exchange method to be disabled and the Elliptic Curve Diffie-Hellman method to be used as a workaround. And seems 5500 doesn't support ECDHE, at least I couldn't find any reference to it.Just my 2 cents, totally personal opinion: Management interfaces of network infrastructure devices normally are separated in an OOB network, so chances some of authorized personell will want to exploit this vulnerability is quite low... Also, this switch is EoL, I mention it to set realistic expectations about a patch taking into account this CVE has been created just couple of months ago.
------------------------------
Ivan Bondar
------------------------------
Original Message:
Sent: Jan 11, 2022 10:58 AM
From: Keith Chalmers
Subject: ssh KEX methods
Hi
Does anyone know if it's possible to configure key exchange methods for ssh? I have an A5500 EI switch that's throwing up vulnerabilities on our scanner because of this (see details below).
Thanks in advance
Details
Technical Details
The remote SSH server supports the following DHE KEX algorithm(s):
diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1
External Sources
The following external sources can help provide some more information on this vulnerability
https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol
https://github.com/Balasys/dheater
Detection
Checks the supported KEX algorithms of the remote SSH server.
CVEs
This vulnerability covers the following CVEs:
CVE-2002-20001
------------------------------
Keith Chalmers
------------------------------