Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-72-2349308.1
Update Date:2018-01-17

Solution Type: Problem Resolution Sure

Solution 2349308.1: Oracle ZFS Storage Appliance: Nessus (security scan) has detected that ZFSSA is configured to use Arcfour stream cipher


Related Items
  • Sun ZFS Storage 7420
  • Oracle ZFS Storage ZS5-2
  • Oracle ZFS Storage ZS3-2
  • Oracle ZFS Storage ZS4-4
  • Oracle ZFS Storage ZS5-4
  • Oracle ZFS Storage ZS3-4
  • Sun ZFS Storage 7120
  • Sun ZFS Storage 7320
  • Oracle ZFS Storage ZS3-BA
Related Categories
  • PLA-Support>Sun Systems>DISK>ZFS Storage>SN-DK: ZS




In this Document
Symptoms
Changes
Cause
Solution
References


Applies to:

Oracle ZFS Storage ZS5-4 - Version All Versions and later
Oracle ZFS Storage ZS5-2 - Version All Versions and later
Oracle ZFS Storage ZS4-4 - Version All Versions and later
Oracle ZFS Storage ZS3-4 - Version All Versions and later
Oracle ZFS Storage ZS3-2 - Version All Versions and later
7000 Appliance OS (Fishworks)

Symptoms

Product Name : ZS3-2
Product version : Running 2013.1.6.5

Details of the issue/question:

After a vulnerability assessment revealed some security issues on ZFS storage:

 - For ssh services: Nessus has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.

Action: Contact the vendor or consult product documentation to remove the weak ciphers.

 

TSC Analysis

Reference:  https://vulners.com/nessus/SSH_WEAK_ENCRYPTION_ALGORITHMS.NASL

SSH Weak Algorithms Supported
2016-04-04 00:00:00

ID SSH_WEAK_ENCRYPTION_ALGORITHMS.NASL
Type nessus
Reporter Tenable
Modified 2016-12-14 00:00:00

Description
Nessus has detected that the remote SSH server is configured to use the Arcfour stream
cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.

NASL Family
Misc.

References: https://tools.ietf.org/html/rfc4253#section-6
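The scanner learns which ciphers the server offers from the SSH_MSG_KEXINIT message it receives during the handshake (RFC 4253 section 7.1), so the same message is what a defender can decode from a captured handshake to confirm or close out this finding. The following decoder is an added example written for this note; it is not Tenable's plugin and not Oracle appliance code. The cipher lists it feeds through the parser are constructed: one imitates a pre-OS8.7 server that still advertises the arcfour family, the other is the OS8.7.11 Ciphers list shown further down in this document.

```python
"""Decode an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) and list the
ciphers RFC 4253 advises against (the arcfour family and 'none').

Added example for this note; not Tenable's plugin and not Oracle code.
"""
import struct

SSH_MSG_KEXINIT = 20
COOKIE_LEN = 16

# The ten name-lists of KEXINIT, in wire order.
NAME_LISTS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def _read_name_list(buf, off):
    """Read one RFC 4251 name-list: uint32 length, then comma-separated names."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list body")
    names = raw.decode("ascii").split(",") if raw else []
    return names, off + n


def parse_kexinit(payload):
    """Return the KEXINIT fields as a dict. 'payload' is the packet payload
    with the binary-packet framing (length, padding, MAC) already removed."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + COOKIE_LEN  # message id + 16-byte random cookie
    fields = {}
    for name in NAME_LISTS:
        fields[name], off = _read_name_list(payload, off)
    fields["first_kex_packet_follows"] = bool(payload[off])
    off += 1
    (fields["reserved"],) = struct.unpack_from(">I", payload, off)
    return fields


def weak_ciphers(fields):
    """Weak ciphers offered in either direction; either one could be negotiated."""
    offered = set(fields["encryption_algorithms_client_to_server"])
    offered |= set(fields["encryption_algorithms_server_to_client"])
    return sorted(c for c in offered if c.startswith("arcfour") or c == "none")


def build_kexinit(ciphers, macs=("hmac-sha1",), kex=("diffie-hellman-group14-sha1",),
                  hostkeys=("ssh-rsa",), compression=("none",)):
    """Build a constructed KEXINIT payload (zero cookie) so the parser can be
    exercised offline. A real server sends its own lists and a random cookie."""
    def nl(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    return (bytes([SSH_MSG_KEXINIT]) + bytes(COOKIE_LEN)
            + nl(kex) + nl(hostkeys)
            + nl(ciphers) + nl(ciphers)
            + nl(macs) + nl(macs)
            + nl(compression) + nl(compression)
            + nl(()) + nl(())            # no language preferences
            + b"\x00" + struct.pack(">I", 0))


# Constructed sample lists: LEGACY_CIPHERS imitates a pre-OS8.7 server that
# still offers arcfour; OS87_CIPHERS is the OS8.7.11 Ciphers line from this note.
LEGACY_CIPHERS = ("aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour128",
                  "arcfour256", "arcfour", "aes128-cbc", "3des-cbc")
OS87_CIPHERS = ("aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
                "rijndael-cbc@lysator.liu.se", "aes128-ctr", "aes192-ctr",
                "aes256-ctr", "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc")

if __name__ == "__main__":
    for label, lst in (("legacy", LEGACY_CIPHERS), ("OS8.7", OS87_CIPHERS)):
        print(label, "weak ciphers:", weak_ciphers(parse_kexinit(build_kexinit(lst))))
```

Run against a payload extracted from a packet capture of the appliance's port 22, an empty result from weak_ciphers() is what clears the Nessus plugin; a non-empty result on a pre-OS8.7 release is the expected state described under Cause below.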

 

Researching contents of '/etc/ssh/sshd_config' for various ZFSSA AK releases:

7320 running 2013.1.6.2

s7320-brm06-b-h0# cat /etc/ssh/sshd_config
#
# Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
#

Protocol 2
Port 22
ListenAddress ::
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel info

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 120
MaxAuthTries 6
MaxAuthTriesLog 3
PermitEmptyPasswords no
PasswordAuthentication yes
PermitRootLogin yes
LookupClientHostnames no
HostbasedUsesNameFromPacketOnly yes
MaxStartups 50:30:100

 

ZS5-2 running 2013.1.6.11

zs5-2-brm06-b-h0# cat /etc/ssh/sshd_config
#
# Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
#

Protocol 2
Port 22
ListenAddress ::
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel info

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 120
MaxAuthTries 6
MaxAuthTriesLog 3
PermitEmptyPasswords no
PasswordAuthentication yes
PermitRootLogin yes
LookupClientHostnames no
HostbasedUsesNameFromPacketOnly yes
MaxStartups 50:30:100

 

ZS3-2 running 2013.1.7.11 (OS8.7.11)

zs3-2-brm06-a# cat /etc/ssh/sshd_config
#
# Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
#

Protocol 2
Port 22
ListenAddress ::
ListenAddress 0.0.0.0
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel info

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
StrictModes yes
LoginGraceTime 120
MaxAuthTries 6
PermitEmptyPasswords no
PasswordAuthentication yes
PermitRootLogin yes
UseDNS no
HostbasedUsesNameFromPacketOnly yes
MaxStartups 50:30:100

#
# The remainder of this file is constructed by the aksshd script
# to add Ciphers and MACs directives.
#
Ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96

NOTE: An explicit Ciphers directive is present only in the OS8.7 release, and its list does not include arcfour. The pre-OS8.7 files above carry no Ciphers directive at all, so those servers fall back to the built-in cipher default.
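The three sshd_config listings above show the practical test: a file without a Ciphers directive tells you nothing about what the server offers, while the OS8.7 file states its cipher list explicitly. The following audit script is an added example written for this note, not the appliance's aksshd script; it embeds reduced excerpts of the two configurations above (constructed from the listings) and assumes the AK-to-OS release mapping this page shows (2013.1.7.11 is OS8.7.11, so 2013.1.X.Y is read as OS8.X.Y).

```python
"""Audit an sshd_config for weak SSH ciphers, taking the absence of a Ciphers
directive into account.

Added example for this note; not Oracle's aksshd script. Assumes the
AK-to-OS release mapping shown on this page (2013.1.X.Y -> OS8.X.Y).
"""
import re

# Constructed excerpts of the two configurations listed in this note.
# The pre-OS8.7 file has no Ciphers directive at all.
PRE87_CONFIG = """\
# Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
Protocol 2
Port 22
PermitRootLogin yes
MaxStartups 50:30:100
"""

OS87_CONFIG = """\
Protocol 2
Port 22
PermitRootLogin yes
#
# The remainder of this file is constructed by the aksshd script
# to add Ciphers and MACs directives.
#
Ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
"""

# Ciphers RFC 4253 advises against: the arcfour family and 'none'.
WEAK_CIPHER = re.compile(r"^(arcfour.*|none)$")


def parse_sshd_config(text):
    """Map lowercase keyword -> value. sshd keeps the FIRST value it sees for a
    keyword, so later duplicates are ignored here as well; comments and blank
    lines are skipped, and 'Key value' / 'Key=value' are both accepted."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, value)
    return conf


def is_pre_os87(ak_version):
    """True for AK releases before 2013.1.7 (OS8.7). Assumption: the page's
    2013.1.X.Y -> OS8.X.Y mapping. Unparseable strings are treated as pre-8.7,
    the conservative choice for an audit."""
    m = re.match(r"^2013\.1\.(\d+)", ak_version)
    if not m:
        return True
    return int(m.group(1)) < 7


def audit_ciphers(text, ak_version):
    """Return (weak_ciphers, reason). With no Ciphers directive the server uses
    its built-in default, which on pre-OS8.7 appliances includes arcfour."""
    conf = parse_sshd_config(text)
    if "ciphers" not in conf:
        if is_pre_os87(ak_version):
            return (["arcfour (built-in default)"],
                    "no Ciphers directive; pre-OS8.7 default enables arcfour")
        return ([], "no Ciphers directive; confirm the offered list from a handshake")
    ciphers = [c for c in conf["ciphers"].split(",") if c]
    weak = [c for c in ciphers if WEAK_CIPHER.match(c)]
    return (weak, "explicit Ciphers directive (%d entries)" % len(ciphers))


def strip_weak(cipher_list):
    """Generic helper for hosts whose sshd_config is hand-maintained: the same
    comma-separated list with arcfour/none removed. On the appliance the file
    is generated by aksshd, so the fix there is the release upgrade, not an edit."""
    return ",".join(c for c in cipher_list.split(",") if c and not WEAK_CIPHER.match(c))


if __name__ == "__main__":
    print("2013.1.6.5 :", audit_ciphers(PRE87_CONFIG, "2013.1.6.5"))
    print("2013.1.7.11:", audit_ciphers(OS87_CONFIG, "2013.1.7.11"))
```

The pre-8.7 case is the one that is easy to get wrong in a compliance check: grepping the file for "arcfour" finds nothing, yet the scanner is right, because the default list is never written to the file.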

 

Changes

None.

 

Cause

Arcfour ciphers are configured by default in pre-OS8.7.x releases.

 

Solution

Update from Engineering regarding 'SSH/Arcfour stream cipher':

The solution is to upgrade to an OS 8.7.x release.

AK 8.7.x introduced the ability to select SSH ciphers and refresh the list.

 

It is recommended to upgrade to an OS 8.7.x release (or later); see MOS Doc ID 2021771.1.

 

 


Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.