topic Re: Qualys Scan alert on OpenSSH J-Pake in General Topics

Qualys Scan alert on OpenSSH J-Pake

dru — Wed, 10 Apr 2013 19:29:36 GMT

We run Qualys scans on the internal network, and it's picking up that the PA's are running OpenSSH ver 5.2. I receive the following warning:

OpenSSH, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol. This allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.

Affected Software:

OpenSSH versions 5.6 and prior.

The CVSS base is 7.5/10. It suggests to update to 5.7 or later. Obviously that's not an option from my point of view. This however could be deemed a false positive if J-Pake is not enabled. Can someone confirm if J-pake is running on this installation or if a newer version of OpenSSH is being looked into?

Thanks.

Re: Qualys Scan alert on OpenSSH J-Pake

ericgearhart — Wed, 10 Apr 2013 20:18:03 GMT

Just for kicks I compiled a local copy of OpenSSH 5.5 with the jpake source (from https://github.com/seb-m/jpake/tree/master/openssh-jpake ) and it doesn't appear to work:

eric@laptop:~/jpake/openssh-5.5p1> ./ssh -o "ZeroKnowledgePasswordAuthentication yes" user@my-PA-firewall

command-line line 0: Unsupported option "ZeroKnowledgePasswordAuthentication"

Password:

Re: Qualys Scan alert on OpenSSH J-Pake

BenLassila — Mon, 22 Jul 2013 09:31:12 GMT

Qualys gives me this against Panos 5.1.1:

SSH-2.0-OpenSSH_11.1 - "UseLogin" option threat, upgrade to OpenSSH 2.1.1 or later.

CVE-2000-0525, bugtraq 1334.

I wonder if "UseLogin" is enabled. Not sure it's relevant on a locked-down CLI, but it's coming up in Qualys.

Re: Qualys Scan alert on OpenSSH J-Pake

mikand — Tue, 23 Jul 2013 19:46:58 GMT

5.1.1 is Panorama and not PAN-OS as far as I know...

Re: Qualys Scan alert on OpenSSH J-Pake

BenLassila — Wed, 24 Jul 2013 07:44:38 GMT

Well, yes. We scanned the M-100. Easy to collectively refer to Panorama as PAN-OS, because the look'n'feel is so similar.

Re: Qualys Scan alert on OpenSSH J-Pake

ericgearhart — Wed, 24 Jul 2013 13:14:02 GMT

Well and PA themselves call it PANOS too... they released a "PANOS CLI guide" for Panorama 5.1 when it came out.... not a "Panorama CLI Guide." The support ticket interface has an entry for PANOS 5.1 and PANOS-5.1.1 in the little OS release" dropdown too. So it's completely correct to call the thing PANOS in my humble opinion.

Re: Qualys Scan alert on OpenSSH J-Pake

sspringer — Wed, 24 Jul 2013 16:22:05 GMT

Hello,

J-PAKE is not enabled in PanOS implementation of SSH.

-Stefan