- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-10-2013 12:29 PM
We run Qualys scans on the internal network, and it's picking up that the PA's are running OpenSSH ver 5.2. I receive the following warning:
OpenSSH, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol. This allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
Affected Software:
OpenSSH versions 5.6 and prior.
The CVSS base is 7.5/10. It suggests to update to 5.7 or later. Obviously that's not an option from my point of view. This however could be deemed a false positive if J-Pake is not enabled. Can someone confirm if J-pake is running on this installation or if a newer version of OpenSSH is being looked into?
Thanks.
04-10-2013 01:18 PM
Just for kicks I compiled a local copy of OpenSSH 5.5 with the jpake source (from https://github.com/seb-m/jpake/tree/master/openssh-jpake ) and it doesn't appear to work:
eric@laptop:~/jpake/openssh-5.5p1> ./ssh -o "ZeroKnowledgePasswordAuthentication yes" user@my-PA-firewall
command-line line 0: Unsupported option "ZeroKnowledgePasswordAuthentication"
Password:
07-22-2013 02:31 AM
Qualys gives me this against Panos 5.1.1:
SSH-2.0-OpenSSH_11.1 - "UseLogin" option threat, upgrade to OpenSSH 2.1.1 or later.
CVE-2000-0525, bugtraq 1334.
I wonder if "UseLogin" is enabled. Not sure it's relevant on a locked-down CLI, but it's coming up in Qualys.
07-23-2013 12:46 PM
5.1.1 is Panorama and not PAN-OS as far as I know...
07-24-2013 12:44 AM
Well, yes. We scanned the M-100. Easy to collectively refer to Panorama as PAN-OS, because the look'n'feel is so similar.
07-24-2013 06:14 AM
Well and PA themselves call it PANOS too... they released a "PANOS CLI guide" for Panorama 5.1 when it came out.... not a "Panorama CLI Guide." The support ticket interface has an entry for PANOS 5.1 and PANOS-5.1.1 in the little OS release" dropdown too. So it's completely correct to call the thing PANOS in my humble opinion.
07-24-2013 09:22 AM
Hello,
J-PAKE is not enabled in PanOS implementation of SSH.
-Stefan
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!