We run Qualys scans on the internal network, and it's picking up that the PAs are running OpenSSH version 5.2. I receive the following warning:
OpenSSH, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol. This allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
OpenSSH versions 5.6 and prior.
The CVSS base is 7.5/10. It suggests updating to 5.7 or later. Obviously that's not an option from my point of view. This however could be deemed a false positive if J-PAKE is not enabled. Can someone confirm whether J-PAKE is running on this installation, or whether a newer version of OpenSSH is being looked into?
Just for kicks I compiled a local copy of OpenSSH 5.5 with the jpake source (from https://github.com/seb-m/jpake/tree/master/openssh-jpake ) and it doesn't appear to work:
eric@laptop:~/jpake/openssh-5.5p1> ./ssh -o "ZeroKnowledgePasswordAuthentication yes" user@my-PA-firewall
command-line line 0: Unsupported option "ZeroKnowledgePasswordAuthentication"
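A banner-triage helper in the spirit of the check above (an added example, not code from the thread or from Palo Alto Networks): it parses an OpenSSH version banner, decides whether the version falls in the "5.6 and prior" range Qualys flags, and records that a banner alone cannot tell whether the build has J-PAKE compiled in. The sample banners are constructed from the versions the posts mention.

```python
import re
import socket

# Constructed sample banners, built from the version strings quoted in the thread.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_5.2",      # what the scan reports for the PA firewalls
    "SSH-2.0-OpenSSH_5.5p1",    # the locally compiled copy
    "SSH-2.0-OpenSSH_11.1",     # the odd banner in the UseLogin finding
    "SSH-2.0-dropbear_2019.78", # not OpenSSH at all: finding does not apply
]

# Matches "SSH-<proto>-OpenSSH_<major>.<minor>[.<patch>][p<portable>]".
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?:p(?P<portable>\d+))?"
)

def parse_openssh_banner(banner):
    """Return the OpenSSH version as an int tuple, e.g. (5, 5) for 5.5p1, or None."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group("ver").split("."))

def triage_jpake_finding(banner, fixed_version=(5, 7)):
    """Classify a banner against the J-PAKE advisory (affects 5.6 and prior).

    version_in_affected_range is None when the banner is not OpenSSH, so the
    finding cannot apply. Even when True, the banner only shows the version:
    J-PAKE is a build option, so the result is 'possible', never 'confirmed'.
    """
    version = parse_openssh_banner(banner)
    in_range = None if version is None else version < fixed_version
    return {
        "banner": banner,
        "version": version,
        "version_in_affected_range": in_range,
        "jpake_confirmed": False,  # a banner check can never establish this
        "note": ("not an OpenSSH banner; finding does not apply" if version is None
                 else "version in advisory range; verify build options with vendor"
                 if in_range else "version at or above fixed release"),
    }

def grab_banner(host, port=22, timeout=5.0):
    """Read the server's SSH identification line (network helper, not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").splitlines()[0]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(triage_jpake_finding(b))
```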
Qualys gives me this against Panos 5.1.1:
SSH-2.0-OpenSSH_11.1 - "UseLogin" option threat, upgrade to OpenSSH 2.1.1 or later.
CVE-2000-0525, bugtraq 1334.
I wonder if "UseLogin" is enabled. Not sure it's relevant on a locked-down CLI, but it's coming up in Qualys.
Well, and PA themselves call it PANOS too... they released a "PANOS CLI guide" for Panorama 5.1 when it came out, not a "Panorama CLI Guide." The support ticket interface has an entry for PANOS 5.1 and PANOS-5.1.1 in the little "OS release" dropdown too. So it's completely correct to call the thing PANOS, in my humble opinion.