Qualys Scan alert on OpenSSH J-Pake

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L0 Member

Qualys Scan alert on OpenSSH J-Pake

We run Qualys scans on the internal network, and it's picking up that the PA's are running OpenSSH ver 5.2. I receive the following warning:

OpenSSH, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol. This allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.

Affected Software:

OpenSSH versions 5.6 and prior.

The CVSS base is 7.5/10. It suggests to update to 5.7 or later. Obviously that's not an option from my point of view. This however could be deemed a false positive if J-Pake is not enabled. Can someone confirm if J-pake is running on this installation or if a newer version of OpenSSH is being looked into?

Thanks.

Tags (2)
Highlighted
L4 Transporter

Just for kicks I compiled a local copy of OpenSSH 5.5 with the jpake source (from https://github.com/seb-m/jpake/tree/master/openssh-jpake ) and it doesn't appear to work:

eric@laptop:~/jpake/openssh-5.5p1> ./ssh -o "ZeroKnowledgePasswordAuthentication yes" user@my-PA-firewall

command-line line 0: Unsupported option "ZeroKnowledgePasswordAuthentication"

Password:

Highlighted
L3 Networker

Qualys gives me this against Panos 5.1.1:

SSH-2.0-OpenSSH_11.1 - "UseLogin" option threat, upgrade to OpenSSH 2.1.1 or later.

CVE-2000-0525, bugtraq 1334.

I wonder if "UseLogin" is enabled. Not sure it's relevant on a locked-down CLI, but it's coming up in Qualys.

Highlighted
L6 Presenter

5.1.1 is Panorama and not PAN-OS as far as I know...

Highlighted
L3 Networker

Well, yes. We scanned the M-100. Easy to collectively refer to Panorama as PAN-OS, because the look'n'feel is so similar.

Highlighted
L4 Transporter

Well and PA themselves call it PANOS too... they released a "PANOS CLI guide" for Panorama 5.1 when it came out.... not a "Panorama CLI Guide." The support ticket interface has an entry for PANOS 5.1 and PANOS-5.1.1 in the little OS release" dropdown too. So it's completely correct to call the thing PANOS in my humble opinion.

Highlighted
L4 Transporter

Hello,

J-PAKE is not enabled in PanOS implementation of SSH.

-Stefan

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!