Qualys Scan alert on OpenSSH J-Pake


L0 Member

We run Qualys scans on the internal network, and it's picking up that the PAs are running OpenSSH ver 5.2. I receive the following warning:

OpenSSH, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol. This allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.

Affected Software:

OpenSSH versions 5.6 and prior.

The CVSS base is 7.5/10. It suggests updating to 5.7 or later. Obviously that's not an option from my point of view. This however could be deemed a false positive if J-PAKE is not enabled. Can someone confirm if J-PAKE is running on this installation or if a newer version of OpenSSH is being looked into?

Thanks.

6 REPLIES 6

L4 Transporter

Just for kicks I compiled a local copy of OpenSSH 5.5 with the jpake source (from https://github.com/seb-m/jpake/tree/master/openssh-jpake ) and it doesn't appear to work:

eric@laptop:~/jpake/openssh-5.5p1> ./ssh -o "ZeroKnowledgePasswordAuthentication yes" user@my-PA-firewall

command-line line 0: Unsupported option "ZeroKnowledgePasswordAuthentication"

Password:

Qualys gives me this against Panos 5.1.1:

SSH-2.0-OpenSSH_11.1 - "UseLogin" option threat, upgrade to OpenSSH 2.1.1 or later.

CVE-2000-0525, bugtraq 1334.

I wonder if "UseLogin" is enabled. Not sure it's relevant on a locked-down CLI, but it's coming up in Qualys.

5.1.1 is Panorama and not PAN-OS as far as I know...

Well, yes. We scanned the M-100. Easy to collectively refer to Panorama as PAN-OS, because the look'n'feel is so similar.

Well, and PA themselves call it PANOS too... they released a "PANOS CLI guide" for Panorama 5.1 when it came out... not a "Panorama CLI Guide." The support ticket interface has an entry for PANOS 5.1 and PANOS-5.1.1 in the little "OS release" dropdown too. So it's completely correct to call the thing PANOS in my humble opinion.

L4 Transporter

Hello,

J-PAKE is not enabled in the PanOS implementation of SSH.

-Stefan
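
One way to collect evidence for triaging the finding discussed in this thread, as an added example that is not part of the original posts and not Palo Alto Networks or Qualys code: it parses saved `ssh -v` client output and reports whether the server offered the J-PAKE userauth method. The method name `jpake-01@openssh.com` is taken from upstream OpenSSH's experimental J-PAKE code and is an assumption here, as are the sample log lines, which are constructed.

```python
import re

# Userauth method name of OpenSSH's experimental J-PAKE support
# (assumption: taken from upstream OpenSSH source, not from this thread).
JPAKE_METHOD = "jpake-01@openssh.com"

BANNER_RE = re.compile(r"remote software version (\S+)")
METHODS_RE = re.compile(r"Authentications that can continue: (\S+)")


def triage(verbose_output):
    """Return (banner, offered_methods, verdict) from `ssh -v` client output.

    The verdict is evidence for a false-positive review, not proof: a server
    only lists the methods it is willing to continue with for that login.
    """
    banner = None
    methods = set()
    for line in verbose_output.splitlines():
        m = BANNER_RE.search(line)
        if m:
            banner = m.group(1)
        m = METHODS_RE.search(line)
        if m:
            methods.update(x for x in m.group(1).split(",") if x)
    if not methods:
        verdict = "inconclusive"       # no method list captured
    elif JPAKE_METHOD in methods:
        verdict = "jpake-offered"      # finding needs real remediation
    else:
        verdict = "jpake-not-offered"  # supports a false-positive claim
    return banner, sorted(methods), verdict


# Constructed sample output (not captured from a real device).
SAMPLE_NO_JPAKE = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: Authentications that can continue: publickey,password,keyboard-interactive
"""
SAMPLE_JPAKE = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5
debug1: Authentications that can continue: publickey,password,jpake-01@openssh.com
"""

if __name__ == "__main__":
    for sample in (SAMPLE_NO_JPAKE, SAMPLE_JPAKE):
        print(triage(sample))
```

A "jpake-not-offered" result alongside a flagged version string is the kind of evidence to attach to a false-positive exception, together with the vendor's statement.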
