Quantum Forum V

Quantum Forum for DXi V5000

Security Issues with DXiV1000 2.3.22 (12646-56386 Build3) - How do we resolve?

We've recently gone through a security audit and this device was highlighted as having a number of potential security issues.  Is there some way to resolve these issues via configuration or is there a newer build of the firmware that resolves the issues? 

Here's the list of items that were detected:

  1. NFS - Exports are viewable - UDP 2049
  2. Remote Procedure Call Service Present - statd.kstat.status - UDP 628
  3. CVE-2006-4924 - OpenBSD - OpenSSH - Denial of Service Issue - TCP 22
  4. CVE-2006-5051 - Portable OpenSSH - GSSAPI - Code Execution Issue - TCP 22
  5. Portmapper - Potential Problem Typically Unused Service - UDP 111
  6. CVE-2007-4752 - OpenBSD - OpenSSH - Security Bypass Issue - TCP 22
  7. CVE-2010-4478 - OpenBSD - OpenSSH - Security Bypass Issue - TCP 22
  8. CVE-2014-1692 - OpenSSH - Memory Corruption Issue - TCP 22

There are also another 8 Medium security issues detected also all around TCP 22 (SSH).

Views: 40

Reply to This

Replies to This Discussion

Hello Matthew,

2.3.2.2 is the most current version for the DXi V1000. As vulnerabilities are detected, patches are applied in future firmware updates. I do not have an ETA but 2.3.3 is in the test phase for the physical DXIs so it should also be available for the virtual DXIs at some point.

Update:

2.3.3 is in controlled release and slated to release soon. Also here is feedback on the critical CVEs in the post above.

 

CVE

Version Fixed

Notes

CVE-2006-4924 - OpenBSD - OpenSSH - Denial of Service Issue - TCP 22

DXi 2.3.3

openssh-server-4.3p2-36.el5_4.4

CVE-2006-5051 - Portable OpenSSH - GSSAPI - Code Execution Issue - TCP 22

DXi 2.3.3

openssh-server-4.3p2-36.el5_4.4

CVE-2007-4752 - OpenBSD - OpenSSH - Security Bypass Issue - TCP 22

DXi 2.3.3

openssh-server-4.3p2-36.el5_4.4

CVE-2010-4478 - OpenBSD - OpenSSH - Security Bypass Issue - TCP 22

N/A

Not vulnerable.

It's not enabled in Red Hat  Enterprise Linux and Fedora openssh packages.

CVE-2014-1692 - OpenSSH - Memory Corruption Issue - TCP 22

N/A

Not vulnerable.

The code for J-PAKE support is not compiled into the Red Hat shipped binaries.

 

RSS

Tips + Tricks

© 2024   Created by Quantum Forum V.   Powered by

Badges  |  Report an Issue  |  Terms of Service