chrisjoles
New Contributor

Security Issues with Netvanta 1544P

We just had a configuration audit and all of our 1544P switches kicked out issues with:

SSL Ciphers Weak

SSL Certificate Weak Hashing Algorithm

SSL/TLS Renegotiation Vuln

SSH Server CBC Mode Ciphers Enabled

After further review on this, I have found that SSH V2 is enabled.  How can I disable SSH v1?

Will upgrading the firmware to the latest release remove the SSL issues noted?

Thanks!

Chris

0 Kudos
3 Replies
Anonymous
Not applicable

Re: Security Issues with Netvanta 1544P

chrisjoles:

Thank you for asking this question in the support community.

Unfortunately, every security audit software is different, so it is difficult to create a standard to meet all of the criteria.  The Security Audit in AOS Quick Configuration Guide has valuable information about ADTRAN's ability to meet the requirements.  To answer your questions, at the time of this post, AOS units support SSHv2 only.  Therefore, there is no need to disable SSHv1, as it is not supported.  There have been some SSL features and enhancements in AOS, but I cannot determine if upgrading will alleviate the issues noted by the auditing software.  ADTRAN always recommends running the current maintenance release, as indicated on the product firmware download page.

Please, let me know if you have any additional questions.  I will be happy to help in any way I can.

Levi

Anonymous
Not applicable

Re: Security Issues with Netvanta 1544P

Christopher,

I am marking this assumed answered. However, if you have more to add please do not hesitate to do so.

Thanks,

Evan

Anonymous
Not applicable

Re: Security Issues with Netvanta 1544P

It is a serious vulnerability to not support a current, secure, key exchange algorithm and cipher suite.  This is what was required to connect to my Adtran 1544P with firmware R12.3.3.

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=+3des-cbc admin@xxx.xxx.xxx.xxx

Why do you think it is that OpenSSH doesn't support these by default?  Also tell me why I should not submit this to DHS?

I'm not talking about SSH1.
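
An added example, not part of the thread and not ADTRAN's code: a way to confirm the "SSH Server CBC Mode Ciphers Enabled" finding and the key-exchange problem from the last reply by decoding the server's SSH_MSG_KEXINIT proposal (RFC 4253, section 7.1) and flagging diffie-hellman-group1-sha1 and any CBC cipher. The function names and the sample payload are assumptions built for illustration; the sample is constructed, not captured from a 1544P.

```python
import struct

# RFC 4253 section 7.1: the ten name-lists of SSH_MSG_KEXINIT, in wire order.
FIELDS = ("kex_algorithms", "server_host_key_algorithms", "ciphers_c2s",
          "ciphers_s2c", "macs_c2s", "macs_s2c", "compression_c2s",
          "compression_s2c", "languages_c2s", "languages_s2c")
SSH_MSG_KEXINIT = 20

def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload into {field: [algorithm names]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}                      # skip type byte + 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError(f"truncated before {field}")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError(f"name-list {field} overruns payload")
        raw = payload[pos:pos + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        pos += n
    return out

def audit(proposal: dict) -> list:
    """Return (field, algorithm, finding) for the items the audit flagged."""
    findings = [("kex_algorithms", n, "1024-bit DH group with SHA-1")
                for n in proposal["kex_algorithms"] if n == "diffie-hellman-group1-sha1"]
    for field in ("ciphers_c2s", "ciphers_s2c"):
        for name in proposal[field]:
            if name.endswith("-cbc"):
                findings.append((field, name, "CBC mode cipher"))
    return findings

def build_kexinit(lists) -> bytes:
    """Build a payload for the sample below (constructed test data)."""
    body = b"".join(struct.pack(">I", len(s)) + s
                    for s in (",".join(l).encode() for l in lists))
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)

# Constructed sample proposal, not captured from a 1544P.
SAMPLE = build_kexinit([
    ["diffie-hellman-group1-sha1"], ["ssh-rsa"],
    ["3des-cbc", "aes128-cbc"], ["3des-cbc", "aes128-cbc"],
    ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"], [], []])

if __name__ == "__main__":
    print(*audit(parse_kexinit(SAMPLE)), sep="\n")
```

Run against the proposal recorded before and after a firmware upgrade, an empty findings list shows that these two audit items are actually cleared.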