there is some vulnerability on switch, just for reference

Latest reply: Oct 12, 2018 14:14:41

Nessus findings, listed as Name / Synopsis / Description:

SSL Certificate Cannot Be Trusted

The SSL certificate for this service cannot be trusted.

The server's X.509 certificate cannot be trusted. This situation can
occur in three different ways, in which the chain of trust can be
broken, as stated below:

  - First, the top of the certificate chain sent by the
    server might not be descended from a known public
    certificate authority. This can occur either when the
    top of the chain is an unrecognized, self-signed
    certificate, or when intermediate certificates are
    missing that would connect the top of the certificate
    chain to a known public certificate authority.

  - Second, the certificate chain may contain a certificate
    that is not valid at the time of the scan. This can
    occur either when the scan occurs before one of the
    certificate's 'notBefore' dates, or after one of the
    certificate's 'notAfter' dates.

  - Third, the certificate chain may contain a signature
    that either didn't match the certificate's information
    or could not be verified. Bad signatures can be fixed by
    getting the certificate with the bad signature to be
    re-signed by its issuer. Signatures that could not be
    verified are the result of the certificate's issuer
    using a signing algorithm that Nessus either does not
    support or does not recognize.

If the remote host is a public host in production, any break in the
chain makes it more difficult for users to verify the authenticity and
identity of the web server. This could make it easier to carry out
man-in-the-middle attacks against the remote host.

SSH Server CBC Mode Ciphers Enabled

The SSH server is configured to use Cipher Block Chaining.

The SSH server is configured to support Cipher Block Chaining (CBC)
encryption.  This may allow an attacker to recover the plaintext message
from the ciphertext.

Note that this plugin only checks for the options of the SSH server and
does not check for vulnerable software versions.

SSH Weak MAC Algorithms Enabled

The remote SSH server is configured to allow MD5 and 96-bit MAC
algorithms.

The remote SSH server is configured to allow either MD5 or 96-bit MAC
algorithms, both of which are considered weak.

Note that this plugin only checks for the options of the SSH server,
and it does not check for vulnerable software versions.


S5700 V200R008C00SPC500

SSL Certificate Cannot Be Trusted

——Need to buy a third-party certificate, or disable the HTTPS service as below:

[HUAWEI]undo http server enable

[HUAWEI]undo http secure-server enable

 

SSH Server CBC Mode Ciphers Enabled

——The CBC algorithm is the basic algorithm for SSH interworking. Disabling it can affect the connection with the SSH client. If you need to circumvent this vulnerability, you can upgrade to the V2R10 version and use the ssh server cipher command line to customize the algorithm. However, there is a risk that, with a custom algorithm, the client will not be able to connect to the device.

 

SSH Weak MAC Algorithms Enabled

——Can be upgraded to V2R10; use the following command to choose a secure algorithm:

[HUAWEI]ssh server hmac




SupperRobin Created Sep 21, 2018 16:01:17 Helpful(0)

:):):) thanks for your sharing!

Barret Created Sep 21, 2018 22:30:25 Helpful(0)

please re-edit :(

Skay Created Sep 29, 2018 16:50:19 Helpful(0)

An SSH server and a client need to negotiate an encryption algorithm for the packets exchanged between them. You can run the ssh server cipher command to configure an encryption algorithm list for the SSH server. After the SSH server receives a packet from the client, the server matches the encryption algorithm list of the client against its local list and selects the first matched encryption algorithm. If there is no matched encryption algorithm, the negotiation fails.

HC_David Created Sep 30, 2018 22:02:12 Helpful(0)

thanks for your sharing!

faysalji Created Oct 1, 2018 19:40:36 Helpful(0)

:)

SupperRobin Created Oct 12, 2018 11:11:48 Helpful(0)

Thanks for your sharing about this, which is very useful for my daily work.
And now I can easily check the SSH issue :):):) if I face any issue about this. Before this I always did not know how to deal with them, and wasted a lot of time searching for this. Thanks again for your selfless sharing; hope you can always work like this. :):):)

SupperRobin Created Oct 12, 2018 14:14:41 Helpful(0)

The server and client negotiate the algorithm for checking packets transmitted between them. You can run the ssh server hmac command to configure the check algorithm list of the SSH server. The server compares the check algorithm list sent from the client with its own check algorithm list, and selects the first matched check algorithm for checking transmitted packets. If the check algorithm lists of the server and client have no common check algorithm, the check algorithm negotiation fails.
For example, run the ssh server hmac sha2_256 command to add the high-security sha2_256 check algorithm to the HMAC check algorithm list of the SSH server, improving device security. This post was last edited by SupperRobin at 2018-10-31 15:05.
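The two SSH findings in the original post and the cipher/HMAC list negotiation described in Skay's and SupperRobin's replies, as an added Python example (not code from the original post or from Huawei): it parses constructed KEXINIT-style name-lists, flags the algorithms Nessus would report, and simulates the first-match negotiation from RFC 4253, including the legacy-client failure the original post warns about. The sample name-lists are assumptions, not captured from a real S5700.

```python
from typing import List, Optional

# Constructed sample name-lists (assumed, not captured from a real device):
# what an older switch build might advertise before hardening.
SERVER_CIPHERS = "aes128-cbc,aes256-cbc,3des-cbc,aes128-ctr,aes256-ctr"
SERVER_MACS = "hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha2-256"

# The same server after 'ssh server cipher ...' / 'ssh server hmac sha2_256'
# restrict the lists (assumed resulting name-lists).
HARDENED_CIPHERS = "aes256-ctr,aes128-ctr"
HARDENED_MACS = "hmac-sha2-256"

# Two constructed clients: a modern one and a legacy one that only speaks CBC.
MODERN_CLIENT_CIPHERS = "aes256-gcm@openssh.com,aes256-ctr,aes128-ctr"
MODERN_CLIENT_MACS = "hmac-sha2-256,hmac-sha2-512,hmac-sha1"
LEGACY_CLIENT_CIPHERS = "aes128-cbc,3des-cbc"


def parse_name_list(name_list: str) -> List[str]:
    """Split an SSH name-list (comma-separated, RFC 4251) into names."""
    return [n.strip() for n in name_list.split(",") if n.strip()]


def cbc_ciphers(name_list: str) -> List[str]:
    """Ciphers that trigger 'SSH Server CBC Mode Ciphers Enabled'."""
    return [c for c in parse_name_list(name_list) if c.endswith("-cbc")]


def weak_macs(name_list: str) -> List[str]:
    """MACs that trigger 'SSH Weak MAC Algorithms Enabled': anything
    MD5-based or truncated to a 96-bit tag (the '-96' suffix)."""
    return [m for m in parse_name_list(name_list)
            if "md5" in m or m.endswith("-96")]


def negotiate(client: str, server: str) -> Optional[str]:
    """Pick the first algorithm on the client's list that the server also
    offers (RFC 4253 section 7.1); None means negotiation fails."""
    offered = set(parse_name_list(server))
    return next((a for a in parse_name_list(client) if a in offered), None)


if __name__ == "__main__":
    print("before:", cbc_ciphers(SERVER_CIPHERS), weak_macs(SERVER_MACS))
    print("legacy client vs hardened server:",
          negotiate(LEGACY_CLIENT_CIPHERS, HARDENED_CIPHERS))
```

Replace the constructed lists with the name-lists from a real KEXINIT capture (or a scanner's output) to see which finding the device's current configuration would raise and which clients would stop connecting after hardening.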