Global Storage

  • 1.  IBM Storwize V5000 - SSH Vulnerability

    Posted Wed February 21, 2024 09:56 AM

    Hello all,

    You have a Storwize V5000 controller and expansion.

    SOS scan vulnerability report shows this:

    SSH Server CBC Mode Ciphers Enabled
    SSH Weak Key Exchange Algorithms Enabled
    SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)
    SSH Server CBC Mode Ciphers Enabled
    SSH Weak Key Exchange Algorithms Enabled
    SSH Server CBC Mode Ciphers Enabled
    SSH Weak Key Exchange Algorithms Enabled
    TLS Version 1.1 Protocol Deprecated

     

    How can I mitigate all?

    Thanks for your reply.



    ------------------------------
    Nicolas Bebin
    Security Service Delivery France – Manager IT OPS Team
    IBM Services Center France

    ------------------------------


  • 2.  RE: IBM Storwize V5000 - SSH Vulnerability

    Posted Thu February 22, 2024 03:46 AM
    Edited by T Masteen Thu February 22, 2024 03:46 AM

    Hello Nicolas,

    You have not specified which firmware version you are currently running. There may still be updates available that address SSH vulnerabilities.

    The release notes list the CVE identifiers that have been resolved. Release notes can be found at: https://www.ibm.com/support/fixcentral



    ------------------------------
    TMasteen
    ------------------------------



  • 3.  RE: IBM Storwize V5000 - SSH Vulnerability

    User Group Leader
    Posted Thu February 22, 2024 07:06 AM

    Hi Nicolas -

    Step 1: Be on the latest versions of code available, as we will clean up security issues as we modernise. (Also, making sure you are on a supported code version/platform is generally good hygiene.)

    Step 2: Be aware of our security feature set that allows you to set higher minimum security levels (disable insecure ciphers, get to newer versions of TLS, etc.). https://www.redbooks.ibm.com/redpapers/pdfs/redp5678.pdf

    If you are running on an ancient version of code or unsupported hardware, then it is time to upgrade/migrate to address these issues, as the lifecycle of software updates on platforms, while long, is not indefinite.



    ------------------------------
    Evelyn Perez
    IBM Senior Technical Staff Member
    IBM Storage Virtualize Software Architect for SVC and FlashSystem
    ------------------------------



  • 4.  RE: IBM Storwize V5000 - SSH Vulnerability

    IBM Champion
    Posted Thu February 22, 2024 08:24 AM

    Nicolas, Evelyn's replies are always thorough and golden. I would add that most reports, like the one you are looking at, list the applicable CVE(s). You could always take those CVEs and look them up at https://www.ibm.com/support/pages/bulletin

    Being on the latest code, while recommended, is not the cure-all. You must also follow Evelyn's suggestion to configure and set your security features as recommended.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------
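
To confirm that a code upgrade and a higher minimum security level actually cleared the three SSH findings in the scan report, the algorithm lists the server advertises in its SSH_MSG_KEXINIT message can be checked directly. The following is an added example, not code from this thread or from IBM; the function names, the `WEAK_KEX` set and the two sample payloads are assumptions constructed for illustration.

```python
import struct

# RFC 4253 section 7.1: the ten name-lists of SSH_MSG_KEXINIT, in wire order.
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Assumption: illustrative weak-KEX set; each scanner ships its own list.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}
STRICT_KEX = "kex-strict-s-v00@openssh.com"   # server-side strict KEX marker
CHACHA = "chacha20-poly1305@openssh.com"

def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload (type byte 20, 16-byte cookie, name-lists)."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, {}
    for name in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + n].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        off += n
    return lists

def findings(lists: dict) -> dict:
    enc = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    mac = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    cbc = sorted(c for c in enc if c.endswith("-cbc"))
    # Terrapin needs ChaCha20-Poly1305 or CBC with encrypt-then-MAC, and no strict KEX.
    exposed = CHACHA in enc or (bool(cbc) and any("-etm@" in m for m in mac))
    return {"cbc_ciphers": cbc,
            "weak_kex": sorted(k for k in lists["kex"] if k in WEAK_KEX),
            "terrapin": exposed and STRICT_KEX not in lists["kex"]}

def build_kexinit(kex, enc, mac) -> bytes:
    # Sample builder: zero cookie, same cipher and MAC lists in both directions.
    cols = [kex, ["ssh-ed25519"], enc, enc, mac, mac, ["none"], ["none"], [], []]
    body = b"".join(struct.pack(">I", len(s)) + s
                    for s in (",".join(c).encode("ascii") for c in cols))
    return bytes([20]) + bytes(16) + body + b"\x00" + bytes(4)

# Constructed samples, not captured from a Storwize system.
BEFORE = build_kexinit(["diffie-hellman-group1-sha1", "curve25519-sha256"],
                       ["aes128-cbc", "3des-cbc", "aes256-ctr"],
                       ["hmac-sha1", "hmac-sha2-256-etm@openssh.com"])
AFTER = build_kexinit(["curve25519-sha256", STRICT_KEX],
                      [CHACHA, "aes256-ctr"], ["hmac-sha2-256-etm@openssh.com"])
```

The `terrapin` flag reflects the server's advertised lists only; strict key exchange takes effect when the connecting client supports it as well.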