SSH cipher update - openssh bug CVE-2023-48795 #3168
Comments
Similar story here with a Cisco IOS XE 17.12.3 device... All working well for 17.9.5, but upon upgrade to 17.12.3 the Oxidized collector can no longer connect - with an hmac negotiation error...
SSH from the OS on the same host is working without error.
ssh_from_os.txt
Edit to add oxidized debug - strange to note that debug indicated net-ssh 5.2.0 being used... when it is no longer on this host at all (replaced by 7.2.3)
Ruby Gems:
As I say, continues to collect from 17.9.5 & below.
How do I add and force Oxidized to use the newest ciphers?
closed by mistake
reopen
hmmm, seems I am not able to reopen it again
Enable support for aes(128|256)gcm. Fixes ytti#3168.
Hi,
How can I update the ciphers for Oxidized to allow the following / always add the newest possible:
set system services ssh ciphers "aes128-gcm@openssh.com"
set system services ssh ciphers "aes256-gcm@openssh.com"
We have disabled all other ciphers on our Juniper boxes because of the bug:
https://supportportal.juniper.net/s/article/2024-05-Reference-Advisory-Junos-OS-and-Junos-OS-Evolved-Multiple-CVEs-reported-in-OpenSSH?language=en_US
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795
Unfortunately Oxidized (0.29.1) is currently not able to back up those devices which only allow ciphers aes128-gcm and aes256-gcm.
SSH from this Linux Host (where Oxidized is running) to the devices is working fine, therefore it seems Oxidized is not using the OS implementations?
thx & br
Chris
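The failure reported in this issue, as an added example that is not part of the thread and is not Oxidized or net-ssh code: SSH selects the first algorithm on the client's name-list that the server also offers (RFC 4253, section 7.1), so a client library whose list lacks the GCM ciphers cannot connect to a device that offers only those, even when the OS `ssh` binary on the same host can. All client and device lists below are constructed samples, not the actual defaults of net-ssh, Junos or IOS XE.

```ruby
# SSH algorithm negotiation per RFC 4253 section 7.1 (encryption and MAC only).
# AEAD ciphers named in the issue; with these the MAC lists are ignored.
AEAD_CIPHERS = %w[aes128-gcm@openssh.com aes256-gcm@openssh.com].freeze

# First name on the client's list that the server also offers, or nil.
def pick(client_list, server_list)
  client_list.find { |name| server_list.include?(name) }
end

# Returns a hash describing the outcome for one client/server pair.
def negotiate(client, server)
  cipher = pick(client[:encryption], server[:encryption])
  return { ok: false, reason: "no matching cipher" } unless cipher
  # GCM provides its own integrity tag, so no separate MAC has to match.
  return { ok: true, cipher: cipher, mac: "<implicit>" } if AEAD_CIPHERS.include?(cipher)

  mac = pick(client[:hmac], server[:hmac])
  return { ok: false, cipher: cipher, reason: "no matching hmac" } unless mac

  { ok: true, cipher: cipher, mac: mac }
end

# --- Constructed sample lists (assumptions for illustration) ---
# Device hardened to GCM only, as in the Juniper configuration quoted above.
DEVICE_GCM_ONLY = { encryption: %w[aes128-gcm@openssh.com aes256-gcm@openssh.com],
                    hmac: %w[hmac-sha2-256-etm@openssh.com] }.freeze
# Device that still offers CTR but only EtM SHA-2 MACs.
DEVICE_ETM_ONLY = { encryption: %w[aes256-ctr aes128-ctr],
                    hmac: %w[hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com] }.freeze
# Hypothetical client library without GCM or EtM support.
OLD_CLIENT = { encryption: %w[aes256-ctr aes192-ctr aes128-ctr],
               hmac: %w[hmac-sha2-256 hmac-sha1] }.freeze
# Hypothetical client library with GCM support added.
NEW_CLIENT = { encryption: %w[aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr],
               hmac: %w[hmac-sha2-256 hmac-sha1] }.freeze

if __FILE__ == $PROGRAM_NAME
  { "old client -> GCM-only device" => [OLD_CLIENT, DEVICE_GCM_ONLY],
    "new client -> GCM-only device" => [NEW_CLIENT, DEVICE_GCM_ONLY],
    "old client -> EtM-only device" => [OLD_CLIENT, DEVICE_ETM_ONLY] }.each do |label, (c, s)|
    puts "#{label}: #{negotiate(c, s)}"
  end
end
```

To compare against a real device, replace the device lists with what it actually offers and the client lists with what the Ruby SSH library loaded by Oxidized actually advertises.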