07-31-2013 05:09 AM
MSM460 - Security Vulnerability
Our company has recently installed E-MSM460 access points.
The devices do have the latest version of firmware installed.
On a security vulnerability scan, the following issue was picked up:
synopsis:
The remote SSH service is prone to an X11 session hijacking vulnerability.
description:
According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
solution:
Upgrade to OpenSSH version 5.0 or later.
According to the solution, OpenSSH needs to be updated.
Is it possible to do this, and if it is, how do I do it?
09-08-2013 05:48 PM
Re: MSM460 - Security Vulnerability
You can't update the SSH server by itself. All you can do is install the latest HP firmware that you have access to (via warranty or contract).
09-08-2013 08:28 PM
Re: MSM460 - Security Vulnerability
>it does not have X11 installed, so this theoretical vulnerability does not apply.
You think that the scanning program just detects that it is Linux and not that it has the X11 ports open/listening?
09-15-2013 07:47 AM
Re: MSM460 - Security Vulnerability
I believe the original poster's scanning program is going purely by the AP's SSH banner. If you telnet to port 22 on the AP, you will see something like:
SSH-2.0-OpenSSH_6.1
which indicates the device in question (an MSM460 running 6.0.1.0 firmware, the latest generally available public version) claims to implement the SSH 2.0 protocol using OpenSSH Portable 6.1. This is a fairly recent OpenSSH version (6.2 is current, 6.3 is in the process of being released and may already be on some mirrors).
There is a vulnerability with X11 forwarding and dual stack IPv4/IPv6 devices in OpenSSH versions before OpenSSH 5.0. I believe it is a purely theoretical vulnerability so far as the access points go, because they make no use of X11. However, as an HP outsider, I am not sure whether OpenSSH on the AP has been configured to disallow X11 forwarding, which would ensure there is no vulnerability.
I don't know which MSM460 firmware versions use which OpenSSH versions. The original poster may not have access to the latest firmware. Until the implementation of Lifetime Warranty 2.0 on 2013-08-01, the warranty software entitlement on purchasing an MSM4xx device was only for bugfix releases in the same firmware series as was generally available on the date of purchase. If you wish to move to a newer firmware series you must have an active software contract or Care Pack. The MSM460 was originally released with 5.5 firmware. Subsequently, there have been releases in the 5.7 and 6.0 firmware series.
My understanding is that devices bought after the implementation of Lifetime Warranty 2.0 have three years of software updates included in the purchase price - at least in North America and EMEA.
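The banner-only check discussed in this thread, as an added example that is not part of any poster's reply or of the scanner's own code: it parses an SSH identification string and applies the scan report's "older than 5.0" rule, which makes clear that the finding rests on the version string alone. The function names, verdict labels and sample banners are assumptions constructed for illustration.

```python
import re
import socket

# RFC 4253 section 4.2 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")
FIXED_IN = (5, 0)  # threshold quoted in the scan report: "older than 5.0"


def grab_banner(host, port=22, timeout=5.0):
    """Return the server's identification line, as seen when telnetting to port 22."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as stream:
            for _ in range(20):  # servers may send other lines before the SSH- line
                line = stream.readline(256)
                if not line:
                    break
                if line.startswith(b"SSH-"):
                    return line.decode("ascii", "replace").rstrip("\r\n")
    raise ValueError("no SSH identification string received")


def triage(banner):
    """Classify a banner against the scanner's 'older than 5.0' rule (hypothetical helper)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return {"banner": banner, "verdict": "unparseable"}
    result = {"banner": banner, "protocol": m["proto"], "software": m["software"]}
    v = OPENSSH_RE.match(m["software"])
    if not v:
        result["verdict"] = "not-openssh"  # rule does not apply; check vendor advisories
        return result
    version = (int(v["major"]), int(v["minor"]))
    result["openssh_version"] = version
    # Banner evidence only: says nothing about whether X11 forwarding is enabled.
    result["verdict"] = "flag-banner-only" if version < FIXED_IN else "not-flagged"
    return result


if __name__ == "__main__":
    # Constructed samples; the first is the banner quoted in the thread.
    for sample in ("SSH-2.0-OpenSSH_6.1",
                   "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1",
                   "SSH-2.0-dropbear_2012.55"):
        print(triage(sample))
```

On a host where you have shell access, `sshd -T | grep -i x11forwarding` shows whether X11 forwarding is actually enabled, which the banner cannot tell you.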