
Terrapin vulnerability on c7000 virtual connects managed by HPE OneView

 
jdkarpin
Occasional Advisor

Hi, 
We've managed to disable CBC-EtM support on Virtual Connects that are not managed by HPE OneView using:

    set ssh -quiet CBC-cipher=Disabled

Virtual Connects managed by HPE OneView are not accessible through SSH, and therefore we cannot disable this cipher.

How to either access VC over SSH or disable it from HPE OneView?

ChrisLynch
HPE Pro

Re: Terrapin vulnerability on c7000 virtual connects managed by HPE OneView

Virtual Connect Manager is not a running service when the enclosure is managed by OneView.  There is no ability to disable specific ciphers on the Ethernet modules private API interfaces.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
jdkarpin
Occasional Advisor

Re: Terrapin vulnerability on c7000 virtual connects managed by HPE OneView

@ChrisLynch 

Hi Chris,
Issue is that SSH is enabled on VC even when VCM is disabled.
SSH gets flagged as vulnerable to Terrapin in our environment.
Any idea what can be done about it?

ChrisLynch
HPE Pro

Re: Terrapin vulnerability on c7000 virtual connects managed by HPE OneView

SSH is only present to transfer firmware images during the module firmware update process.  Otherwise, it is not customer accessible.  Nothing further can be done here.

jdkarpin
Occasional Advisor

Re: Terrapin vulnerability on c7000 virtual connects managed by HPE OneView

Hi @ChrisLynch ,

"SSH is only present to transfer firmware images during the module firmware update process."

Looks like it's not true. SSH is enabled 100% of the time.

[Screenshot: Terrapin2.png, captioned "Vulnerable VC"]

[Moderator edit: Erased the confidential info.]

ChrisLynch
HPE Pro

Re: Terrapin vulnerability on c7000 virtual connects managed by HPE OneView

I didn't say that SSH would be started "on-demand" or the daemon would only start for firmware updates.  SSH is only used for SCP to transfer firmware updates to the VC modules.  However, no customer can access that interface.

jdkarpin
Occasional Advisor

Re: Terrapin vulnerability on c7000 virtual connects managed by HPE OneView

Hi Chris,

In our environment SSH is constantly running on the Virtual Connects.

How do we get access to virtual connect when it's managed by HPE OneView?

How to get password for vcmadm_?

ChrisLynch
HPE Pro

Re: Terrapin vulnerability on c7000 virtual connects managed by HPE OneView

As I stated previously, there is no way to disable SSH on Virtual Connect modules even managed by OneView.  SSH here is strictly used to transfer firmware updates for the VC modules only.  We do not expose a general purpose SSH interface anyhow.

jdkarpin
Occasional Advisor

Re: Terrapin vulnerability on c7000 virtual connects managed by HPE OneView

Our security team seems not to understand this argument.

I do not want to disable SSH on Virtual Connect - I want to get in and disable the cipher that is vulnerable.

DanCernese
HPE Pro

Re: Terrapin vulnerability on c7000 virtual connects managed by HPE OneView

Does the security team understand his previous response:

"Virtual Connect Manager is not a running service when the enclosure is managed by OneView.  There is no ability to disable specific ciphers on the Ethernet modules private API interfaces."

jdkarpin
Occasional Advisor

Re: Terrapin vulnerability on c7000 virtual connects managed by HPE OneView

On our Virtual Connects SSH is enabled at all times, and we've noticed that HPE OneView 6.60 establishes a constant connection (according to a packet capture), even when we're not working with interconnects.

Given this situation, I kindly request that you reach out to our software engineers. Could you ask them to explore potential workarounds? It seems that HPE OneView is somehow authenticating with Virtual Connect, and if we could obtain the password, it might help resolve our problem.
DanCernese
HPE Pro

Re: Terrapin vulnerability on c7000 virtual connects managed by HPE OneView

You're not getting the message. There is no password. There is no command line. There is no feature in the private API that OneView is using to disable specific ciphers.