HPE Community
Servers - General
1771382 Members
2710 Online
109005 Solutions
New Discussion

HP DL380 G9 - SSH SHA-1 HMAC Algorithms Enabled (Port 22) - Vulnerability on ILO (RAC)

 
Chari111
New Member

‎04-03-2023 09:59 AM - last edited on ‎04-05-2023 04:26 AM by

‎04-03-2023 09:59 AM - last edited on ‎04-05-2023 04:26 AM by

HP DL380 G9 - SSH SHA-1 HMAC Algorithms Enabled (Port 22) - Vulnerability on ILO (RAC)

Could you please let me know to resolve vulnerabiltiy on remote management console

Vulnerability Name:  HP DL380 G9- SSH SHA-1 HMAC Algorithms Enabled (Port 22) on ILO 4

 

 

0 Kudos
Reply
2 REPLIES 2
support_s
System Recommended

‎04-03-2023 11:00 AM

‎04-03-2023 11:00 AM

Query: HP DL380 G9 - SSH SHA-1 HMAC Algorithms Enabled (Port 22) - Vulnerability on ILO (RAC)

System recommended content:

1. HPE Integrated Lights Out 4 (iLO 4) - Troubleshooting Login and iLO Access Issues

2. HPE Integrated Lights-Out 4 (iLO 4) - How to Reset iLO Management Processor and iLO Password?

 

Please click on "Thumbs Up/Kudo" icon to give a "Kudo".

 

Thank you for being a HPE valuable community member.


Accept or Kudo

0 Kudos
Reply
Vinky_99
Esteemed Contributor

‎04-04-2023 11:23 PM

‎04-04-2023 11:23 PM

Re: HP DL380 G9 - SSH SHA-1 HMAC Algorithms Enabled (Port 22) - Vulnerability on ILO (R

@Chari111 

The vulnerability you mentioned is related to the use of insecure cryptographic algorithms (SHA-1 and HMAC) on the SSH service (port 22) of the Integrated Lights-Out (iLO) management interface on an HP DL380 G9 server.

In order to address this vulnerability, you should disable the use of SHA-1 and HMAC algorithms on the SSH service of iLO 4. You can do this by following the steps below:

  1. Log in to the iLO web interface using an administrative account.
  2. Click on the "Administration" tab and select "Security".
  3. Under "Security", select "SSH" and click on "Advanced Settings".
  4. In the "Advanced Settings" section, look for the "MAC algorithms" option and uncheck the "hmac-sha1" checkbox.
  5. Next, look for the "Key exchange algorithms" option and uncheck the "diffie-hellman-group1-sha1" checkbox.
  6. Click on "Apply" to save the changes.

After completing these steps, the iLO SSH service will no longer allow the use of insecure SHA-1 and HMAC algorithms, which will mitigate the vulnerability you described. It is also recommended to keep your server firmware and iLO firmware up-to-date to ensure the latest security patches are installed.

These are my opinions so use it at your own risk.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.