
HP DL380 G9 - SSH SHA-1 HMAC Algorithms Enabled (Port 22) - Vulnerability on ILO (RAC)

 
Chari111
New Member


Could you please let me know how to resolve the vulnerability on the remote management console?

Vulnerability Name:  HP DL380 G9- SSH SHA-1 HMAC Algorithms Enabled (Port 22) on ILO 4

 

 

support_s
System Recommended

Query: HP DL380 G9 - SSH SHA-1 HMAC Algorithms Enabled (Port 22) - Vulnerability on ILO (RAC)

System recommended content:

1. HPE Integrated Lights Out 4 (iLO 4) - Troubleshooting Login and iLO Access Issues

2. HPE Integrated Lights-Out 4 (iLO 4) - How to Reset iLO Management Processor and iLO Password?

 


 

Thank you for being a HPE valuable community member.



Vinky_99
Esteemed Contributor

Re: HP DL380 G9 - SSH SHA-1 HMAC Algorithms Enabled (Port 22) - Vulnerability on ILO (R

@Chari111 

The vulnerability you mentioned is related to the use of insecure cryptographic algorithms (SHA-1 and HMAC) on the SSH service (port 22) of the Integrated Lights-Out (iLO) management interface on an HP DL380 G9 server.

In order to address this vulnerability, you should disable the use of SHA-1 and HMAC algorithms on the SSH service of iLO 4. You can do this by following the steps below:

  1. Log in to the iLO web interface using an administrative account.
  2. Click on the "Administration" tab and select "Security".
  3. Under "Security", select "SSH" and click on "Advanced Settings".
  4. In the "Advanced Settings" section, look for the "MAC algorithms" option and uncheck the "hmac-sha1" checkbox.
  5. Next, look for the "Key exchange algorithms" option and uncheck the "diffie-hellman-group1-sha1" checkbox.
  6. Click on "Apply" to save the changes.

After completing these steps, the iLO SSH service will no longer allow the use of insecure SHA-1 and HMAC algorithms, which will mitigate the vulnerability you described. It is also recommended to keep your server firmware and iLO firmware up-to-date to ensure the latest security patches are installed.

These are my opinions so use it at your own risk.
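
One way to check what an SSH service still offers after a change like the one described in the answer above (an added example, not part of the original thread and not HPE code): the server lists its algorithms in the SSH_MSG_KEXINIT message defined in RFC 4253, and this parser flags `hmac-sha1` MAC variants and the `diffie-hellman-group1-sha1` key exchange. The function names and the `BEFORE`/`AFTER` payloads are constructed for illustration and were not captured from an iLO.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1)
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
WEAK_KEX = {"diffie-hellman-group1-sha1"}  # the key exchange named in the answer

def parse_kexinit(payload):
    """Parse a KEXINIT payload (binary packet framing already stripped)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, offer = 17, {}  # skip message type byte and 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        names = payload[pos:pos + length].decode("ascii")
        offer[field] = names.split(",") if names else []
        pos += length
    return offer

def sha1_findings(offer):
    """Return sorted (field, algorithm) pairs: the kex in WEAK_KEX plus any MAC
    starting with hmac-sha1 (hmac-sha1, hmac-sha1-96, -etm@openssh.com forms)."""
    hits = {("kex", a) for a in offer["kex"] if a in WEAK_KEX}
    for field in ("mac_c2s", "mac_s2c"):
        hits |= {(field, a) for a in offer[field] if a.startswith("hmac-sha1")}
    return sorted(hits)

def build_sample(lists):
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # all-zero cookie, sample only
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed offers, not captured from an iLO
BEFORE = build_sample({"kex": ["curve25519-sha256", "diffie-hellman-group1-sha1"],
                       "mac_c2s": ["hmac-sha2-256", "hmac-sha1"],
                       "mac_s2c": ["hmac-sha2-256", "hmac-sha1"]})
AFTER = build_sample({"kex": ["curve25519-sha256"],
                      "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"]})

if __name__ == "__main__":
    for label, payload in (("before", BEFORE), ("after", AFTER)):
        print(label, sha1_findings(parse_kexinit(payload)))
```

An empty result for the payload taken after the change means the finding should clear on the next scan; any remaining pair names the exact list the scanner is reading.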
sakura87c
Occasional Advisor

Re: HP DL380 G9 - SSH SHA-1 HMAC Algorithms Enabled (Port 22) - Vulnerability on ILO (R

How to apply same settings in iLO 5?

After checking all items in iLO 5, there is no option for disabling SHA1 MAC algorithms.

Thanks in advance

Sunitha_Mod
Moderator

Re: HP DL380 G9 - SSH SHA-1 HMAC Algorithms Enabled (Port 22) - Vulnerability on ILO (R

Hello @sakura87c,

Thank you for writing to us! 

You might want to consider creating a new topic by utilizing the "New Discussion" button, as this will not only enhance visibility compared to the old topic but also boost your chances of receiving responses from experts.



Thanks,
Sunitha G
I'm an HPE employee.
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]