EF & E-Series, SANtricity, and Related Plug-ins

Vulnerability:SSH Weak Key Exchange Algorithms Enabled

Terry-xiao
384 Views

Hi team,

 

one of my customer use storage-DE2000H, and the customer found below vulnerabilities in the Lenevo DE2000H.

Vulnerability:SSH Weak Key Exchange Algorithms Enabled

"the customer mentioned that storage devices are being performed an authenticated scan by Nessus vulnerability tool and reporting this vulnerability. Please let us know what would be the workaround to fix this one"

 

[system infor]

DE2000H is an OEM of NetApp E-series product.

 

ThinkSystem Storage Manager
EMW Version: 11.62.00.9009
Report Date: Thu Jun 30 07:09:20 UTC 2022

 

I have checked Netapp documents, I 'm not able to find the information about this vulnerabilities. I really appreciated if you could you please provide information for this questions?

 


the below KB mentioned that "SSH is not a supported management protocol for E-Series devices.".
if the SSH is disabled by default,the product will not affected by this Vulnerability, is it
correct?
Vulnerability:SSH Weak Key Exchange Algorithms Enabled

========================
Is SSH a supported management protocol for E-Series devices?
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Systems/E-Series_Storage_Array/Is_SSH_a_supported_management_protocol_for_E-Series_devic...
SSH is not a supported management protocol for E-Series devices. To manage the storage array, there is SANtricity for GUI based management or SMcli for the command line.

For support procedures, occasional Telnet or SSH access is required. However, it is not possible to use Telnet/SSH for day-to-day operations.
========================

[I have checked below KB ]
================
Is SSH a supported management protocol for E-Series devices?
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Systems/E-Series_Storage_Array/Is_SSH_a_supported_management_protocol_for_E-Series_devic...
================
==========================
How to enable or disable remote login on E-Series Storage Systems
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Systems/E-Series_Storage_Array/How_to_enable_or_disable_remote_login_on_E-Series_Storage...
==========================
Thanks and regards
wenhai

1 ACCEPTED SOLUTION

NetApp_RZ
313 Views

Lenovo provides a download site here that has the latest 11.70.3 fimware for the product that will also take care of a lot of other vulnerabilities they didn't find with that 11.62.xx code.

https://datacentersupport.lenovo.com/us/en/products/storage/lenovo-storage/thinksystem-de2000h/downloads/driver-list/

Either way, I'd suggest upgrading firmware.

View solution in original post

3 REPLIES 3

kryan
340 Views
I believe that this customer needs to contact Lenovo for support on that system.

NetApp_AU
324 Views

I am going to speak strictly about a NetApp non-OEM E-Series system. To confirm that the information below is still accurate for your Lenovo OEM system, please contact Lenovo Support.

For NetApp-branded E-Series systems, SSH is not needed for normal management operations, is only used by NetApp Support for troubleshooting purposes and is disabled by default for security. 

The second KB you linked is the correct procedure for enabling and disabling SSH on a NetApp-branded E-Series system, but the process might be different on a Lenovo OEM system.

If your security scanner is reporting a vulnerability with your storage system's SSH, it is usually fine to disable SSH, but I strongly recommend that you contact Lenovo Support first to confirm that disabling SSH is truly the best option for you and your system.

Team NetApp

NetApp_RZ
314 Views

Lenovo provides a download site here that has the latest 11.70.3 fimware for the product that will also take care of a lot of other vulnerabilities they didn't find with that 11.62.xx code.

https://datacentersupport.lenovo.com/us/en/products/storage/lenovo-storage/thinksystem-de2000h/downloads/driver-list/

Either way, I'd suggest upgrading firmware.

Public