Francis Guilbault, posted December 14, 2023:

LOM interfaces are being flagged with vulnerabilities. How can we modify the cipher suite assigned to the interface?
naka moto, posted December 18, 2023:

I do not believe there is any way to modify the default SSL cipher suite on LOM for Citrix SDX/MPX hardware (Supermicro hardware), at least not via the LOM GUI; no such option exists. You might google your Supermicro MOBO and get the MOBO manual from Supermicro to double check.
naka moto, posted December 18, 2023:

One other possibility is to check for any updated LOM BIOS from Supermicro. I doubt that an updated Citrix-branded LOM (IPMI) BIOS is available. I have read that Supermicro has released newer IPMI BIOS that changes the cipher suite to newer/safer TLS standards. NOTE: if you upgrade your Citrix NetScaler IPMI BIOS with a newer one from Supermicro, you will lose the "Citrix" branding in the default IPMI BIOS that you currently have. Check out the book "NETSCALER HACKS" on Apple Books or Amazon for more help.
Fernando Avelino, posted December 18, 2023:

What's the platform and firmware version? Each platform will have a different LOM version:
https://docs.netscaler.com/en-us/citrix-hardware-platforms/mpx/netscaler-mpx-lights-out-management-port-lom.html

In the most recent firmware versions, the LOM should update automatically when a software upgrade is performed; you don't need to upgrade the LOM individually. Make sure you're running the most recent version.

Make sure to follow the LOM security best practices:
https://docs.netscaler.com/en-us/citrix-adc-secure-deployment.html#reset-the-netscaler-lights-out-management-lom
Francis Guilbault (author), posted December 19, 2023:

MPX running with the latest 13.1 firmware. Multiple vulnerabilities have been identified with this version:

CVSS Severity – Medium: SSH Server Supports Weak Key Exchange Algorithms
The server supports one or more weak key exchange algorithms. It is highly advisable to remove weak key exchange algorithm support from SSH configuration files on hosts to prevent them from being used to establish connections.

CVSS Severity – Low: SSH Server Supports diffie-hellman-group1-sha1
The prime modulus offered when diffie-hellman-group1-sha1 is used only has a size of 1024 bits. This size is considered weak and within theoretical range of the so-called Logjam attack.

CVSS Severity – Low: TLS/SSL Server Supports The Use of Static Key Ciphers
The server is configured to support ciphers known as static key ciphers. These ciphers don't support "Forward Secrecy". In the new specification for HTTP/2, these ciphers have been blacklisted.

CVSS Severity – None: UDP IP ID Zero
The remote host responded with a UDP packet whose IP ID was zero. Normally the IP ID should be set to a unique value and is used in the reconstruction of fragmented packets. Generally this behavior is only seen with systems derived from a Linux kernel, which may allow an attacker to fingerprint the target's operating system.
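Since the LOM GUI offers no cipher-suite setting, the practical defender task is to verify exactly which SSH key-exchange methods and TLS cipher suites a management interface exposes, and to reproduce the scanner's three crypto findings from that list rather than take them on trust. The following triage helper is an added example written for this thread, not code from the original post, Citrix/NetScaler or Supermicro. It assumes you already have the algorithm lists (for instance from the scanner report itself) and classifies them: fixed-group DH below 2048 bits (the diffie-hellman-group1-sha1 / Logjam case), SHA-1 based key exchange, OpenSSL-named TLS suites with static key exchange (no forward secrecy), and legacy primitives. The sample lists at the bottom are constructed for illustration, not captured from a real LOM.

```python
"""Triage helper for LOM crypto findings (added example, constructed input).

Classifies SSH KEX algorithm names and OpenSSL-style TLS cipher-suite names
so that the findings "weak key exchange", "diffie-hellman-group1-sha1" and
"static key ciphers (no forward secrecy)" can be reproduced from a list.
"""
from typing import Dict, List, Tuple

# Modulus sizes of the fixed DH groups named in RFC 4253 and RFC 8268.
FIXED_DH_GROUP_BITS = {
    "diffie-hellman-group1-sha1": 1024,
    "diffie-hellman-group14-sha1": 2048,
    "diffie-hellman-group14-sha256": 2048,
    "diffie-hellman-group15-sha512": 3072,
    "diffie-hellman-group16-sha512": 4096,
    "diffie-hellman-group17-sha512": 6144,
    "diffie-hellman-group18-sha512": 8192,
}
MIN_DH_BITS = 2048  # anything smaller is inside the Logjam range

# Substrings of OpenSSL suite names that indicate legacy/broken primitives.
LEGACY_PRIMITIVES = ("NULL", "EXP-", "RC4", "DES-CBC", "MD5")


def assess_ssh_kex(name: str) -> Tuple[str, str]:
    """Return (severity, reason) for one SSH key-exchange algorithm name."""
    bits = FIXED_DH_GROUP_BITS.get(name)
    if bits is not None and bits < MIN_DH_BITS:
        return ("weak", f"fixed {bits}-bit DH group, below {MIN_DH_BITS} bits (Logjam range)")
    if name.endswith("-sha1"):
        return ("weak", "SHA-1 based key exchange")
    if bits is not None or name.startswith(
        ("curve25519-", "ecdh-sha2-", "diffie-hellman-group-exchange-sha256")
    ):
        return ("ok", "modern key exchange")
    return ("unknown", "not in the classification table; review manually")


def has_forward_secrecy(suite: str) -> bool:
    """True if the suite uses an ephemeral (EC)DH key exchange.

    TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) are always ephemeral. In
    OpenSSL 1.2-and-earlier naming, ECDHE-/DHE- (EDH- is the old DHE alias)
    and the anonymous ADH-/AECDH- forms are ephemeral; everything else
    (AES128-SHA = RSA key transport, ECDH- = static ECDH, PSK-) is static.
    """
    if suite.startswith("TLS_"):
        return True
    return suite.startswith(("ECDHE-", "DHE-", "EDH-", "ADH-", "AECDH-"))


def assess_tls_suite(suite: str) -> List[str]:
    """Return the list of problems found with one TLS cipher-suite name."""
    issues = []
    if suite.startswith(("ADH-", "AECDH-")):
        issues.append("anonymous (unauthenticated) key exchange")
    if not has_forward_secrecy(suite):
        issues.append("static key exchange (no forward secrecy)")
    for primitive in LEGACY_PRIMITIVES:
        if primitive in suite:
            issues.append(f"legacy primitive {primitive}")
            break
    return issues


def triage(ssh_kex: List[str], tls_suites: List[str]) -> Dict[str, object]:
    """Group the offered algorithms into the scanner's finding categories."""
    return {
        "ssh_weak_kex": [k for k in ssh_kex if assess_ssh_kex(k)[0] == "weak"],
        "ssh_group1_sha1": "diffie-hellman-group1-sha1" in ssh_kex,
        "tls_static_key": [s for s in tls_suites if not has_forward_secrecy(s)],
        "tls_legacy": [
            s for s in tls_suites
            if any(i.startswith("legacy") for i in assess_tls_suite(s))
        ],
    }


# Constructed sample lists (not captured from a real LOM).
SAMPLE_SSH_KEX = [
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]
SAMPLE_TLS_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
    "AES128-SHA",
    "AES256-GCM-SHA384",
    "DES-CBC3-SHA",
]

if __name__ == "__main__":
    for category, value in triage(SAMPLE_SSH_KEX, SAMPLE_TLS_SUITES).items():
        print(f"{category}: {value}")
```

On the constructed sample the helper reports both SHA-1 DH methods as weak, confirms the group1 finding, and flags the three suites without an ECDHE/DHE prefix as static-key (AES256-GCM-SHA384 included: a modern AEAD cipher does not imply forward secrecy, which is exactly the distinction the scanner is drawing). The useful outcome for a LOM you cannot reconfigure is a precise list to put in a risk acceptance or a vendor case, plus network isolation of the LOM segment as the compensating control the NetScaler hardening guide already recommends.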