Is it possible to modify cypher suite assigned to the LOM interface?

[Francis Guilbault 2]

LOM interfaces being flagged with vulnerabilities. How can we modify cypher suite assigned to the interface.

[naka moto]

I do not believe there is any way to modify the default SSL cyber suite on LOM for Citrix SDX/MPX hardware (Supermicro hardware). At least not VIA the LOM GUI. no such option exists. You might google your Supermicro MOBO and get MOBO manual from Supermicro to double check.

[naka moto]

One other possibility is to check for any updated LOM BIOS from Supermicro. I doubt that Citrix branded LOM (IPMI) updated BIOS is available - I have read where SUpermicro has released newer IPMI BIOS that changes the cypher suite to newer/safer TLS standards. NOTE this , if you upgrade your Citrix NetScaler IPMI BIOS with a newer one from Supermicro, you will loose the "Citrix" branding in the default IPMI BIOS that you currently have. Check out the book "NETSCALER HACKS" on Apple Books or Amazon for more help.

[Fernando Avelino]

What's the platform and firmware version? Each Platform will have a different LOM version.

https://docs.netscaler.com/en-us/citrix-hardware-platforms/mpx/netscaler-mpx-lights-out-management-port-lom.html

In the most recent firmware versions, the LOM should updates automatically when software upgrade is performed, you don't need to upgrade the LOM individually. Make sure you're running a most recent version.

Make sure to follow the LOM security best practices:

https://docs.netscaler.com/en-us/citrix-adc-secure-deployment.html#reset-the-netscaler-lights-out-management-lom

[Francis Guilbault 2]

MPX running with the latest 13.1 firmware. Multiple vulnerabilities have been identified with this version:

CVSS Severity – Medium

SSH Server Supports Weak Key Exchange Algorithms

The server supports one or more weak key exchange algorithms. It is highly advisable to remove weak key exchange algorithm support from SSH configuration files on hosts to prevent them from being used to establish connections.

CVSS Severity – Low

SSH Server Supports diffie-hellman-group1-sha1

The prime modulus offered when diffie-hellman-group1-sha1 is used only has a size of 1024 bits. This size is considered weak and within theoretical range of the so-called Logjam attack.

 

CVSS Severity – Low

TLS/SSL Server Supports The Use of Static Key Ciphers

The server is configured to support ciphers known as static key ciphers. These ciphers don't support "Forward Secrecy". In the new specification for HTTP/2, these ciphers have been blacklisted.

CVSS Severity – None

UDP IP ID Zero

The remote host responded with a UDP packet whose IP ID was zero. Normally the IP ID should be set to a unique value and is used in the reconstruction of fragmented packets. Generally this behavior is only seen with systems derived from a Linux kernel, which may allow an attacker to fingerprint the target's operating system.