Phone Lines icon GFI Support Home

Articles in this section

Resolving Exinda vulnerabilities

Author: Gazal Kaura Updated

Overview

You see one or more of the following vulnerabilities in the Vulnerability Assessment (VA) / scan of your Exinda as part of a network security audit. You would like to know the resolution of these vulnerabilities.

This article explains how to resolve different types of Exinda vulnerabilities.

  • OpenSSH X11 Forwarding Session Hijacking
  • OpenSSH < 5.2 CBC Plaintext Disclosure
  • OpenSSH < 4.3 scp Command Line Filename Processing Command Injection
  • OpenSSH < 4.5 Multiple Vulnerabilities
  • OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass
  • OpenSSH < 4.9 'ForceCommand' Directive Bypass
  • OpenSSL < AES-NI Padding Oracle MitM Information Disclosure
  • SSH Weak Algorithms Supported
  • SSL Certificate Expiry
  • SSL Medium Strength Cipher Suites Supported (SWEET32)
  • SSL Weak Cipher Suites Supported
  • SSL RC4 Cipher Suites Supported (Bar Mitzvah)
  • SSL Certificate Cannot Be Trusted
  • SSL Self-Signed Certificate
  • SSL Certificate Signed Using Weak Hashing Algorithm
  • SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (BEAST)
  • TLS Version 1.0 Protocol Detection
  • TLS Version 1.1 Protocol Detection
  • mDNS Detection (Remote Network)
  • SNMP Agent Default Community Name (Public)
  • SNMP 'GETBULK' Reflection DDoS

Solution

In the table below, follow the solution steps corresponding to the vulnerabilities found:

Vulnerabilities related to: Solution

SSL Certificate

Install an authorized SSL Certificate/Private Key from your organization to replace the original self-generated certificate supplied with Exinda.

Note: this will not affect the traffic through the bridges, thus no downtime is required for this activity.
mDNS Detection

Disable the Avahi daemon, which corresponds to the Find my Exinda feature, which is only required for new devices not yet connected to the network but not used you have already assigned an IP address to the management port.

Note: a temporary restricted shell license is required for this step. Please contact the Support team to request one. 
SNMP Change the community name from 'public' to a custom one under the Configuration > System > Network > SNMP section in the Exinda Web UI. For more information, please refer to this article.
OpenSSH/SSH Upgrade your Exinda appliance to the latest firmware version 7.5.0, which fixes these vulnerabilities and several other bugs.
TLS Protocol Detection
OpenSSL
SSL (Not Certificate specific)
 

Testing

Run the vulnerability scanner after the upgrade to confirm the absence of vulnerabilities.

In case any issues persist, contact Exinda support for assistance.

Related articles