When scanning the Exinda appliance as part of a network security audit, you may run into one or more of the following vulnerabilities:
- OpenSSH X11 Forwarding Session Hijacking
- OpenSSH < 5.2 CBC Plaintext Disclosure
- OpenSSH < 4.3 scp Command Line Filename Processing Command Injection
- OpenSSH < 4.5 Multiple Vulnerabilities
- OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass
- OpenSSH < 4.9 'ForceCommand' Directive Bypass
- OpenSSL AES-NI Padding Oracle MitM Information Disclosure
- SSH Weak Algorithms Supported
- SSL Certificate Expiry
- SSL Medium Strength Cipher Suites Supported (SWEET32)
- SSL Weak Cipher Suites Supported
- SSL RC4 Cipher Suites Supported (Bar Mitzvah)
- SSL Certificate Cannot Be Trusted
- SSL Self-Signed Certificate
- SSL Certificate Signed Using Weak Hashing Algorithm
- JQuery 1.2 < 3.5.0 Multiple XSS
- TLS Version 1.0 Protocol Detection
- TLS Version 1.1 Protocol Detection
- mDNS Detection (Remote Network)
- SNMP Agent Default Community Name (Public)
- SNMP 'GETBULK' Reflection DDoS
This article explains how to resolve different types of Exinda vulnerabilities.
In the table below, follow the solution steps corresponding to the vulnerabilities found:
| Vulnerabilities related to: | Solution |
|---|---|
| SSL | Install an authorized SSL Certificate/Private Key from your organization to replace the original self-generated certificate supplied with Exinda. Note: this will not affect the traffic through the bridges, so no downtime is required for this activity. |
| mDNS | Disable the Avahi daemon, which provides the Find my Exinda feature. That feature is only required for new devices not yet connected to the network and is not needed once you have assigned an IP address to the management port. Note: a temporary restricted shell license is required for this step. Please contact the Support team to request one. |
| SNMP | Change the community name from 'public' to a custom one under the |
| OpenSSH/SSH, TLS Protocol Detection | Upgrade your Exinda appliance to the latest firmware version (7.5), which fixes these vulnerabilities and several other bugs. |
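As an added example (not Exinda's own tooling), the script below re-checks the SSL and TLS rows of the table against a management interface after the certificate replacement and firmware upgrade. It assumes the management UI serves HTTPS on port 443 and takes the host name as its only argument. The self-signed, expiry and weak-hash checks are done on the raw DER certificate, because `SSLSocket.getpeercert()` returns an empty dict whenever the client did not validate the chain, which is exactly the self-signed case this article is about; the TLS 1.0/1.1 check pins a client context to one protocol version and reports whether the handshake completes. The `sample_cert` helper builds a constructed certificate (dummy key, dummy signature, invented `exinda-mgmt` and `Corp Issuing CA` names) so the decision logic can be exercised offline. The cipher-suite findings in the list (SWEET32, RC4, weak suites) are not covered here.

```python
"""Post-upgrade check for the SSL and TLS rows of the table above. Added example, not
Exinda tooling: assumes HTTPS on port 443 and a host name on the command line. The
certificate is parsed as raw DER because getpeercert() is empty for unvalidated chains."""
import socket, ssl, sys
from datetime import datetime, timezone

SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
SHA1_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # 1.2.840.113549.1.1.5
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}  # md5/sha1 RSA, ecdsa-SHA1
LEGACY_VERSIONS = {"TLS Version 1.0 Protocol Detection": ssl.TLSVersion.TLSv1,
                   "TLS Version 1.1 Protocol Detection": ssl.TLSVersion.TLSv1_1}

def der_tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, value, offset just past the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):  # elements of a SEQUENCE/SET value as (tag, value, raw bytes)
    out, pos = [], 0
    while pos < len(value):
        tag, val, end = der_tlv(value, pos)
        out.append((tag, val, value[pos:end]))
        pos = end
    return out

def decode_oid(value):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def cert_findings(der_bytes, now=None):
    """Scanner-style findings for one DER certificate: self-signed, expired, weak hash."""
    now = now or datetime.now(timezone.utc)
    tbs, sig_alg, _sig = der_children(der_tlv(der_bytes)[1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:  # optional explicit [0] version comes first
        fields = fields[1:]
    _serial, _alg, issuer, validity, subject = fields[:5]
    not_after_tag, not_after, _raw = der_children(validity[1])[1]
    fmt = "%y%m%d%H%M%SZ" if not_after_tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    expiry = datetime.strptime(not_after.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    findings = []
    if issuer[2] == subject[2]:  # byte-identical encoded Names
        findings.append("SSL Self-Signed Certificate")
    if expiry < now:
        findings.append("SSL Certificate Expiry")
    if decode_oid(der_children(sig_alg[1])[0][1]) in WEAK_SIGNATURE_OIDS:
        findings.append("SSL Certificate Signed Using Weak Hashing Algorithm")
    return findings

def tls_version_offered(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # OpenSSL 3 will not offer TLS 1.0/1.1 at its default level
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ValueError, ssl.SSLError, OSError):  # ValueError: this client build lacks that version
        return False

def version_findings(offered):
    """Map a probe callable (TLSVersion -> bool) onto the scanner's finding names."""
    return [name for name, ver in LEGACY_VERSIONS.items() if offered(ver)]

def check_host(host, port=443):
    pem = ssl.get_server_certificate((host, port))  # fetches the leaf without requiring trust
    probe = lambda version: tls_version_offered(host, port, version)
    return cert_findings(ssl.PEM_cert_to_DER_cert(pem)) + version_findings(probe)

def der(tag, content):
    """Tiny DER encoder, used only to build the constructed sample certificate below."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content

def sample_cert(self_signed=True, not_after=b"300101000000Z", sig_oid=SHA256_RSA_OID):
    """Constructed X.509 DER with a dummy key and signature: correct shape, not verifiable."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn))))
    alg = der(0x30, der(0x06, sig_oid) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(b"exinda-mgmt" if self_signed else b"Corp Issuing CA")  # issuer
              + der(0x30, der(0x17, b"200101000000Z") + der(0x17, not_after))  # validity
              + name(b"exinda-mgmt") + der(0x30, der(0x03, b"\x00" + bytes(8))))  # subject, SPKI
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(16)))

if __name__ == "__main__":
    print("\n".join(check_host(sys.argv[1]) or ["no SSL/TLS findings"]))
```

Run it with the management host name as the only argument. An empty result means the self-signed, expiry, weak-hash and TLS 1.0/1.1 items from the list at the top of this article should no longer appear in the next scan; the full scanner run remains the authoritative confirmation.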
Run the vulnerability scanner after the upgrade to confirm the absence of vulnerabilities.
In case any issues persist, contact Exinda support for assistance.