[j-nsp] MX204 update from 21.4R3-S4 to 21.4R3-S5
Richard McGovern
rmcgovern at juniper.net
Thu Nov 9 13:14:21 EST 2023
I believe if your cipher is set to one that Juniper no longer supports, i.e. that knob selection is deprecated, the upgrade will not complete. The change in cipher support is due to new vulnerability findings.
SSH Vulnerability, "Deprecated SSH Cryptographic Settings", with Vulnerability Result Type quoting the details of the category under which the alert is identified. For example, if a customer monitoring tool reports "Vulnerability Result Type Name key_exchange diffie-hellman-group14-sha1 host_key ssh-rsa MAC hmac-sha1-**** MAC hmac-sha1", this means the SRX is using deprecated SSH cryptographic settings to communicate.
Changes are needed under system services ssh to allow only strong ciphers, host keys, MACs and algorithms.
Settings currently considered deprecated (might change later):
+ Ciphers using CFB or OFB - Very uncommon, and deprecated because of weaknesses compared to newer cipher chaining modes such as CTR or GCM
+ RC4 cipher (arcfour, arcfour128, arcfour256) - The RC4 cipher has a cryptographic bias and is no longer considered secure
+ Ciphers with a 64-bit block size (DES, 3DES, Blowfish, IDEA, CAST) - Ciphers with a 64-bit block size may be vulnerable to birthday attacks (Sweet32)
+ Key exchange algorithms using DH group 1 (diffie-hellman-group1-sha1, gss-group1-sha1-*) - DH group 1 uses a 1024-bit key which is considered too short and vulnerable to Logjam-style attacks
+ Key exchange algorithm rsa1024sha1 - Very uncommon, and deprecated because of the short RSA key size
+ MAC algorithm umac-32 - Very uncommon, and deprecated because of the very short MAC length
Just FYI. Rich
Richard McGovern
Sr Sales Engineer, Juniper Networks
978-618-3342
I’d rather be lucky than good, as I know I am not good
I don’t make the news, I just report it
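As an added example (not code from the thread, Juniper or any monitoring vendor), the following Python checker encodes the deprecated categories listed in Rich's reply above, plus the SHA-1 based names that the quoted "Vulnerability Result Type" alert flagged (diffie-hellman-group14-sha1, ssh-rsa, hmac-sha1), and uses them to (a) parse such an alert string into findings and (b) split a proposed algorithm list into allowed and deprecated entries before it is configured. The regexes, function names and sample strings are the example's own assumptions; the algorithm names are the usual SSH wire identifiers, and mapping the surviving names onto the exact Junos knob values under system services ssh is left to the operator.

```python
import re
from typing import Dict, List, Optional, Tuple

# Deprecated categories quoted from the message above, keyed by the SSH
# negotiation field they apply to.  Each entry is (regex on the algorithm
# name, reason).  Names follow the usual SSH wire identifiers.
DEPRECATED: Dict[str, List[Tuple[str, str]]] = {
    "cipher": [
        (r"-(cfb|ofb)(@|$)", "CFB/OFB chaining mode, weaker than CTR or GCM"),
        (r"^arcfour", "RC4 has a cryptographic bias"),
        (r"^(3?des|blowfish|idea|cast)", "64-bit block size (Sweet32 birthday attack)"),
    ],
    "key_exchange": [
        (r"^(diffie-hellman-group1-sha1$|gss-group1-sha1-)",
         "DH group 1 is 1024-bit (Logjam-style attacks)"),
        (r"^rsa1024-?sha1$", "short RSA key size"),
    ],
    "mac": [
        (r"^umac-32", "very short MAC length"),
    ],
}

# Assumption made by this example: the quoted monitoring-tool alert flagged
# diffie-hellman-group14-sha1, ssh-rsa and hmac-sha1, so SHA-1 based names
# in those fields are reported as deprecated as well.
SHA1_REASON = "SHA-1 based (flagged in the quoted scanner alert)"


def classify(field: str, name: str) -> Optional[str]:
    """Return why an algorithm is deprecated for the given field, or None."""
    field = field.lower()
    for pattern, reason in DEPRECATED.get(field, []):
        if re.search(pattern, name):
            return reason
    if field == "host_key" and name == "ssh-rsa":
        return SHA1_REASON
    if field in ("key_exchange", "mac") and re.search(r"(^|-)sha1($|-)", name):
        return SHA1_REASON
    return None


# Field/value pairs as they appear in the scanner string quoted above
# (hypothetical format, derived only from that one example string).
ALERT_FIELD = re.compile(r"\b(key_exchange|host_key|cipher|MAC)\s+(\S+)", re.IGNORECASE)


def parse_alert(text: str) -> List[Tuple[str, str]]:
    """Extract (field, algorithm) pairs from a 'Vulnerability Result Type' string."""
    return [(field.lower(), name) for field, name in ALERT_FIELD.findall(text)]


def audit_alert(text: str) -> List[Tuple[str, str, str]]:
    """Return (field, algorithm, reason) for every deprecated setting in the alert."""
    findings = []
    for field, name in parse_alert(text):
        reason = classify(field, name)
        if reason is not None:
            findings.append((field, name, reason))
    return findings


def split_allowed(field: str, candidates: List[str]) -> Tuple[List[str], List[str]]:
    """Split a proposed algorithm list into (allowed, deprecated) for one field."""
    allowed: List[str] = []
    rejected: List[str] = []
    for name in candidates:
        (rejected if classify(field, name) else allowed).append(name)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed sample: the alert text quoted in the message above.
    sample = ("Vulnerability Result Type Name key_exchange diffie-hellman-group14-sha1 "
              "host_key ssh-rsa MAC hmac-sha1-**** MAC hmac-sha1")
    for field, name, reason in audit_alert(sample):
        print(f"{field:13} {name:32} {reason}")
    keep, drop = split_allowed("cipher", ["aes256-ctr", "3des-cbc", "arcfour256",
                                          "aes128-cfb", "aes256-gcm@openssh.com"])
    print("allowed ciphers:", keep)
    print("deprecated ciphers:", drop)
```

Running the audit over the quoted alert reports all four negotiated settings, each for the SHA-1 reason, while the cipher split keeps only the CTR and GCM entries; a practitioner can extend DEPRECATED as Juniper's list changes, which the message notes it might.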
On 11/9/23, 4:43 AM, "Muhammad Aamir" <aamirwwol at gmail.com> wrote:
Try the below, then do the upgrade again.
deactivate system services ssh ciphers
Regards,
Aamir
On Thu, Nov 9, 2023 at 12:28 PM Andreas S. Kerber via juniper-nsp <juniper-nsp at puck.nether.net> wrote:
> Anybody successfully updated MX204 from 21.4R3-S4 to 21.4R3-S5?
> Got a few MX204 and trying to "request vmhost software add" fails
> on each of them.
>
> Anybody got a hint for me?
>
> $ request vmhost software add
> /var/tmp/junos-vmhost-install-mx-x86-64-21.4R3-S5.4.tgz
> Junos Validation begin. Procedure will take few minutes.
> Checking if VirtFS can be used for image install ...
> Required: 7654536554 bytes Available: 21476761600 bytes
> Using VirtFS ...
> {...}
> Hardware Database regeneration succeeded
> Validating against /config/juniper.conf.gz
> mgd: commit complete
> Validation succeeded
> Validating against /config/rescue.conf.gz
> mgd: commit complete
> Validation succeeded
> Verified junos-vmhost-install-mx-x86-64-21.4R3-S5.4 signed by
> PackageDevelopmentECP256_2023 method ECDSA256+SHA256
> Copied the config and other data to the aux disk.
> Transfer junos-host-upgrade.sh
> lost connection
> Transfer Done
> Starting upgrade ...
> sh: /junos/install/junos-host-upgrade.sh: No such file or directory
> rm: cannot remove '/junos/install/junos-host-upgrade.sh': No such file or
> directory
> ... upgrade failed.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp