SHA-1 crack just got real: System Center uses it to talk to Linux
No immediate danger, but Microsoft wants you to deprecate old certs
When Google revealed last week that it had destroyed the SHA-1 algorithm, it hammered another nail into the venerable algo's coffin.
But as we noted in our report on the feat, many applications still use SHA-1. And if you're one of the many Windows shops running Microsoft's System Center Operations Manager Management Server, you've got an exposure.
Your problem stems from the fact that System Center 2016 RTM uses the
sha1WithRSAEncryption signing algorithm for the both agent certificates and signing certificates, for the agents needed to hook Unix and Linux clients to the management tool.
Microsoft has since made the more secure SHA256 algorithm the default in System Center 2012 R2 Operations Manager UR12 and System Center 2016 Operations Manager UR2. But ye olde version 2016 RTM still has SHA-1 sputtering away under the hood and you therefore probably have certs signed with the ancient algo that need upgrading.
The good news is that Microsoft has an explanation on how to upgrade to SHA256 here.
The TL;DR version? Either get your hands on updates to the Unix/Linux management packs, upgrade to the SHA-256-using versions of SCOM or get busy with PowerShell. ®
Sponsored: Becoming a Pragmatic Security Leader