topic Re: SSH Weak Key Exchange Algorithms Enabled has been raised on VA Sca in Network Security

SSH Weak Key Exchange Algorithms Enabled has been raised on VA Scan

Sufiyan1 — Thu, 24 Feb 2022 05:55:36 GMT

Please help to know if anyway to fix this observation or any workaround.

The remote SSH server is configured to allow key exchange algorithms which are considered weak.

This is based on the IETF draft document Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)
draft-ietf-curdle-ssh-kex-sha2-20. Section 4 lists guidance on key exchange algorithms that SHOULD NOT and MUST NOT be
enabled. This includes:

diffie-hellman-group-exchange-sha1

diffie-hellman-group1-sha1

gss-gex-sha1-*

gss-group1-sha1-*

gss-group14-sha1-*

rsa1024-sha1

Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software
versions.

Re: SSH Weak Key Exchange Algorithms Enabled has been raised on VA Sca

Georg Pauwen — Thu, 24 Feb 2022 08:29:08 GMT

Hello,

which device is this on (e.g. ASA or IOS) ?

You can enable/disable whichever algorithms you want with the command 'ip ssh server algorithm encryption':

ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc

Re: SSH Weak Key Exchange Algorithms Enabled has been raised on VA Sca

Sufiyan1 — Sun, 27 Feb 2022 15:38:42 GMT

Hello Georg,

Thank you for quick reply.

This raised on both IOS and ASA devices to change KEX values as per recommended however only two options are available we can see on IOS devices but on ASA doesn't shows anything wrt of KEX algorithm.

inXXXX #sh ip ssh | i KEX
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

inXXXX #sh ip ssh | i Encryption
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr

Re: SSH Weak Key Exchange Algorithms Enabled has been raised on VA Sca

Rob Ingram — Tue, 01 Mar 2022 10:26:05 GMT

@Sufiyan1 you can change the DH groups on the ASA using the commands - "ssh key-exchange group dh-group14-sha1"

Re: SSH Weak Key Exchange Algorithms Enabled has been raised on VA Sca

Sufiyan1 — Tue, 01 Mar 2022 10:15:11 GMT

Thank Rob for this info.

Can someone help to know how we can change SSH KEX values on IOS devices as per recommended option to close this weaker SSH KEX algorithm enabled or any info that states current values are not come into weak algorithm.

inXXXX #sh ip ssh | i KEX
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

Re: SSH Weak Key Exchange Algorithms Enabled has been raised on VA Sca

Rob Ingram — Tue, 01 Mar 2022 10:25:30 GMT

@Sufiyan1 select one...

router(config)#ip ssh dh min size ?
  1024  Diffie Group 1 1024-bit key
  2048  Diffie Group 14 2048-bit key
  4096  Diffie Group 16 4096-bit key

Re: SSH Weak Key Exchange Algorithms Enabled has been raised on VA Sca

Sufiyan1 — Fri, 11 Mar 2022 15:33:34 GMT

@Rob Ingram So does this dh value change fix this vulnerability.

I guess vulnerability is highlighted on below kex algorithm. Could you help to understand on this if this can be changed to recommended value or are we any plan to introduce more secure values.

router(config)#ip ssh server algorithm kex ?
diffie-hellman-group-exchange-sha1 DH_GRPX_SHA1 diffie-hellman key exchange algorithm
diffie-hellman-group14-sha1 DH_GRP14_SHA1 diffie-hellman key exchange algorithm

Re: SSH Weak Key Exchange Algorithms Enabled has been raised on VA Sca

ARPALANISAM — Mon, 26 Aug 2024 17:44:54 GMT

Device#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)#ip ssh server algorithm KEX diffie-hellman-group14-sha1
Device(config)#end