ASA SSH Keys Failing PCI scan

Skawilly1
Level 1

I have an ASA 5508-X and my bank offers a complimentary service to scan my network for PCI compliance. Everything has been good for a couple of years now. But last month it failed. I checked the results and my IPSec and SSH ciphers were failing. I upped my IPSec to IKEv2 group 14 and moved to AES and SHA256 and that is now passing. However, the SSH keys are still failing. I set the ciphers to 'only high' options and I put the SSH key exchange to group 14. And just for kicks, I set the RSA keys to 4096 strength. Even now the unit is still failing the PCI Scan for the SSH keys and I am not sure what I can do. 

 

I am on ASA 9.8 (2). Here is my SSH Running Config:
aaa authentication ssh console LOCAL
no ssh stricthostkeycheck
ssh Y.Y.Y.Y 255.255.255.255 outside
ssh X.X.X.X 255.255.255.255 outside
ssh timeout 60
ssh version 2
ssh cipher encryption high
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1

Here is the vendor's 'failed' message:

Description:
SSH data integrity is protected by including with each packet a MAC that is computed from a shared secret, packet sequence number, and the contents of the packet. The algorithms supported by this SSH server use cryptographically weak hashing (MAC) algorithms for data integrity.

Remediation:
Configure the SSH service to no longer support weak hashing algorithms (aka: MACs)

 

Now, I do not see a way to do that with the current contexts. Is there an ASA update from 9.8 that will support higher SSH hashing algorithms? Or maybe, by turning it to high, I still need to somehow disable the weaker ones?

 

Thanks.

 


Dennis Mink
VIP Alumni

Can you do:

 

HUB#sh ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-ctr hmac-sha1 Session started user
0 2.0 OUT aes256-ctr hmac-sha1 Session started user

 

 

This should tell you what MAC you are using (like hmac above).

 

You can change to:

 

HUB(config)#ip ssh client algorithm mac ?
hmac-sha1 HMAC-SHA1 (digest length = key length = 160 bits)
hmac-sha1-96 HMAC-SHA1-96 (digest length = 96 bits, key length = 160 bits)

 

And that is pretty much the flavours you have.

 


Thanks for the reply. I am not seeing those commands or any items close to it. I believe you are working on an older ASA or a router.

The scan report doesn't tell you what is an acceptable hash?

 

As of right now, here're the supported algorithms on an ASA (an ASAv running the current latest release 9.9(2) in this case):

 

cielab-asa# sh ver | i bin
System image file is "disk0:/asa992-smp-k8.bin"
ccielab-asa# sh ssh ciphers
Available SSH Encryption and Integrity Algorithms
Encryption Algorithms:
all: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
low: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
medium: aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
fips: aes128-cbc aes256-cbc
high: aes256-cbc aes256-ctr
Integrity Algorithms:
all: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
low: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
medium: hmac-sha1 hmac-sha1-96
fips: hmac-sha1
high: hmac-sha1
ccielab-asa#

 

You can check what your session has negotiated with the command

 

show ssh sessions detail
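The scanner does not log in; it reads the MAC list the ASA advertises in its SSH_MSG_KEXINIT before authentication, so that list is what has to be checked when verifying the fix. The following is an added example, not from the thread or from any Cisco tool: it decodes a KEXINIT payload (RFC 4253 section 7.1) and reports every offered MAC that is not SHA-2 based. The embedded sample payload is constructed to mirror the 'high' profile shown above, and the "SHA-2 only" acceptance policy is an assumption about the scanner, consistent with it flagging hmac-sha1.

```python
import socket
import struct

# Assumed scanner policy: only SHA-2 HMACs pass; hmac-sha1, hmac-sha1-96,
# hmac-md5 and hmac-md5-96 (the ASA 9.9(2) choices above) are all flagged.
STRONG_MACS = {"hmac-sha2-256", "hmac-sha2-512",
               "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"}

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253 section 7.1).
NAME_LISTS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload into its name-lists (msg id 20, 16-byte cookie first)."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT message")
    pos, fields = 17, {}
    for name in NAME_LISTS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        fields[name] = [a for a in raw.split(",") if a]
        pos += 4 + length
    return fields

def build_kexinit(**lists) -> bytes:
    """Encode a KEXINIT payload; used here only to construct sample server output."""
    body = bytes([20]) + b"\x00" * 16
    for name in NAME_LISTS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

def weak_macs(fields: dict) -> list:
    """MACs offered in either direction that fall outside the assumed policy."""
    offered = set(fields["mac_c2s"]) | set(fields["mac_s2c"])
    return sorted(offered - STRONG_MACS)

def fetch_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read a live server's version banner, then its first binary packet (KEXINIT)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-mac_audit\r\n")
        banner = b""
        while not banner.endswith(b"\n"):      # assumes first line is the version string
            banner += s.recv(1)
        (pkt_len,) = struct.unpack(">I", s.recv(4, socket.MSG_WAITALL))
        pad_len = s.recv(1)[0]
        rest = s.recv(pkt_len - 1, socket.MSG_WAITALL)
        return rest[: pkt_len - 1 - pad_len]

# Constructed sample mirroring the ASA 'high' profile quoted in this thread.
ASA_HIGH_SAMPLE = build_kexinit(
    kex=["diffie-hellman-group14-sha1"], hostkey=["ssh-rsa"],
    enc_c2s=["aes256-cbc", "aes256-ctr"], enc_s2c=["aes256-cbc", "aes256-ctr"],
    mac_c2s=["hmac-sha1"], mac_s2c=["hmac-sha1"], comp_c2s=["none"], comp_s2c=["none"])
```

Running `weak_macs(parse_kexinit(fetch_kexinit("<your-asa>")))` against your own management interface shows the same list the scanner evaluates; for the sample it returns `['hmac-sha1']`, which is why "high" alone does not clear the finding.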

I appreciate that info. By this then, there is no way to get the 5508-X firewall to be PCI compliant, and I really don't believe that is the case. I will need to work with the PCI scanning vendor and figure out if I am not reading it correctly or if their scans are not working properly.

 

What is FIPS, and should I worry about it in this scenario?

FIPS is an abbreviation for Federal Information Processing Standard.

 

There are several standards describing security guidelines (notably FIPS 140-1 and 140-2). Using "FIPS mode" turns on the applicable settings for the ASA. It also includes other measures that must be followed, such as physical security and tamper-proofing.
