05-23-2023 05:12 AM
One of our customers' Cisco ASA firewalls was found vulnerable to "Diffie-Hellman Ephemeral Key Exchange DoS Vulnerability (SSH, D(HE)ater)" following a vulnerability scan.
The CVE could either be CVE-2002-20001 or, most likely, CVE-2022-40735.
The firmware is ASA 9.15 and this is the SSH configuration (some of it redacted for privacy):
customer# show run ssh
ssh stricthostkeycheck
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh x.x.x.x 255.255.255.0 outside
ssh x.x.x.x 255.255.255.0 inside
ssh x.x.x.x 255.255.255.0 inside
ssh x.x.x.x 255.255.255.0 inside
ssh x.x.x.x 255.255.255.255 inside
I have no idea how to solve this problem, despite having read a dozen security blogs and documents of various kinds.
From what I found online, the solution would be to use "either the elliptic-curve variant of Diffie-Hellman (ECDHE) or RSA key exchange", but the ASA supports only these key-exchange groups:
dh-group1-sha1 Diffie-Hellman group 2 (DEPRECATED)
dh-group14-sha1 Diffie-Hellman group-14-sha1
dh-group14-sha256 Diffie-Hellman group-14-sha256
Any solutions available?
05-23-2023 06:14 AM
@MarcoLazzarotto upgrade to ASA 9.16 or higher, which has SSH security improvements. https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/release/notes/asarn916.html
Set the Diffie-Hellman (DH) key exchange mode: ssh key-exchange group {curve25519-sha256 | dh-group1-sha1 | dh-group14-sha1 | dh-group14-sha256 | ecdh-sha2-nistp256}
05-23-2023 06:36 AM
Thank you @Rob Ingram
05-23-2023 06:32 AM - edited 05-23-2023 06:37 AM
https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html
First check the ASA platform against the link above for compatibility with versions higher than 9.15.
Starting from 9.16, the key exchange options include elliptic curve.
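The two answers above amount to: upgrade, then move `ssh key-exchange group` off finite-field Diffie-Hellman onto curve25519-sha256 or ecdh-sha2-nistp256. The way to confirm the change actually took effect (and the way a scanner decides the box is "vulnerable" in the first place) is to look at the key-exchange name-list the ASA advertises in its SSH_MSG_KEXINIT: D(HE)ater only works against methods that start with `diffie-hellman-group`, since those force a large modular exponentiation on the server per connection. The script below is an added example, not code from the thread or from Cisco. It builds and parses RFC 4253 KEXINIT payloads, flags finite-field DHE methods, and includes an uncalled `fetch_server_kexinit` helper for running the same check against a live host. The two sample payloads are constructed here to mirror the 9.15 config in the question (dh-group14-sha1 only) and the post-upgrade config (curve25519-sha256); the host-key, cipher and MAC lists in them are assumed, as is the mapping from ASA CLI group names to SSH wire names.

```python
"""Check an SSH server's KEXINIT for D(HE)ater-relevant key exchange methods.

Added example for the thread above, not Cisco's or the poster's code.
The two payloads at the bottom are constructed here, not captured from an ASA.
"""
import struct

SSH_MSG_KEXINIT = 20

# Assumed mapping from the ASA 'ssh key-exchange group' names to the SSH
# algorithm names that appear on the wire (RFC 4253 / RFC 8731 names).
ASA_TO_WIRE = {
    "dh-group1-sha1": "diffie-hellman-group1-sha1",
    "dh-group14-sha1": "diffie-hellman-group14-sha1",
    "dh-group14-sha256": "diffie-hellman-group14-sha256",
    "ecdh-sha2-nistp256": "ecdh-sha2-nistp256",
    "curve25519-sha256": "curve25519-sha256",
}

KEXINIT_FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c",
]


def asa_group_to_wire(name):
    return ASA_TO_WIRE[name]


def _name_list(names):
    # RFC 4253 name-list: uint32 length, then comma-separated ASCII names.
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, cipher, mac, comp=("none",), cookie=b"\x00" * 16):
    """Build an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    payload += _name_list(kex) + _name_list(hostkey)
    payload += _name_list(cipher) * 2      # encryption c2s, s2c
    payload += _name_list(mac) * 2         # mac c2s, s2c
    payload += _name_list(comp) * 2        # compression c2s, s2c
    payload += _name_list([]) * 2          # languages c2s, s2c
    payload += b"\x00"                     # first_kex_packet_follows
    payload += struct.pack(">I", 0)        # reserved
    return payload


def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload as a dict of lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16                           # message byte + 16-byte cookie
    out = {}
    for field in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        pos += n
        out[field] = [s for s in raw.decode("ascii").split(",") if s]
    return out


def ffdhe_offered(kex_algorithms):
    # Finite-field DHE methods (group1/14/16/18 and group-exchange) are the
    # ones D(HE)ater can exhaust; ECDH and curve25519 are not affected.
    return [k for k in kex_algorithms if k.startswith("diffie-hellman-group")]


def dheater_exposure(payload):
    """Summarise a server KEXINIT: DHE methods offered and whether an ECDH
    alternative is available to move to."""
    kex = parse_kexinit(payload)["kex_algorithms"]
    dhe = ffdhe_offered(kex)
    ecdh = any(k.startswith(("curve25519", "ecdh-sha2")) for k in kex)
    return {"kex": kex, "ffdhe": dhe, "exposed": bool(dhe), "ecdh_available": ecdh}


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Read a live server's identification line and its KEXINIT payload.
    Not called at import; use it to check a real device after the upgrade."""
    import socket
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):
            line = f.readline()            # skip pre-identification banner lines
        s.sendall(b"SSH-2.0-kexcheck\r\n")
        packet_len, pad_len = struct.unpack(">IB", f.read(5))  # RFC 4253 section 6
        body = f.read(packet_len - 1)
        payload = body[:packet_len - 1 - pad_len]
    return line.decode(errors="replace").strip(), payload


# Constructed samples: KEX lists taken from the thread, other lists assumed.
ASA_915_KEXINIT = build_kexinit(
    kex=[asa_group_to_wire("dh-group14-sha1")],
    hostkey=["ssh-rsa"], cipher=["aes256-ctr", "aes128-ctr"],
    mac=["hmac-sha2-256", "hmac-sha1"])
ASA_916_KEXINIT = build_kexinit(
    kex=[asa_group_to_wire("curve25519-sha256")],
    hostkey=["ssh-rsa"], cipher=["aes256-ctr", "aes128-ctr"],
    mac=["hmac-sha2-256", "hmac-sha1"])

if __name__ == "__main__":
    for label, p in (("ASA 9.15 config", ASA_915_KEXINIT), ("ASA 9.16 config", ASA_916_KEXINIT)):
        print(label, dheater_exposure(p))
```

Against a real device, `dheater_exposure(fetch_server_kexinit("x.x.x.x")[1])` gives the same dict; `exposed` should be False after the group change. Note the scanner may still flag the box if the ASA is left on dh-group14-sha256, because the finding is about finite-field DHE, not about the hash.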