SSH Weak Key Exchange Algorithms Enabled has been raised on VA Scan

Sufiyan1 (Level 1)

Please help to know if anyway to fix this observation or any workaround. 


The remote SSH server is configured to allow key exchange algorithms which are considered weak.

This is based on the IETF draft document Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)
draft-ietf-curdle-ssh-kex-sha2-20. Section 4 lists guidance on key exchange algorithms that SHOULD NOT and MUST NOT be
enabled. This includes:

diffie-hellman-group-exchange-sha1

diffie-hellman-group1-sha1

gss-gex-sha1-*

gss-group1-sha1-*

gss-group14-sha1-*

rsa1024-sha1

Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software
versions.

7 Replies

Hello,


Which device is this on (e.g. ASA or IOS)?


You can enable/disable whichever algorithms you want with the command 'ip ssh server algorithm encryption':


ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc

Hello Georg,


Thank you for the quick reply.


This was raised on both IOS and ASA devices, asking to change the KEX values as recommended; however, only two options are available on the IOS devices, and the ASA doesn't show anything with regard to the KEX algorithm.


inXXXX #sh ip ssh | i KEX
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1


inXXXX #sh ip ssh | i Encryption
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr

@Sufiyan1 you can change the DH group on the ASA using the command "ssh key-exchange group dh-group14-sha1".

Thanks Rob for this info.

Can someone help me understand how we can change the SSH KEX values on IOS devices to the recommended option, to close this "weak SSH KEX algorithm enabled" finding, or provide any information stating that the current values do not fall under the weak algorithms?


inXXXX #sh ip ssh | i KEX
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

@Sufiyan1 select one...


router(config)#ip ssh dh min size ?
  1024  Diffie Group 1 1024-bit key
  2048  Diffie Group 14 2048-bit key
  4096  Diffie Group 16 4096-bit key


@Rob Ingram So does this DH size change fix this vulnerability?


I guess the vulnerability is highlighted on the KEX algorithm below. Could you help me understand whether this can be changed to the recommended value, or whether there is any plan to introduce more secure values?


router(config)#ip ssh server algorithm kex ?
diffie-hellman-group-exchange-sha1 DH_GRPX_SHA1 diffie-hellman key exchange algorithm
diffie-hellman-group14-sha1 DH_GRP14_SHA1 diffie-hellman key exchange algorithm


Device#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)#ip ssh server algorithm KEX diffie-hellman-group14-sha1
Device(config)#end
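To confirm from the client side that the change above actually removed the flagged methods, here is an added example (not from the thread or from Cisco) that parses the kex_algorithms name-list of a server's SSH_MSG_KEXINIT (RFC 4253, which is sent before any authentication) and matches it against the weak list quoted in the finding; the sample payloads are constructed from the IOS output shown in the thread.

```python
import socket
import struct

# Weak KEX methods listed in the scan finding above (draft-ietf-curdle-ssh-kex-sha2, section 4).
# The gss-* entries are prefixes: real names carry a base64-encoded OID suffix.
WEAK_KEX_PREFIXES = (
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group1-sha1",
    "gss-gex-sha1-",
    "gss-group1-sha1-",
    "gss-group14-sha1-",
    "rsa1024-sha1",
)

def parse_kexinit_kex(payload: bytes) -> list:
    """Return the kex_algorithms name-list from an SSH_MSG_KEXINIT payload (RFC 4253 s.7.1)."""
    if not payload or payload[0] != 20:              # SSH_MSG_KEXINIT has message id 20
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16                                      # message id + 16-byte random cookie
    (length,) = struct.unpack(">I", payload[off:off + 4])
    names = payload[off + 4:off + 4 + length].decode("ascii")
    return names.split(",") if names else []

def weak_kex(algos) -> list:
    """Subset of the offered KEX names that match the finding's weak list."""
    return [a for a in algos if a.startswith(WEAK_KEX_PREFIXES)]

def build_kexinit(kex_csv: str) -> bytes:
    """Constructed minimal KEXINIT payload for offline testing (only kex_algorithms is filled in)."""
    body = kex_csv.encode("ascii")
    return bytes([20]) + b"\x00" * 16 + struct.pack(">I", len(body)) + body

def fetch_server_kex(host: str, port: int = 22, timeout: float = 5.0) -> list:
    """Read a live server's KEXINIT (pre-authentication) and return the KEX list it offers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexaudit\r\n")
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # RFC 4253 allows banner lines before the version
            line = f.readline()
        (packet_len,) = struct.unpack(">I", f.read(4))
        padding_len = f.read(1)[0]
        payload = f.read(packet_len - padding_len - 1)  # packet_len covers padding_len byte + payload + padding
    return parse_kexinit_kex(payload)

# Constructed samples reproducing the IOS "sh ip ssh | i KEX" output before and after the fix.
BEFORE = "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1"
AFTER = "diffie-hellman-group14-sha1"

if __name__ == "__main__":
    for label, csv in (("before", BEFORE), ("after", AFTER)):
        print(label, "weak:", weak_kex(parse_kexinit_kex(build_kexinit(csv))) or "none")
```

Run `fetch_server_kex("<device-ip>")` against a device you administer to check the live offer; the audit only reads the server's public algorithm list and never proceeds to key exchange or authentication.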
