https://community.checkpoint.com/t5/General-Topics/Vulnerability-on-our-SMS/m-p/202988#M33784 <P>We have scanned our SMS Server and found 2 vulnerablities. Can anyone suggest me how to fix them?&nbsp;<BR /><BR />1.&nbsp;Weak Key Exchange (KEX) Algorithm(s) Supported (SSH)</P><P>The remote SSH server is configured to allow / support weak key exchange (KEX) algorithm(s).<BR />Port 22/tcp</P><P>2.&nbsp;Weak Encryption Algorithm(s) Supported (SSH)</P><P>The remote SSH server is configured to allow / support weak encryption algorithm(s).<BR />Port 22/tcp</P> Sat, 13 Jan 2024 07:56:03 GMT gemechisd 2024-01-13T07:56:03Z https://community.checkpoint.com/t5/General-Topics/Vulnerability-on-our-SMS/m-p/202988#M33784 <P>We have scanned our SMS Server and found 2 vulnerablities. Can anyone suggest me how to fix them?&nbsp;<BR /><BR />1.&nbsp;Weak Key Exchange (KEX) Algorithm(s) Supported (SSH)</P><P>The remote SSH server is configured to allow / support weak key exchange (KEX) algorithm(s).<BR />Port 22/tcp</P><P>2.&nbsp;Weak Encryption Algorithm(s) Supported (SSH)</P><P>The remote SSH server is configured to allow / support weak encryption algorithm(s).<BR />Port 22/tcp</P> Sat, 13 Jan 2024 07:56:03 GMT https://community.checkpoint.com/t5/General-Topics/Vulnerability-on-our-SMS/m-p/202988#M33784 gemechisd 2024-01-13T07:56:03Z https://community.checkpoint.com/t5/General-Topics/Vulnerability-on-our-SMS/m-p/202989#M33785 <P>See the resources posted in reply to this discussion amongst others:</P> <P><A href="https://community.checkpoint.com/t5/Management/How-to-disable-weak-ssh-cipher-on-R80-40-R81-10/td-p/189713#M35893" target="_blank">https://community.checkpoint.com/t5/Management/How-to-disable-weak-ssh-cipher-on-R80-40-R81-10/td-p/189713#M35893</A></P> Sat, 13 Jan 2024 08:11:33 GMT https://community.checkpoint.com/t5/General-Topics/Vulnerability-on-our-SMS/m-p/202989#M33785 Chris_Atkinson 2024-01-13T08:11:33Z https://community.checkpoint.com/t5/General-Topics/Vulnerability-on-our-SMS/m-p/202990#M33786 <P>Which KEX and MAC were identified as weak by the scanner?</P> Sat, 13 Jan 2024 11:46:37 GMT https://community.checkpoint.com/t5/General-Topics/Vulnerability-on-our-SMS/m-p/202990#M33786 JozkoMrkvicka 2024-01-13T11:46:37Z https://community.checkpoint.com/t5/General-Topics/Vulnerability-on-our-SMS/m-p/202992#M33787 <P>I would say what&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/3630">@Chris_Atkinson</a>&nbsp;gave is your solution. Btw, you can also run cipher_util from expert mode and see options available there.</P> <P>Best,</P> <P>Andy</P> Sat, 13 Jan 2024 13:45:37 GMT https://community.checkpoint.com/t5/General-Topics/Vulnerability-on-our-SMS/m-p/202992#M33787 the_rock 2024-01-13T13:45:37Z https://community.checkpoint.com/t5/General-Topics/Vulnerability-on-our-SMS/m-p/203088#M33793 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1702">@JozkoMrkvicka</a>&nbsp;<BR /><BR />For KEX<BR /><BR />- Disable the reported weak KEX algorithm(s)<BR />&nbsp; &nbsp; &nbsp;1024-bit MODP group / prime KEX algorithms:<BR />&nbsp; &nbsp; &nbsp;Alternatively use elliptic-curve Diffie-Hellmann in general, e.g. Curve 25519.<BR /><BR />2. For MAC<BR />&nbsp; &nbsp; &nbsp;Disable the reported weak encryption algorithm(s).<BR /><BR /><BR /><BR /></P> Mon, 15 Jan 2024 12:00:37 GMT https://community.checkpoint.com/t5/General-Topics/Vulnerability-on-our-SMS/m-p/203088#M33793 gemechisd 2024-01-15T12:00:37Z