This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LostBoY
Advisor
‎2021-01-29 04:55 AM

SSH weak algorithm supported

a Vulnerability "SSH weak Algorithms supported" has been reported in R80.10 Gateways.. What is the procedure to resolve this vulnerability ?

are some modifications required in sshd conf file for this ?

Thanks

0 Kudos
7 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2021-01-29 05:42 AM

Start with reviewing sk106031 depending on the specific finding.

CCSM R77/R80/ELITE
PhoneBoy
Admin
Admin
‎2021-01-29 09:16 AM

You can adjust some of the algorithms offered by modifying the sshd configuration.
However, the version of OpenSSH we use prior to R80.40 is old and does not offer some of the currently recommended algorithms.
Given that R80.10 is End of Support in a few months, it’s highly recommended you upgrade.

LostBoY
Advisor
‎2021-02-03 06:28 AM
In response to PhoneBoy

Yes ..we have an upgrade planned in March for this.

Can you please point out the config i need to modify in sshd file

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-02-03 06:36 AM
In response to LostBoY

Hi,

 

Its right in the sk itself:

 

  1. Add the following 2 lines to the /etc/ssh/ssh_config and /etc/ssh/sshd_config files:

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr

    MACs hmac-sha1

    Important: There should be no spaces between ciphers/MACs and commas. 

  2. Remove previous "Ciphers/MACs" lines if they currently exist in the above files.

  3. Restart the SSH server using the service sshd restart command.
Best,
Andy
LostBoY
Advisor
‎2021-02-03 06:54 AM
In response to the_rock

Thanks for the reply..

 

i was looking in the sshd and ssh config files but i dont see any enabled CIPHERS there.

in the ssh config there is a line ciphers aes-.. blowfish.. and so on but it is hashed out .. this line is not present in sshd config file.

So i am a bit confused here.. why the vulnerability is being detected if it is hashed out ? or does no entry in the file related to default ciphers ?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-02-03 06:56 AM
In response to LostBoY

Send me the file privately and I can compare it to one from fresh gateway.

Andy

Best,
Andy
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-02-03 07:10 AM
In response to LostBoY

The OpenBSD developers (and OpenSSH is an OpenBSD project) include default values for most configurable items. These default values don't need anything in the config file to work, but they include them in the config file anyway as a valid config line which would result in the same behavior as the default, commented out.

You can either remove the "# " at the start of the line and edit it to your requirements (the defaults for a given OpenSSH version are easy enough to find online), or you can add a new line in the file meeting your requirements.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events