Deprecated SSH Cryptographic Settings

Security Vulnerability: Deprecated SSH Cryptographic Settings

This article discusses deprecated SSH cryptographic settings on the Linux operating system. The Qualys security scanner reports them as a vulnerability on CentOS/RHEL machines, as in the example shown below.

The SSH (Secure Shell) protocol allows for secure remote login from one Linux machine to another Linux machine. To communicate, the target supports deprecated SSH cryptographic settings. A man-in-the-middle attacker could use this vulnerability to record the communication and decrypt the session key and messages.

Visit the official Red Hat page for more information about deprecated functionality.

 

Deprecated SSH Cryptographic in CENTOS

To check the options of the OpenSSH daemon configuration file, run the command below on your Linux operating system.

man sshd_config

 

In the manual page you can find the supported and default ciphers and key exchange algorithms, as listed below.

Ciphers:

The supported ciphers are:

  • 3des-cbc
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • aes128-ctr
  • aes192-ctr
  • aes256-ctr
  • aes128-gcm@openssh.com
  • aes256-gcm@openssh.com
  • blowfish-cbc
  • cast128-cbc
  • chacha20-poly1305@openssh.com

 

Verify the KexAlgorithms as well, as shown below.

KexAlgorithms

  1. curve25519-sha256
  2. curve25519-sha256@libssh.org
  3. diffie-hellman-group1-sha1
  4. diffie-hellman-group14-sha1
  5. diffie-hellman-group-exchange-sha1
  6. diffie-hellman-group-exchange-sha256
  7. ecdh-sha2-nistp256
  8. ecdh-sha2-nistp384
  9. ecdh-sha2-nistp521

 

NOTE: Deprecated SSH cryptographic settings on a Linux machine are a severity level 3 vulnerability.

I have a CentOS 7 machine that contains ciphers with a 64-bit block size and key exchange algorithms using Diffie–Hellman, as shown below.

Type            Name
key exchange    diffie-hellman-group1-sha1
cipher          blowfish-cbc
cipher          cast128-cbc
cipher          3des-cbc

 

Vulnerability of General Remote Services SSH Cryptographic

THREAT:

The SSH (Secure Shell) protocol allows for secure remote login from one computer to another.
To communicate, the target implements deprecated SSH cryptographic settings.

IMPACT:

An attacker may exploit this vulnerability to decrypt the messages and the session key by working as a man-in-the-middle.

SOLUTION:

Make sure you do not use deprecated cryptographic settings when configuring SSH.

 

Recommended Actions:

Step1: Log in to the Linux machine as the root user and run the command below to list the available key exchange algorithms.

sshd -T|grep kex

 

Output:

[root@bhanuwriter etc]# sshd -T|grep kex
kexalgorithms curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256 ,diffie-he, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1

 

As you can see in the output above, diffie-hellman-group1-sha1 is present.

 

Step2: Find the list of default available ciphers.

sshd -T|grep ciphers

Output:

[root@bhanuwriter etc]# sshd -T|grep ciphers
ciphers chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc, cipher cast128-cbc, cipher 3des-cbc

 

As you can see in the output above, blowfish-cbc, cast128-cbc and 3des-cbc are present.

 

Step3: To stop the Linux machine from using deprecated cryptographic settings, add new entries to the system-wide configuration file for OpenSSH.

Copy the ciphers and key exchange algorithms output into a notepad. Remove the deprecated cryptographic settings such as diffie-hellman-group1-sha1, blowfish-cbc, cast128-cbc and 3des-cbc, then copy the rest of the content and paste it into the sshd configuration file as shown below. Each list must be a single comma-separated value with no spaces.

 

vi /etc/ssh/sshd_config

 


 

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

 

Step4: Restart the sshd service on your machine.

systemctl restart sshd
systemctl status sshd

 

Step5: Now check the current ciphers and key exchange algorithms on your local machine by running ssh with debug output, as in the command below.

ssh -vvv root@localhost

 

The output shows the active key exchange algorithms, message authentication code algorithms and ciphers.
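
The manual edit in Step3 and the check in Step5 can be scripted. The following is an added example, not part of the original article: it strips the four deprecated names flagged in the scan from `sshd -T` output and prints the resulting directives, and it audits a configuration for the same names. The function names and the sample input are constructed for illustration.

```shell
# Added example; function names and SAMPLE are constructed for illustration.
# Deprecated algorithms flagged in the scan result shown in this article.
DEPRECATED_KEX="diffie-hellman-group1-sha1"
DEPRECATED_CIPHERS="blowfish-cbc cast128-cbc 3des-cbc"

# filter_list LIST DENY: print comma-separated LIST minus the names in DENY.
filter_list() {
    list=$1; deny=" $2 "; out=
    old_ifs=$IFS; IFS=,
    for alg in $list; do
        case $deny in
            *" $alg "*) ;;                  # deprecated: drop it
            *) out="${out:+$out,}$alg" ;;   # keep, comma-joined, no spaces
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# render_config: `sshd -T` output on stdin -> cleaned sshd_config directives.
render_config() {
    while read -r key value; do
        case $key in
            kexalgorithms) printf 'KexAlgorithms %s\n' "$(filter_list "$value" "$DEPRECATED_KEX")" ;;
            ciphers) printf 'Ciphers %s\n' "$(filter_list "$value" "$DEPRECATED_CIPHERS")" ;;
        esac
    done
}

# audit: `sshd -T` output on stdin; print deprecated names still enabled,
# return 1 if any was found and 0 if the configuration is clean.
audit() {
    found=0
    while read -r key value; do
        case $key in
            kexalgorithms) deny=$DEPRECATED_KEX ;;
            ciphers) deny=$DEPRECATED_CIPHERS ;;
            *) continue ;;
        esac
        for bad in $deny; do
            case ",$value," in *",$bad,"*) echo "$key $bad"; found=1 ;; esac
        done
    done
    return "$found"
}
# Constructed sample of `sshd -T` output (not from a real host).
SAMPLE='kexalgorithms curve25519-sha256,diffie-hellman-group1-sha1
ciphers aes128-ctr,blowfish-cbc,cast128-cbc,3des-cbc,aes256-cbc'
printf '%s\n' "$SAMPLE" | render_config
```

On the server, `sshd -T | render_config` (as root) produces the lines for Step3, and `sshd -T | audit` after the restart in Step4 confirms that none of the flagged names remain.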

The vulnerability won’t be reported after the deprecated ciphers have been removed. In my previous article I discussed disabling the HTTP TRACK method on a Linux machine, since it is a severity 3 vulnerability.

 

Conclusion:

The deprecated SSH cryptographic settings issue has been fixed successfully. If you have any questions about this topic, please leave a comment.

 
