SSH Weak Key Exchange Algorithms Enabled

Article ID: 270186

Products

Data Loss Prevention Network Monitor and Prevent for Email and Web

Data Loss Prevention

Data Loss Prevention Enforce

Data Loss Prevention Enterprise Suite

Issue/Introduction

SSH Weak Key Exchange Algorithms Enabled

The remote SSH server is configured to allow key exchange algorithms which are considered weak.

This is based on the IETF draft document "Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)" (draft-ietf-curdle-ssh-kex-sha2-20).
Section 4 lists guidance on key exchange algorithms that SHOULD NOT and MUST NOT be enabled.
This includes:

diffie-hellman-group-exchange-sha1

diffie-hellman-group1-sha1

gss-gex-sha1-*

gss-group1-sha1-*

gss-group14-sha1-*

rsa1024-sha1

Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.

Resolution

The vulnerability is specific to the SSH configuration/service of the Linux server.
This vulnerability does not apply to the DLP application.
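
The following shell functions are an added example, not part of the original article or the vendor's tooling. They read the effective configuration printed by `sshd -T` on the Linux server, report any key exchange method from the list above, and print a `KexAlgorithms` line that omits them. The sample input and the `gss-` suffix in it are constructed.

```shell
#!/bin/sh
# Added example: check an sshd configuration dump against the list in this article.
# Real use on the Linux server (as root):  kex=$(sshd -T | effective_kex)

# Patterns copied from the article's list; the gss-* entries are wildcards.
is_weak_kex() {
    case "$1" in
        diffie-hellman-group-exchange-sha1|diffie-hellman-group1-sha1) return 0 ;;
        gss-gex-sha1-*|gss-group1-sha1-*|gss-group14-sha1-*) return 0 ;;
        rsa1024-sha1) return 0 ;;
    esac
    return 1
}

# Reads "sshd -T" style text on stdin and prints the comma-separated kex list.
# sshd -T prints the expanded list, so +/-/^ modifiers are already resolved.
effective_kex() {
    awk 'tolower($1) == "kexalgorithms" { print $2; exit }'
}

# Prints each flagged method from a comma-separated list, one per line.
# The subshell body keeps the IFS and noglob changes local to the function.
weak_kex() (
    set -f; IFS=,
    for alg in $1; do
        if is_weak_kex "$alg"; then printf '%s\n' "$alg"; fi
    done
)

# Prints a KexAlgorithms directive that keeps only the methods not flagged.
hardened_kex_line() (
    set -f; IFS=,
    kept=
    for alg in $1; do
        is_weak_kex "$alg" || kept="${kept:+$kept,}$alg"
    done
    if [ -n "$kept" ]; then printf 'KexAlgorithms %s\n' "$kept"; fi
)

# Constructed sample of "sshd -T" output (not taken from a real host).
SAMPLE='port 22
kexalgorithms curve25519-sha256,diffie-hellman-group-exchange-sha1,gss-group14-sha1-EXAMPLEOID,diffie-hellman-group14-sha256
ciphers aes256-gcm@openssh.com'

kex=$(printf '%s\n' "$SAMPLE" | effective_kex)
weak_kex "$kex"
hardened_kex_line "$kex"
```

After placing the printed directive in `sshd_config`, validate the file with `sshd -t` before reloading the service.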