Security scans on vSphere replication appliance may report SSH WEAK MESSAGE AUTHENTICATION CODE ALGORITHM

Article ID: 313977

Updated On:

Products

VMware Live Recovery

Issue/Introduction

The purpose of this document is to list the steps to mitigate this reported vulnerability.
This document provides mitigation steps specifically for the case where the MAC algorithm is considered weak because a known weak hashing function is used.

Symptoms:

Security scans on vSphere Replication Appliances may report the below:

"The SSH server supports cryptographically weak Hash-Based Message Authentication Codes (HMACs) including MD5 or 96-bit Hash-Based Algorithms"
The scan report will also list the insecure algorithms that it may have found, e.g.

Insecure algorithms in use:



Environment

VMware Site Recovery Manager 8.x

Cause

SSH MAC algorithms are used to validate data integrity and authenticity.
The MAC algorithm uses a message and private key to generate the fixed-length MAC.

MAC algorithms may be considered weak for the following reasons:
  1. A known weak hashing function is used (MD5)
  2. The digest length is too small (Less than 128 bits)
  3. The tag size is too small (Less than 128 bits)


This article provides steps to mitigate the vulnerability when the MAC algorithm is weak because a known weak hashing function (e.g. MD5) is used.

Resolution

1.    List the insecure MAC algorithms from the Vulnerability Scan Report.
For example, the insecure algorithms are:
•    [email protected]
•    [email protected]
•    [email protected]
•    hmac-sha1

2.    Log in to the HMS appliance
3.    Back up the file /etc/ssh/sshd_config
4.    Open /etc/ssh/sshd_config using a file editor
5.    Locate the insecure algorithms and remove them
•    [email protected]
•    [email protected]
•    [email protected]
•    hmac-sha1
6.    Save the file /etc/ssh/sshd_config
7.    Restart the SSH daemon:
systemctl restart sshd
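
Steps 3 to 6 can be scripted so that the edit is repeatable and refuses to leave sshd without any MAC. The following is an added example, not VMware's own tooling; the function names, the sample configuration and the flagged list are constructed for illustration and must be replaced with the algorithms named in your scan report.

```shell
#!/bin/sh
# Added example: drop scanner-flagged names from the MACs line of an sshd_config.

# filter_macs "<current>" "<flagged>": print the current comma-separated list
# minus the flagged names. Exact match only, so hmac-sha1 leaves hmac-sha1-96.
filter_macs() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v drop="$2" '
        BEGIN { n = split(drop, d, ","); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        $0 != "" && !($0 in bad) { out = out (out == "" ? "" : ",") $0 }
        END { print out }'
}

# harden_macs <config> "<flagged>": back up the file, then rewrite its MACs line.
# Returns 2 if there is no active MACs line, 3 if no MAC would be left.
harden_macs() {
    cfg=$1; flagged=$2
    # Keywords are case-insensitive; a commented "#MACs" line does not match.
    current=$(awk 'tolower($1) == "macs" { print $2; exit }' "$cfg")
    [ -n "$current" ] || { echo "no MACs line in $cfg" >&2; return 2; }
    kept=$(filter_macs "$current" "$flagged")
    [ -n "$kept" ] || { echo "refusing: no MAC would remain" >&2; return 3; }
    cp -p "$cfg" "$cfg.bak" || return 1    # step 3: back up before editing
    awk -v kept="$kept" '
        tolower($1) == "macs" { print "MACs " kept; next }
        { print }' "$cfg.bak" > "$cfg"
}

# Constructed sample config and flagged list; substitute your scan report's list.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'Port 22' \
        'MACs hmac-sha2-512,hmac-sha2-256,hmac-md5,hmac-md5-96,hmac-sha1' > "$tmp"
    harden_macs "$tmp" 'hmac-md5,hmac-md5-96,hmac-sha1' && grep '^MACs' "$tmp"
    rm -f "$tmp" "$tmp.bak"
}
demo
```

On the appliance the call would be `harden_macs /etc/ssh/sshd_config '<list from the scan report>'`. Running `sshd -t` before step 7 catches a malformed configuration before the daemon is restarted.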