Disable weak ciphers on NSX Manager - scanning reports show "SSH Weak Message Authentication Code Algorithms"


Article ID: 323554


Products

VMware NSX

Issue/Introduction

Symptoms:

  • A security scanner reports that a weak cipher or MAC algorithm is in use.
  • The flagged algorithm is ssh-rsa (RSA host key signatures made with SHA-1) or another SHA-1 based algorithm.
  • A vulnerability scan may report "SSH Weak Message Authentication Code Algorithms" and/or a description such as "The SSH server supports cryptographically weak Hash-based message authentication".



Environment

VMware NSX-T Data Center

Resolution

This issue will be fixed in a future product release.

Workaround:

Apply the following workaround on every NSX appliance:

1. SSH to the appliance as "root".

2. Create a copy of sshd_config file:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

3. In the "# Cipher and MAC algorithms" section, use vi or vim to edit the Ciphers, MACs and KexAlgorithms directives so that they read as shown below. The exact "before" values on your appliance may differ by version; only these three directives need to change.

Before change:
grep "Cipher and MAC" -A3 /etc/ssh/sshd_config
# Cipher and MAC algorithms
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
MACs [email protected],[email protected],hmac-sha2-256,hmac-sha2-512
KexAlgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-ssha512,diffie-hellman-group14-sha256

 

After change:
grep "Cipher and MAC" -A3 /etc/ssh/sshd_config
# Cipher and MAC algorithms
Ciphers [email protected],[email protected]
MACs [email protected],[email protected]
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

Note: the MACs line is what addresses the "Weak Message Authentication Code Algorithms" finding; the Ciphers and KexAlgorithms lines restrict the server further than that finding requires, and they are the lines most likely to break older SSH clients (see the client note at the end of this procedure).

4. Check the appliance OS version in /etc/os-release. (This step is optional: follow it only if you also want to restrict the host key algorithms, for example because the scanner flags ssh-rsa, or because host key-based authentication is used in your environment.)
 
If the appliance OS is Ubuntu 18.04, add the following line (the hostkeyalgorithms option) at the end of the sshd_config file:
 
hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

If the appliance OS is Ubuntu 20 or later, add the following line (the hostkeyalgorithms option) at the end of the sshd_config file:


Add the following hostkey options for all Ubuntu OS versions at the end of the sshd_config file:

hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key

Once HostKey is set explicitly, sshd offers only the keys listed, so the RSA host key is no longer presented; clients that only know the appliance's RSA host key will see a new (ECDSA or Ed25519) host key on their next connection.

5. Validate the edited file with sshd -t, then restart the sshd service. Keep your current SSH session open until step 6 confirms the new settings: a mistyped algorithm name stops sshd from starting and would otherwise lock you out of the appliance.
# service sshd restart

6. Review the effective ciphers, MACs, key exchange and host key settings:
# sshd -T | egrep -i 'cipher|kexalgorithms|Macs|hostkey'

Note: If your SSH client (e.g. PuTTY) reports an error similar to:
"Couldn't agree a client-to-server cipher (available: [email protected],[email protected])"
update the SSH client/PuTTY to the latest available version, i.e. one that supports the ciphers still offered by the NSX appliances.




Additional Information

Impact/Risks:
A security scanner may flag this as a security vulnerability.