The purpose of this document is to list the steps to mitigate the reported vulnerability.

This document provides mitigation steps specifically when the MAC algorithm considered weak is used due to a weak hashing function.

Symptoms:

Security scans on VIDM Appliance may report the below:

"The SSH server supports cryptographically weak Hash-Based Message Authentication Codes (HMACs)"
The scan report will also list the insecure algorithms that it may have found e.g.

Insecure MAC algorithms in use:

• [email protected]
• hmac-sha1

SSH MAC algorithms are used to validate data integrity and authenticity. 
The MAC algorithm uses a message and private key to generate the fixed-length MAC.

MAC algorithms may be considered weak for the following reasons:

1. A known weak hashing function is used (MD5)
2. The digest length is too small (Less than 128 bits)
3. The tag size is too small (Less than 128 bits)

1. Backup the config files 
   • cp /etc/ssh/ssh_config /etc/ssh/ssh_config.old
   • cp /etc/ssh/sshd_config  /etc/ssh/sshd_config.old
2. Open the below config files one by one 
   • vim /etc/ssh/ssh_config 
   • vim /etc/ssh/sshd_config 
3. Remove the below MAC’s and save the config files 
   • [email protected]
   • hmac-sha1
4. Restart the SSHD service.
   • systemctl restart sshd