Remove the deprecated SSH cryptographic settings from VIDM Appliance
Article ID: 327325
Updated On:
Products
VMware
Issue/Introduction
The purpose of this document is to list the steps to mitigate the reported vulnerability.
This document provides mitigation steps specifically when the MAC algorithm considered weak is used due to a weak hashing function.
Symptoms:
This document provides mitigation steps specifically when the MAC algorithm considered weak is used due to a weak hashing function.
Symptoms:
Security scans on VIDM Appliance may report the below:
"The SSH server supports cryptographically weak Hash-Based Message Authentication Codes (HMACs)"
The scan report will also list the insecure algorithms that it may have found e.g.
Insecure algorithms in use:
- [email protected]
- hmac-sha1
Environment
VMware Identity Manager 3.3.x
Cause
SSH MAC algorithms are used to validate data integrity and authenticity.
The MAC algorithm uses a message and private key to generate the fixed-length MAC.
MAC algorithms may be considered weak for the following reasons:
- A known weak hashing function is used (MD5)
- The digest length is too small (Less than 128 bits)
- The tag size is too small (Less than 128 bits)
Resolution
If you are running a cluster deployment, repeat the below steps on all additional nodes of the cluster.
- Backup the config files
- cp /etc/ssh/ssh_config /etc/ssh/ssh_config.old
- cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
- Open the below config files one by one
- vim /etc/ssh/ssh_config
- vim /etc/ssh/sshd_config
- Remove the below MAC’s and save the config files
- [email protected]
- hmac-sha1
- Restart the SSHD service.
- systemctl restart sshd
Feedback
Yes
No
Powered by
