OpenSSH vulnerability CVE-2023-48795 in VCSA
Article ID: 376844

Products

VMware vCenter Server 7.0, VMware vCenter Server 8.0

Issue/Introduction

Vulnerability scanners report the OpenSSH vulnerability CVE-2023-48795 against vCenter Server.

Environment

VMware vCenter Server 8.0

VMware vCenter Server 7.0

Cause

OpenSSH has been identified as affected by the vulnerability below:

https://nvd.nist.gov/vuln/detail/CVE-2023-48795

Resolution

Follow the steps below to mitigate this vulnerability.

  • Log in to the vCenter Server Appliance using SSH.
  • Obtain the existing list of ciphers, MACs and KEX algorithms (see the "Before fix" example under Additional Information).
  • Take a backup of the sshd configuration file: cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bkp
  • Open the configuration file in the vi editor: vi /etc/ssh/sshd_config
  • Navigate to the Ciphers, MACs and KexAlgorithms lines.
  • Remove the entries below from those lines:

 1. [email protected]
 2. [email protected]
 3. [email protected]
 4. [email protected]
 5. [email protected]

  • Save the file.
  • Restart the sshd service: systemctl restart sshd
  • Check the output of sshd -T | grep -i "ciphers\|macs\|kexalgorithms"; the removed ciphers and MACs should no longer appear in the output.

If the sshd service fails to restart, compare the modified file with the backup file for typos.
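As an added example, not part of this KB or of the appliance's own tooling, the following POSIX shell helpers perform the edit from the steps above on an sshd_config and then check sshd -T output for leftover entries. The algorithm names in DROP are an assumption taken from the public CVE-2023-48795 description and should be cross-checked against the list in the Resolution section; the sample configuration is constructed.

```shell
# Added example, not part of the KB: strip named algorithms from the Ciphers, MACs and
# KexAlgorithms lines of an sshd_config, then check `sshd -T` output for leftovers.
# Tokens are compared whole, so "hmac-sha2-256" is never mistaken for a hit on
# "hmac-sha2-256-etm@openssh.com", which a plain sed substitution would get wrong.

# Assumption: the algorithms named in the public CVE-2023-48795 (Terrapin) description.
# Cross-check DROP against the entries listed in the KB's Resolution section.
DROP='chacha20-poly1305@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com'

# Constructed sample modelled on the KB's "before fix" listing; not a real appliance's file.
SAMPLE_CONFIG='# Ciphers and keying
KexAlgorithms   ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group16-sha512
MACs    hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
PermitRootLogin no'

# strip_algos "<comma list>" < config  -> config on stdout with those tokens removed.
# Keywords are matched case-insensitively, so it also works on `sshd -T` output.
strip_algos() {
  awk -v drop="$1" '
    BEGIN { n = split(drop, d, ","); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
    tolower($1) ~ /^(ciphers|macs|kexalgorithms)$/ {
      out = ""; m = split($2, a, ",")
      for (i = 1; i <= m; i++) if (!(a[i] in bad)) out = out (out == "" ? "" : ",") a[i]
      # An empty directive stops sshd from starting; comment it out so defaults apply.
      if (out == "") print "# " $0; else print $1, out
      next
    }
    { print }'
}

# find_algos "<comma list>" < config  -> one "Keyword: algo" line per token still present.
# Run it on `sshd -T` output after the restart; no output means the change took effect.
find_algos() {
  awk -v drop="$1" '
    BEGIN { n = split(drop, d, ","); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
    tolower($1) ~ /^(ciphers|macs|kexalgorithms)$/ {
      m = split($2, a, ","); for (i = 1; i <= m; i++) if (a[i] in bad) print $1 ": " a[i]
    }'
}

# On an appliance the same functions slot into the KB's steps; `sshd -t -f` validates
# the new file before it replaces the live one:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bkp
#   strip_algos "$DROP" < /etc/ssh/sshd_config.bkp > /etc/ssh/sshd_config.new
#   sshd -t -f /etc/ssh/sshd_config.new && mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
#   systemctl restart sshd && sshd -T | find_algos "$DROP"

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_CONFIG" | strip_algos "$DROP"
```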

Additional Information

Example:

Before fix:

Ciphers, MACs and KEX algorithms as reported by sshd -T:

root [ ~ ]# sshd -T | grep -i "ciphers\|macs\|kexalgorithms"
ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
macs hmac-sha2-256,hmac-sha2-512,[email protected],[email protected]
kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

Content of the sshd_config file (in this example only two affected MACs are present; if you find any of the other listed entries, remove them as well):

root [ ~ ]# egrep -i "ciphers|macs|kexalgorithms" /etc/ssh/sshd_config
# Ciphers and keying
KexAlgorithms   ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
MACs    hmac-sha2-256,hmac-sha2-512,[email protected],[email protected]
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]

 

After fix:

Content of the sshd_config file:

root [ ~ ]#  egrep -i "ciphers|macs|kexalgorithms" /etc/ssh/sshd_config
# Ciphers and keying
KexAlgorithms   ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
MACs    hmac-sha2-256,hmac-sha2-512
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]

Ciphers, MACs and KEX algorithms as reported by sshd -T:

root [ ~ ]#  sshd -T | grep -i "ciphers\|macs\|kexalgorithms"
ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
macs hmac-sha2-256,hmac-sha2-512
kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256