Vulnerability scanners report the OpenSSH vulnerability CVE-2023-48795 on appliances.

VMware vCenter Server 8.x
VMware vCenter Server 7.x
VIO 7.x
Photon OS 3.0/4.0

OpenSSH has been identified with this vulnerability: CVE-2023-48795 Detail

Currently, there is no fix available in appliances that use Photon OS 3.0 and Photon OS 4.0. 

To mitigate the vulnerability, follow the below steps,

1. Login to the Photon OS host (vCenter etc.) using SSH
2. Obtain the existing list of ciphers, macs and kexalgorithms.
3. Take a backup of the sshd config file -- cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bkp
4. Open the config file using vi editor --  vi /etc/ssh/sshd_config
5. Navigate to the lines that has the ciphers, macs and kexalgorithms
6. Remove the below entries from the lines
   
   [email protected]
   [email protected]
   [email protected]
   [email protected]
   [email protected]
7. Save the file
8. Restart the sshd service  - systemctl restart sshd
9. Check output of sshd -T | grep -i "ciphers\|macs\|kexalgorithms" , removed ciphers and hams should not exists in the output.

Note: If the SSHD service fails to restart, review the file with the backup file and modified file for potential typos

Example:

Before fix:

Existing ciphers, macs and kexalgorithms.

root [ ~ ]# sshd -T | grep -i "ciphers\|macs\|kexalgorithms"
ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
macs hmac-sha2-256,hmac-sha2-512,[email protected],[email protected]
kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

Content of SSH file: (Here it has only two impacted macs, However, if you find the other entries that are to be removed, please remove it)

root [ ~ ]# egrep -i "ciphers|macs|kexalgorithms" /etc/ssh/sshd_config
# Ciphers and keying
KexAlgorithms   ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
MACs    hmac-sha2-256,hmac-sha2-512,[email protected],[email protected]
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]

After fix:

Existing ciphers, macs and kexalgorithms.

root [ ~ ]#  egrep -i "ciphers|macs|kexalgorithms" /etc/ssh/sshd_config
# Ciphers and keying
KexAlgorithms   ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
MACs    hmac-sha2-256,hmac-sha2-512
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]

Content of SSH file:

root [ ~ ]#  sshd -T | grep -i "ciphers\|macs\|kexalgorithms"
ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
macs hmac-sha2-256,hmac-sha2-512
kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256