Disable SSH Cipher suite on EDR


Article ID: 389771


Updated On: 06-02-2025

Products

Endpoint Detection and Response

Issue/Introduction

After running a penetration test on the EDR system, it is recommended to disable weak SSH ciphers.

What the penetration testing report states:

Ref: https://learn.microsoft.com/en-us/answers/questions/1521860/how-to-disable-weak-cipher-protocols-and-keys-from

Description

Weak SSH ciphers refer to outdated or insecure cryptographic algorithms and encryption methods used in the SSH (Secure Shell) protocol for securing remote access to computer systems and network devices. These ciphers may have known vulnerabilities, rendering the SSH communication less secure. SSH ciphers are essential for protecting sensitive data and ensuring secure authentication during remote connections.

Impact

  • Weak SSH ciphers can expose your system to known security vulnerabilities and attacks, potentially leading to unauthorized access, data breaches, and system compromise.
  • Attackers can intercept and decipher SSH traffic encrypted with weak ciphers, exposing sensitive data and login credentials.
  • Weak ciphers increase the risk of eavesdropping by malicious actors, allowing them to capture sensitive information, such as passwords or confidential data, as it traverses the network.
  • Using weak SSH ciphers can lead to non-compliance with security standards and regulations, potentially resulting in legal and financial consequences for your organization.

Recommendations

The remediation recommendations listed below must be applied:

  • Review and update your SSH server configuration to disable weak ciphers and prioritize strong, secure encryption algorithms, following the guide below.
  • Configure your SSH server to use modern cryptographic ciphers and algorithms that are considered secure, such as AES (Advanced Encryption Standard) and SHA-2 (Secure Hash Algorithm 2).
  • Disable known weak and deprecated SSH algorithms, including older encryption methods like DES (Data Encryption Standard) and 3DES (Triple DES).
  • Keep your SSH server and client software up to date by applying security patches and updates; SSH software providers often release updates to address vulnerabilities and improve security.

Environment

EDR 4.10

Resolution

The following two insecure algorithms are disabled by 4.10 HF3:

  • CBC cipher block mode
  • SHA1 hash algorithm

Once SEDR 4.10 HF3 is applied, a reboot is required.

The following commands can be run on the EDR CLI to install Hotfix 3 for 4.10:

1. To check that the patch is available: patch list -v atp-patch3-4.10.0-1
2. To download the patch: patch download atp-patch3-4.10.0-1
3. To install: patch install atp-patch3-4.10.0-1

How to confirm whether a cipher is disabled or still in use

The -Q option of the ssh client only lists the ciphers that the client itself supports by default; it does not mean the EDR appliance allows these ciphers. To check which ciphers the server actually accepts, the following test can be performed:

Here is an example of checking which cipher algorithms the server allows for a connection:

  • nmap <EDR_IP>
  • ssh client <EDR_IP>

Here is how it looks:

~ % ssh -Q cipher -l root 10.xxx.xxx.xx
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

% ssh -c aes128-cbc -l admin 10.xxx.xxx.xx
Unable to negotiate with 10.xxx.xxx.xx port 22: no matching cipher found. Their offer: aes128-ctr,aes192-ctr,aes256-ctr

% ssh -m hmac-sha1 -l admin 10.xxx.xxx.xx
Unable to negotiate with 10.xxx.xxx.xx port 22: no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-512
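The manual probes above can be repeated for every weak algorithm at once. The script below is an added example, not part of the KB article: it runs the OpenSSH client once per CBC cipher and SHA-1 MAC and classifies the result from the "Unable to negotiate ... Their offer:" message. It assumes an OpenSSH client; the "admin" login and the appliance address are placeholders.

```shell
#!/bin/sh
# Added example (not from the KB article): probe an SSH server with each weak
# cipher/MAC and record whether it is refused, instead of trusting the client's
# "ssh -Q" list. Assumes an OpenSSH client; host and "admin" login are placeholders.

# CBC ciphers and SHA-1 MACs, which the article says 4.10 HF3 disables.
WEAK_CIPHERS="3des-cbc aes128-cbc aes192-cbc aes256-cbc"
WEAK_MACS="hmac-sha1 hmac-sha1-96"

# Pull the server's list out of an OpenSSH
# "Unable to negotiate ... Their offer: a,b,c" message (empty if absent).
parse_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *\([^ ]*\).*/\1/p'
}

# Classify ssh output: REFUSED (algorithm not negotiated), ERROR (server never
# reached), or ACCEPTED (negotiation succeeded; ssh went on to host-key/auth handling).
classify() {
    case "$1" in
        *"Unable to negotiate"*) echo REFUSED ;;
        *"Connection refused"*|*"timed out"*|*"Could not resolve"*) echo ERROR ;;
        *) echo ACCEPTED ;;
    esac
}

# True if algorithm $1 appears in the comma-separated offer $2.
offer_contains() {
    case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

# Probe one algorithm: $1 is -c (cipher) or -m (MAC), $2 the algorithm, $3 the host.
# BatchMode keeps the probe non-interactive; we never authenticate, we only
# watch whether the algorithm is negotiated.
probe() {
    out=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" "$2" -l admin "$3" exit 2>&1)
    verdict=$(classify "$out")
    if [ "$verdict" = REFUSED ]; then
        echo "REFUSED  $2 (server offers: $(parse_offer "$out"))"
    else
        echo "$verdict $2"
    fi
}

# Run every weak algorithm against one host; ACCEPTED lines need follow-up.
audit_host() {
    for c in $WEAK_CIPHERS; do probe -c "$c" "$1"; done
    for m in $WEAK_MACS;    do probe -m "$m" "$1"; done
}
# Usage: audit_host 10.xxx.xxx.xx   (placeholder EDR appliance address)
```

After the hotfix and reboot, every line should read REFUSED; an ACCEPTED line means the weak algorithm is still negotiable and the crypto policy has not taken effect.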

Also, a note shown during the patch installation states that the appliance should be rebooted. Otherwise the crypto policy is not enforced.

NOTE: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place.