Security scans may report the SHA-1 vulnerability (QID-38909) in VMware Identity Manager (vIDM).
SHA-1's main vulnerability lies in its weak collision resistance, meaning attackers can potentially generate two distinct inputs that result in the same hash value. As a result, it is strongly recommended to disable SHA-1 on Security Analytics systems.
This issue affects vIDM Appliance versions 3.3.x.
To mitigate the SHA-1 vulnerability, perform the following steps:
Backup Configuration Files
Log in as root and back up the SSH configuration files:
cp /etc/ssh/ssh_config /etc/ssh/ssh_config.old
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
Edit SSH Configuration Files
Open the SSH configuration files for editing:
vim /etc/ssh/ssh_config
vim /etc/ssh/sshd_config
Remove Weak MAC Algorithms
In both files, locate and remove hmac-sha1 (see below) from the MACs line.
Disable Host Key Algorithm
Comment out the HostKey /etc/ssh/ssh_host_rsa_key line by adding a # at the beginning of the line. The resulting line should look like this:
#HostKey /etc/ssh/ssh_host_rsa_key
Add ecdsa and ed25519 as HostKey parameters. Add these as new lines at the bottom of the config file:
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Restart SSH Service
Apply the changes by restarting the SSH service:
systemctl restart sshd
vIDM engineering has confirmed that the appliance does not use SHA-1 on version 3.3.7.
This can be validated in the config file /etc/ssh/sshd_config.
The engineering team confirmed that it uses only SHA-2, based on the snippet below:
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
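The edit steps above (strip SHA-1 MACs, comment out the RSA HostKey, add ecdsa/ed25519 HostKeys) and the validation of sshd_config, as an added example that is not part of the KB or of the vIDM appliance. The config fragment is constructed for illustration; treating the -96 and -etm variants of hmac-sha1 and the ssh-rsa/ssh-dss names as SHA-1 based is an assumption beyond what the KB lists.

```python
# Constructed sshd_config fragment modelled on the KB steps; it is NOT the
# appliance's real file. Line 2 is the RSA HostKey the KB says to comment out.
SAMPLE_SSHD_CONFIG = """\
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512,hmac-sha1,hmac-sha2-256,hmac-sha1-96
"""

# MAC names built on SHA-1 (the KB names hmac-sha1; the -96 and -etm variants
# use the same primitive and are included here as an assumption).
WEAK_MACS = {"hmac-sha1", "hmac-sha1-96",
             "hmac-sha1-etm@openssh.com", "hmac-sha1-96-etm@openssh.com"}
# Algorithm names that sign with SHA-1 without saying so in the name.
IMPLICIT_SHA1 = {"ssh-rsa", "ssh-dss"}
RSA_HOSTKEY = "HostKey /etc/ssh/ssh_host_rsa_key"
NEW_HOSTKEYS = ["HostKey /etc/ssh/ssh_host_ecdsa_key",
                "HostKey /etc/ssh/ssh_host_ed25519_key"]
ALGO_KEYS = ("MACs", "KexAlgorithms", "HostKeyAlgorithms", "Ciphers")


def harden_ssh_config(text):
    """Apply the KB edits: drop SHA-1 MACs from the MACs line, comment out the
    RSA HostKey, and append the ecdsa/ed25519 HostKey lines (idempotent)."""
    out = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "MACs":
            kept = [m for m in value.split(",") if m.strip() not in WEAK_MACS]
            if not kept:  # an empty MACs value would stop sshd from starting
                raise ValueError("MACs line would be empty after removing SHA-1")
            line = "MACs " + ",".join(kept)
        elif line.strip() == RSA_HOSTKEY:
            line = "#" + line.strip()
        out.append(line)
    for hk in NEW_HOSTKEYS:  # only add what is still missing
        if hk not in out:
            out.append(hk)
    return "\n".join(out) + "\n"


def sha1_findings(text):
    """Validation step: every active (uncommented) entry on a MACs, KexAlgorithms,
    HostKeyAlgorithms or Ciphers line that still relies on SHA-1."""
    found = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, _, value = stripped.partition(" ")
        if key in ALGO_KEYS:
            found += [a for a in value.split(",")
                      if "sha1" in a.lower() or a in IMPLICIT_SHA1]
    return found
```

Run sha1_findings over the appliance's /etc/ssh/sshd_config after the restart; an empty list is the result the KB's validation step expects.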