VNX: Qualsys scan flagging QID 38739 - Deprecated SSH Cryptographic Settings (User Correctable)
Summary: VNX: Qualsys scan flagging QID 38739 - Deprecated SSH Cryptographic Settings (User Correctable)
Symptoms
Qualsys scan picks up the following QID:
QID 38739 - Deprecated SSH Cryptographic Settings
Cause
Resolution
There are a couple possible reasons this QID can flag. There should be specific reasons listed in the scan that should clarify why its coming up.
The first reason that can flag is due to the SSH cipher list. By default on some versions of code older arcfour and blowfish ciphers are in the cipher list.
How to check and modify the current cipher list:
1. su to root
2. Run this command:
grep -i cipher /etc/ssh/sshd_config
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
3. vi the file and modify the cipher list in /etc/ssh/sshd_config so only the ctr based ciphers remain.
You should end up with a Cipher line like this:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Or like this if you want to still support cbc based ciphers:
Ciphers aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc
4.Save the file, then restart sshd
/sbin/service sshd restart
If the scan calls out an unsupported key exchange algorithm:
Generally the scan will flag this QID on a VNX due to us supporting diffie-helman-group1-sha1 as a key exchange algorithm for SSH. In VNX/VNX2 code we are running older versions of OpenSSH that do not support modifying the key exchange algorithm list At the current time there is no way to remove diffie-helman-group1-sha1 and there are no plans to upgrade OpenSSH to allow that support (The KexAlgorithms option does not exist in our OpenSSH version. In newer versions of OpenSSH it can be set in sshd_conf to specify what key exchange algorithms can be used). Diffie-helman-group1-sha1 does not have any known vulnerabilities in SSH currently and the only potential issue is the smaller 1024 bit key size. There is a known vulnerability in TLS regarding diffie-helman-group1-sha1 ( CVE-2015-4000) but that is already being mitigated in httpd.conf by disabling export ciphers and does not apply to SSH.
At the moment there is no way to disable diffie-helman-group1-sha1 as a key exchange algorithm for SSH and there are no plans to add that functionality. It can be restricted on the client side, but there is no way to disable it on the control station's SSH server.
Additional Information
| https://downloads.dell.com/TranslatedPDF/PT-BR_KB535545.pdf |
| https://downloads.dell.com/TranslatedPDF/ZH-CN_KB535545.pdf |
| https://downloads.dell.com/TranslatedPDF/AR-EG_KB535545.pdf |
| https://downloads.dell.com/TranslatedPDF/DE_KB535545.pdf |
| https://downloads.dell.com/TranslatedPDF/ES_KB535545.pdf |
| https://downloads.dell.com/TranslatedPDF/FR_KB535545.pdf |
| https://downloads.dell.com/TranslatedPDF/KO_KB535545.pdf |
| https://downloads.dell.com/TranslatedPDF/JA_KB535545.pdf |
| https://downloads.dell.com/TranslatedPDF/IT_KB535545.pdf |
| https://downloads.dell.com/TranslatedPDF/NL_KB535545.pdf |
| https://downloads.dell.com/TranslatedPDF/PT_KB535545.pdf |
| https://downloads.dell.com/TranslatedPDF/RU_KB535545.pdf |
| https://downloads.dell.com/TranslatedPDF/SV_KB535545.pdf |