How to address security vulnerability 71049 SSH Server Weak mac algorithms enabled

Symptoms
A security scanner reports that the SSH server is configured to allow MD5-based or 96-bit (truncated) MAC algorithms, both of which are considered weak. The finding is reported as:

71049 SSH Server Weak mac algorithms enabled
Environment
Software Release: NOS 6.0.1
Fixed in Version: N/A
Cause
The SSH server's MAC list includes an MD5-based MAC or a MAC truncated to 96 bits (the standard algorithm names are hmac-md5, hmac-md5-96 and hmac-sha1-96).
Resolution
Configure the SSH server and the SSH client with a MAC list that contains only stronger algorithms, then shut down and re-enable the SSH server so the new list takes effect. Use the restart form that matches the VRF the SSH server runs in. Shutting down the SSH server may terminate existing SSH management sessions, so run the procedure from the console or be prepared to reconnect.
  • If the SSH server is configured using the mgmt-vrf (the default setting):
    sw0# conf t
    Entering configuration mode terminal
    sw0(config)# rb 1
    sw0(config-rbridge-id-1)# ssh server mac hmac-sha1,hmac-sha2-256,hmac-sha2-512
    sw0(config-rbridge-id-1)# ssh client mac hmac-sha1,hmac-sha2-256,hmac-sha2-512
    sw0(config-rbridge-id-1)#
    sw0(config-rbridge-id-1)# do show ssh server status
    rbridge-id 1:SSH server status:Enabled
    rbridge-id 1:SSH Server Cipher: aes192-cbc,aes128-ctr
    rbridge-id 1:SSH Server Mac : hmac-sha1,hmac-sha2-256,hmac-sha2-512
    sw0(config-rbridge-id-1)# do show ssh client status
    rbridge-id 1:SSH Client Cipher: aes192-cbc,aes128-ctr
    rbridge-id 1:SSH Client Mac : hmac-sha1,hmac-sha2-256,hmac-sha2-512
    sw0(config-rbridge-id-1)#
    sw0(config-rbridge-id-1)# ssh server shutdown     
    sw0(config-rbridge-id-1)# no ssh server shutdown  
    sw0(config-rbridge-id-1)#
    sw0(config-rbridge-id-1)# do show ssh server status
    rbridge-id 1:SSH server status:Enabled
    rbridge-id 1:SSH Server Cipher: aes192-cbc,aes128-ctr
    rbridge-id 1:SSH Server Mac : hmac-sha1,hmac-sha2-256,hmac-sha2-512
    sw0(config-rbridge-id-1)# do show ssh client status
    rbridge-id 1:SSH Client Cipher: aes192-cbc,aes128-ctr
    rbridge-id 1:SSH Client Mac : hmac-sha1,hmac-sha2-256,hmac-sha2-512
    sw0(config-rbridge-id-1)#
    
  • If the SSH server is configured using the default-vrf:
    sw0# conf t
    Entering configuration mode terminal
    sw0(config)# rb 1
    sw0(config-rbridge-id-1)# ssh server mac hmac-sha1,hmac-sha2-256,hmac-sha2-512
    sw0(config-rbridge-id-1)# ssh client mac hmac-sha1,hmac-sha2-256,hmac-sha2-512
    sw0(config-rbridge-id-1)# 
    sw0(config-rbridge-id-1)# do show ssh server status
    rbridge-id 1:SSH server status:Enabled
    rbridge-id 1:SSH Server Cipher: aes192-cbc,aes128-ctr
    rbridge-id 1:SSH Server Mac : hmac-sha1,hmac-sha2-256,hmac-sha2-512
    sw0(config-rbridge-id-1)# do show ssh client status
    rbridge-id 1:SSH Client Cipher: aes192-cbc,aes128-ctr
    rbridge-id 1:SSH Client Mac : hmac-sha1,hmac-sha2-256,hmac-sha2-512
    sw0(config-rbridge-id-1)#
    sw0(config-rbridge-id-1)# ssh server use-vrf default-vrf shutdown     
    sw0(config-rbridge-id-1)# no ssh server use-vrf default-vrf shutdown  
    sw0(config-rbridge-id-1)#
    sw0(config-rbridge-id-1)# do show ssh server status
    rbridge-id 1:SSH server status:Enabled
    rbridge-id 1:SSH Server Cipher: aes192-cbc,aes128-ctr
    rbridge-id 1:SSH Server Mac : hmac-sha1,hmac-sha2-256,hmac-sha2-512
    sw0(config-rbridge-id-1)# do show ssh client status
    rbridge-id 1:SSH Client Cipher: aes192-cbc,aes128-ctr
    rbridge-id 1:SSH Client Mac : hmac-sha1,hmac-sha2-256,hmac-sha2-512
    sw0(config-rbridge-id-1)#
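
To check a switch's reported MAC lists against the criteria of this finding before and after the change, the following script is an added example; it is not part of this article and not NOS code. It parses the text of "show ssh server status" and "show ssh client status", flags MD5-based and 96-bit truncated MACs, and prints the CLI lines from the procedure above for the chosen VRF. The "before" output that still contains weak MACs is constructed for illustration (the article only shows the remediated state); the "after" output is copied from the article.

```python
"""Audit NOS 'show ssh server/client status' output for weak SSH MACs.

Added example, not part of the original article or of Brocade NOS.
The weak-MAC criteria mirror the scanner finding: any MAC based on MD5,
and any MAC whose tag is truncated to 96 bits (the '-96' suffix).
"""
import re
from typing import Dict, List

# Constructed "before" state (hypothetical): what a scanner would flag.
BEFORE = """\
rbridge-id 1:SSH server status:Enabled
rbridge-id 1:SSH Server Cipher: aes192-cbc,aes128-ctr
rbridge-id 1:SSH Server Mac : hmac-md5,hmac-sha1-96,hmac-sha1
"""

# "After" state copied from the article's remediation output.
AFTER = """\
rbridge-id 1:SSH server status:Enabled
rbridge-id 1:SSH Server Cipher: aes192-cbc,aes128-ctr
rbridge-id 1:SSH Server Mac : hmac-sha1,hmac-sha2-256,hmac-sha2-512
"""

# Matches e.g. "rbridge-id 1:SSH Server Mac : hmac-sha1,hmac-sha2-256"
LINE_RE = re.compile(r"^rbridge-id (\d+):SSH (Server|Client) (Cipher|Mac)\s*:\s*(.*)$")


def parse_status(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse status lines into {'1': {'server_mac': [...], 'server_cipher': [...], ...}}."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rb, side, kind, algos = m.groups()
        key = f"{side.lower()}_{kind.lower()}"
        out.setdefault(rb, {})[key] = [a.strip() for a in algos.split(",") if a.strip()]
    return out


def is_weak_mac(name: str) -> bool:
    """True for the MACs the finding describes: MD5-based or 96-bit truncated."""
    n = name.lower()
    if "md5" in n:
        return True
    # The 96-bit truncation marker sits before any '@domain' suffix
    # (e.g. hmac-sha1-96 or hmac-sha1-96-etm@openssh.com).
    base = n.split("@", 1)[0]
    return base.endswith("-96") or "-96-" in base


def weak_macs(macs: List[str]) -> List[str]:
    return [m for m in macs if is_weak_mac(m)]


def audit(text: str) -> Dict[str, List[str]]:
    """Return {'<rbridge>/<side>': [weak MACs]} for every MAC list that still
    offers a weak algorithm; an empty dict means the finding is addressed."""
    findings: Dict[str, List[str]] = {}
    for rb, entries in parse_status(text).items():
        for key, algos in entries.items():
            if key.endswith("_mac"):
                bad = weak_macs(algos)
                if bad:
                    findings[f"{rb}/{key.split('_')[0]}"] = bad
    return findings


def remediation(rbridge: str, macs: List[str], vrf: str = "mgmt-vrf") -> List[str]:
    """CLI lines, as in the article's procedure, that set the MAC list on
    server and client and bounce the server. 'vrf' picks the mgmt-vrf or
    default-vrf form of the shutdown command."""
    mac_list = ",".join(macs)
    restart = "ssh server shutdown" if vrf == "mgmt-vrf" else f"ssh server use-vrf {vrf} shutdown"
    return [
        "conf t",
        f"rb {rbridge}",
        f"ssh server mac {mac_list}",
        f"ssh client mac {mac_list}",
        restart,
        f"no {restart}",
        "do show ssh server status",
        "do show ssh client status",
    ]


if __name__ == "__main__":
    print("before:", audit(BEFORE))   # weak MACs still offered
    print("after: ", audit(AFTER))    # {} once remediated
    print("\n".join(remediation("1", ["hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"], "default-vrf")))
```

Paste the output of both "show" commands into the script (or read it from a file) to confirm that neither the server nor the client list still carries a flagged algorithm; the scanner only sees the server list, but the client list matters when the switch initiates SSH to other devices.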
    

     
Additional notes
Upgrade the software to NOS 6.0.1 or later, which adds the ability to configure the SSH MAC list, and reconfigure the SSH server and client with the stronger MAC algorithms:

hmac-sha1, hmac-sha2-256, and hmac-sha2-512.

Note that hmac-sha1 uses the full 160-bit SHA-1 tag and is not one of the algorithms this finding reports; if your security baseline also excludes SHA-1, configure only hmac-sha2-256,hmac-sha2-512. The cipher list in the output above still includes aes192-cbc; CBC-mode ciphers are reported by a separate scanner check, so expect a second finding unless the cipher list is also restricted to the CTR ciphers.
