ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Hardening RHEL (and RHEL Based OSs)

    Scheduled Pinned Locked Moved IT Discussion
    sshhardeninglinuxrhel
    1 Posts 1 Posters 209 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DustinB3403D
      DustinB3403
      last edited by

      For obvious reasons RHEL is annoying, like needing to sign into their paywall to find this information. If you're ever needing to harden a RHEL based OS, specifically to disable SHA1 and CBC you can use the below and reboot the server.

      These vulnerabilities are outlined below and the remedy is listed at the bottom. Mind any typo's I've copied the description out of a PDF and there may be some copy/paste artifacts or typos.

      Medium (CVSS: 5.3)
       NVT: Weak Key Exchange (KEX) Algorithm(s) Supported (SSH)
       Product detection result
       cpe:/a:ietf:secure_shell_protocol
       Detected by SSH Protocol Algorithms Supported (OID: 1.3.6.1.4.1.25623.1.0.105565
       →)
       Summary
       The remote SSH server is con gured to allow / support weak key exchange (KEX) algorithm(s).
       Quality of Detection (QoD): 80%
       Vulnerability Detection Result
       The remote SSH server supports the following weak KEX algorithm(s):
       KEX algorithm
       | Reason-----------------------------------------------
      diffie-hellman-group-exchange-sha1 | Using SHA-1
       Impact
       An attacker can quickly break individual connections.
       Solution:
       Solution type: Mitigation
       Disable the reported weak KEX algorithm(s)- 1024-bit MODP group / prime KEX algorithms:
       Alternatively use elliptic-curve Di e-Hellmann in general, e.g. Curve 25519.
       Vulnerability Insight- 1024-bit MODP group / prime KEX algorithms:
       Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman
       key exchange. Practitioners believed this was safe as long as new key exchange messages were
       generated for every connection. However, the first step in the number field sieve-the most efficient
       algorithm for breaking a Diffie-Hellman connection-is dependent only on this prime.
       A nation-state can break a 1024-bit prime.
      
       Vulnerability Detection Method
      
       Checks the supported KEX algorithms of the remote SSH server.
       Currently weak KEX algorithms are defined as the following:- non-elliptic-curve Di e-Hellmann (DH) KEX algorithms with 1024-bit MODP group / prime- ephemerally generated key exchange groups uses SHA-1- using RSA 1024-bit modulus key
       
       Details: Weak Key Exchange (KEX) Algorithm(s) Supported (SSH)
       OID:1.3.6.1.4.1.25623.1.0.150713
       Version used: 2024-06-14T05:05:48Z
       Product Detection Result
       Product: cpe:/a:ietf:secure_shell_protocol
       Method: SSH Protocol Algorithms Supported
       OID: 1.3.6.1.4.1.25623.1.0.105565)
       References
       url: https://weakdh.org/sysadmin.html
       url: https://www.rfc-editor.org/rfc/rfc9142
       url: https://www.rfc-editor.org/rfc/rfc9142#name-summary-guidance-for-implem
       url: https://www.rfc-editor.org/rfc/rfc6194
       url: https://www.rfc-editor.org/rfc/rfc4253#section-6.5
      

      And CBC

      Medium (CVSS: 4.3)
       NVT: Weak Encryption Algorithm(s) Supported (SSH)
       Product detection result
       cpe:/a:ietf:secure_shell_protocol
       Detected by SSH Protocol Algorithms Supported (OID: 1.3.6.1.4.1.25623.1.0.105565
       →)
       Summary
       The remote SSH server is con gured to allow / support weak encryption algorithm(s).
       Quality of Detection (QoD): 80%
       Vulnerability Detection Result
       The remote SSH server supports the following weak client-to-server encryption al
       →gorithm(s):
       aes128-cbc
       aes256-cbc
       The remote SSH server supports the following weak server-to-client encryption al
       →gorithm(s):
       aes128-cbc
       aes256-cbc
       Solution:
       Solution type: Mitigation
       Disable the reported weak encryption algorithm(s).
       . . . continues on next page ...
      2 RESULTS PER HOST
       6
       . . . continued from previous page ...
       Vulnerability Insight- The 'arcfour' cipher is the Arcfour stream cipher with 128-bit keys. The Arcfour cipher is
       believed to be compatible with the RC4 cipher [SCHNEIER]. Arcfour (and RC4) has problems
       with weak keys, and should not be used anymore.- The 'none' algorithm specifies that no encryption is to be done. Note that this method provides
       no confidentiality protection, and it is NOT RECOMMENDED to use it.- A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to
       recover plaintext from a block of ciphertext.
       Vulnerability Detection Method
       Checks the supported encryption algorithms (client-to-server and server-to-client) of the remote
       SSH server.
       Currently weak encryption algorithms are de ned as the following:- Arcfour (RC4) cipher based algorithms- 'none' algorithm- CBC mode cipher based algorithms
       Details: Weak Encryption Algorithm(s) Supported (SSH)
       OID:1.3.6.1.4.1.25623.1.0.105611
       Version used: 2024-06-14T05:05:48Z
       Product Detection Result
       Product: cpe:/a:ietf:secure_shell_protocol
       Method: SSH Protocol Algorithms Supported
       OID: 1.3.6.1.4.1.25623.1.0.105565)
       References
       url: https://www.rfc-editor.org/rfc/rfc8758
       url: https://www.kb.cert.org/vuls/id/958563
       url: https://www.rfc-editor.org/rfc/rfc4253#section-6.3
      

      Simply running sudo update-crypto-policies --set DEFAULT:NO-SHA1:NO-CBC and rebooting the system in question removes these vulnerabilities.

      1 Reply Last reply Reply Quote 1
      • 1 / 1
      • First post
        Last post