How to fix Weak Ciphers and Keys on the Management Interface for SSH Access

How to fix Weak Ciphers and Keys on the Management Interface for SSH Access

274223
Created On 10/18/19 13:11 PM - Last Modified 09/21/22 02:55 AM


Objective


When Vulnerability Scans are run against the management interface of a PAN-OS device, they may come back with weak kex (key exchange) or weak cipher findings for the SSH service.

This article provides information on how to harden the SSH service running on the management interface by disabling weak ciphers and weak kex (key exchange) algorithms.

Note 



Environment


  • Any Palo Alto Firewall.
  • Any Panorama.
  • PAN-OS 8.0, 9.0 and 9.1

For PAN-OS 10.0 and above Refer Commands to Fix Weak Ciphers not working in 10.0


Procedure


Ensure the terminal tool you are using is up to date. Out of date, PuTTY or other Terminal Emulators can cause the SSH connection to fail due to unsupported ciphers. outdated terminal emulators may not be compatible with the newer ciphers offered by PAN-OS).
Use the following CLI commands to resolve the issue:

Important :
If the Firewall/Panorama are in High-Availability mode then make sure SSH/Console sessions to both firewalls are open at the same time.

PAN-OS 8.0 and above
Configure the below on Active Firewall.
> configure
# delete deviceconfig system ssh
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes256-gcm
# set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
# set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
# set deviceconfig system ssh session-rekey mgmt interval 3600
# set deviceconfig system ssh mac mgmt hmac-sha2-256
# set deviceconfig system ssh mac mgmt hmac-sha2-512
# commit
# exit
For Standalone device run the below command on CLI 
> set ssh service-restart mgmt

For Devices in HA, make sure ssh session to both devices are open and make sure they are not timed-out.
Run the below command on Active to sync the ssh settings with the peer.
> request high-availability sync-to-remote running-config
Check on the Passive to see if the "Synchronize HA Peer" job is complete. Can check it using GUI > Tasks or command "show jobs all"

Then on the Passive CLI run the below command to restart SSH.
> set ssh service-restart mgmt

The first command clears the device config for SSH, and the rest of the commands configure the SSH parameters again. By running these commands, Sweet32 and any attack that uses weak cipher vulnerabilities on the management plane are mitigated. The last command causes the connection to be reset. Re-login to the CLI again. 



Cipher Key Exchange Setting:
If the scanner shows deprecated ssh key exchange values for the Key exchange algorithm as shown below, Run the commands listed below.
User-added image
User-added image

For 8.1 (8.1.19 and later 8.1 versions):

Below commands to prune weak kex algorithms has been introduced in 8.1.19, note that this command has to be re-applied after a reboot.

> debug system ssh-kex-prune ciphers [ diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 ]
  • Note spaces must be after the [ and before the ] in the command.
  • This will then confirm a response showing the new list of active keys.
> set ssh service-restart mgmt

NoteBecause the debug command is not a configuration command, you need to include all ciphers you want to disable in the single command, as shown above. This will also need to be done every time you want to add or remove a cipher (the complete updated list of all ciphers you want to disable in the single command).

For 9.0 and above:

Below commands can only be run on PAN-OS 9.0 and above:

> configure
# delete deviceconfig system ssh kex mgmt
# set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521
# commit
# exit

 

For Standalone device run the below command on CLI , this is only required for 9.0 and above:
> set ssh service-restart mgmt
For Devices in HA (only for PAN-OS 9.0 and above), make sure ssh session to both devices are open and make sure they are not timed-out.
Run the below command on Active to syn the ssh settings with the peer.
> request high-availability sync-to-remote running-config
Check on the Passive to see if the "Synchronize HA Peer" job is complete. Can check it using GUI > Tasks or command "show jobs all"
Then on the Passive Device CLI run the below command to restart SSH.
> set ssh service-restart mgmt

This should complete all changes needed to harden the management plane for ssh connections.

Testing:

A rerun of the scan will show that these vulnerabilities have been mitigated. 
Another way to test is to use NMAP (Zenmap on Windows) and run the script; Nmap --script ssh2-enum-algos -sV -p 22 <your_firewall_ip>


Example:

user1@Linux:~$ nmap --script ssh2-enum-algos -sV -p 22 x.y.z.q  //Replace x.y.z.q with firewall management IP

Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-18 15:35 PDT
Nmap scan report for 10.46.161.116
Host is up (0.0059s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 12.1 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (7)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (1)
|       ecdsa-sha2-nistp256
|   encryption_algorithms: (2)
|       aes256-cbc
|       aes256-gcm@openssh.com
|   mac_algorithms: (1)
|       hmac-sha2-512
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds
 This scan should not reveal any no weak algorithms and should display the key exchange algorithm set to a secure algorithm.
 


Additional Information


Disabling weak ciphers for web GUI access is not working

Refresh SSH Keys and Configure Key Options for Management Interface Connection

    • Located under Section: (Optional) Remove weak key exchange algorithms (which are vulnerable to attack) from SSH to the management interface.


    Actions
    • Print
    • Copy Link

      https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN5bCAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

    Choose Language