How to fix Weak Ciphers and Keys on the Management Interface for SSH Access
Objective
When Vulnerability Scans are run against the management interface of a PAN-OS device, they may come back with weak kex (key exchange) or weak cipher findings for the SSH service.
This article provides information on how to harden the SSH service running on the management interface by disabling weak ciphers and weak kex (key exchange) algorithms.
Note
- If the device on which the SSH settings are being modified is part of a High-Availability (HA) configuration, Follow the instructions specific to HA in this article.
- If SSH connectivity to a Passive firewall is lost after following this procedure, please refer to the recovery steps described in the following document:
- In a HA Pair Secondary Firewalls SSH connectivity(Management Port) is lost after disable of Weak Ciphers on Primary Firewall
- For PAN-OS 10.0 and above Refer Commands to Fix Weak Ciphers not working in 10.0
Environment
- Any Palo Alto Firewall.
- Any Panorama.
- PAN-OS 8.0, 9.0 and 9.1
For PAN-OS 10.0 and above Refer Commands to Fix Weak Ciphers not working in 10.0
Procedure
Ensure the terminal tool you are using is up to date. Out of date, PuTTY or other Terminal Emulators can cause the SSH connection to fail due to unsupported ciphers. outdated terminal emulators may not be compatible with the newer ciphers offered by PAN-OS).
- For PAN-OS 8,0, Refer to #SSH80
- For PAN-OS 8.1, Refer to #SSH81
- For PAN-OS 9.0 and above, Refer to #SSH9
- For PAN-OS 10.0 and above Refer Commands to Fix Weak Ciphers not working in 10.0
Use the following CLI commands to resolve the issue:
Important :
If the Firewall/Panorama are in High-Availability mode then make sure SSH/Console sessions to both firewalls are open at the same time.
PAN-OS 8.0 and above
Configure the below on Active Firewall.
> configure
# delete deviceconfig system ssh
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes256-gcm
# set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
# set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
# set deviceconfig system ssh session-rekey mgmt interval 3600
# set deviceconfig system ssh mac mgmt hmac-sha2-256
# set deviceconfig system ssh mac mgmt hmac-sha2-512
# commit
# exit
For Standalone device run the below command on CLI
> set ssh service-restart mgmt
For Devices in HA, make sure ssh session to both devices are open and make sure they are not timed-out.
Run the below command on Active to sync the ssh settings with the peer.
> request high-availability sync-to-remote running-config
Check on the Passive to see if the "Synchronize HA Peer" job is complete. Can check it using GUI > Tasks or command "show jobs all"Then on the Passive CLI run the below command to restart SSH.
> set ssh service-restart mgmt
The first command clears the device config for SSH, and the rest of the commands configure the SSH parameters again. By running these commands, Sweet32 and any attack that uses weak cipher vulnerabilities on the management plane are mitigated. The last command causes the connection to be reset. Re-login to the CLI again.
Cipher Key Exchange Setting:
If the scanner shows deprecated ssh key exchange values for the Key exchange algorithm as shown below, Run the commands listed below.
For 8.1 (8.1.19 and later 8.1 versions):
Below commands to prune weak kex algorithms has been introduced in 8.1.19, note that this command has to be re-applied after a reboot.
> debug system ssh-kex-prune ciphers [ diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 ]
- Note spaces must be after the [ and before the ] in the command.
- This will then confirm a response showing the new list of active keys.
> set ssh service-restart mgmt
Note: Because the debug command is not a configuration command, you need to include all ciphers you want to disable in the single command, as shown above. This will also need to be done every time you want to add or remove a cipher (the complete updated list of all ciphers you want to disable in the single command).
For 9.0 and above:
Below commands can only be run on PAN-OS 9.0 and above:
> configure
# delete deviceconfig system ssh kex mgmt
# set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521
# commit
# exit
For Standalone device run the below command on CLI , this is only required for 9.0 and above:
> set ssh service-restart mgmt
For Devices in HA (only for PAN-OS 9.0 and above), make sure ssh session to both devices are open and make sure they are not timed-out.Run the below command on Active to syn the ssh settings with the peer.
> request high-availability sync-to-remote running-config
Check on the Passive to see if the "Synchronize HA Peer" job is complete. Can check it using GUI > Tasks or command "show jobs all"Then on the Passive Device CLI run the below command to restart SSH.
> set ssh service-restart mgmt
This should complete all changes needed to harden the management plane for ssh connections.
Testing:
A rerun of the scan will show that these vulnerabilities have been mitigated.
Another way to test is to use NMAP (Zenmap on Windows) and run the script; Nmap --script ssh2-enum-algos -sV -p 22 <your_firewall_ip>
Example:
user1@Linux:~$ nmap --script ssh2-enum-algos -sV -p 22 x.y.z.q //Replace x.y.z.q with firewall management IP
Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-18 15:35 PDT
Nmap scan report for 10.46.161.116
Host is up (0.0059s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 12.1 (protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms: (7)
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group14-sha1
| diffie-hellman-group-exchange-sha1
| diffie-hellman-group1-sha1
| server_host_key_algorithms: (1)
| ecdsa-sha2-nistp256
| encryption_algorithms: (2)
| aes256-cbc
| aes256-gcm@openssh.com
| mac_algorithms: (1)
| hmac-sha2-512
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds
This scan should not reveal any no weak algorithms and should display the key exchange algorithm set to a secure algorithm.
Additional Information
Disabling weak ciphers for web GUI access is not working
Refresh SSH Keys and Configure Key Options for Management Interface Connection
- Located under Section: (Optional) Remove weak key exchange algorithms (which are vulnerable to attack) from SSH to the management interface.