How to fix Weak Ciphers and Keys on the Management Interface for SSH Access

How to fix Weak Ciphers and Keys on the Management Interface for SSH Access

41076
Created On 10/18/19 13:11 PM - Last Modified 07/13/21 15:01 PM


Objective

Customer Vulnerability scans run on the management interface of the firewall. Sometimes these reports come back to show weak algorithms.
The failure reported is mainly due to the weak Ciphers used on the firewall.
The most common case seen is weak ssh encryption ciphers on the management interface. Sometimes called Sweet 32 or CVE-2016-2183 in the Qualys scan (picture below).

The cryptographic ciphers affected are block ciphers with a block size of 64 bits (3DES, Blowfish). These are considered to be weak and unsafe to use in a secure environment.

The article provides information on how to disable these weak ciphers and use Ciphers that are not vulnerable.


User-added image



 

 



Environment
  • Any Palo Alto Firewall.
  • Any Panorama.
  • PAN-OS 8.0 and higher.

 


Procedure
Use the following commands in the CLI to fix the issue. Before running the commands, ensure the terminal tool you are using is fully up to date. Out of date, Putty or other Terminal Emulators can cause the connections to fail due to weak Ciphers.
> configure
# delete deviceconfig system ssh
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes256-gcm
# set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
# set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
# set deviceconfig system ssh session-rekey mgmt interval 3600
# set deviceconfig system ssh mac mgmt hmac-sha2-256
# set deviceconfig system ssh mac mgmt hmac-sha2-512

# commit

# exit
> set ssh service-restart mgmt

The first command clears the device config for SSH, and the rest of the commands configure the SSH parameters again. By running these commands, Sweet 32 and any attack that uses weak cipher vulnerabilities on the management plane are mitigated. The last command causes the connection to be reset. Re-login to the CLI again. 



Cipher Key Exchange Setting:
If the scanner shows deprecated ssh key exchange values for the Key exchange algorithm as shown below, Run the commands listed below. Note that these commands can only be run on PAN-OS 9.0 and above.

User-added image
User-added image

 

> configure
# delete deviceconfig system ssh kex mgmt
# set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521
# commit

# exit
> set ssh service-restart mgmt
 

This should complete all changes needed to harden the management plane for ssh connections.

Testing:

A rerun of the scan will show that these vulnerabilities have been mitigated. 
Another way to test is to use NMAP (Zenmap on Windows) and run the script; Nmap --script ssh2-enum-algos -sV -p 22 <your_firewall_ip>


Example:

user1@Linux:~$ nmap --script ssh2-enum-algos -sV -p 22 x.y.z.q  //Replace x.y.z.q with firewall management IP

Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-18 15:35 PDT
Nmap scan report for 10.46.161.116
Host is up (0.0059s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 12.1 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (7)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (1)
|       ecdsa-sha2-nistp256
|   encryption_algorithms: (2)
|       aes256-cbc
|       aes256-gcm@openssh.com
|   mac_algorithms: (1)
|       hmac-sha2-512
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds
 This scan should not reveal any no weak algorithms and should display the key exchange algorithm set to a secure algorithm.


Additional Information
Disabling weak ciphers for web GUI access is not working

Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN5bCAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language