How to fix Weak Ciphers and Keys on the Management Interface for SSH Access
Customer Vulnerability scans run on the management interface of the firewall. Sometimes these reports come back to show weak algorithms.
The failure reported is mainly due to the weak Ciphers used on the firewall.
The most common case seen is weak ssh encryption ciphers on the management interface. Sometimes called Sweet 32 or CVE-2016-2183 in the Qualys scan (picture below).
The cryptographic ciphers affected are block ciphers with a block size of 64 bits (3DES, Blowfish). These are considered to be weak and unsafe to use in a secure environment.
The article provides information on how to disable these weak ciphers and use Ciphers that are not vulnerable.
- Any Palo Alto Firewall.
- Any Panorama.
- PAN-OS 8.0 and higher.
Use the following commands in the CLI to fix the issue. Before running the commands, ensure the terminal tool you are using is fully up to date. Out of date, Putty or other Terminal Emulators can cause the connections to fail due to weak Ciphers.
> configure # delete deviceconfig system ssh # set deviceconfig system ssh ciphers mgmt aes256-ctr # set deviceconfig system ssh ciphers mgmt aes256-gcm # set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256 # set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256 # set deviceconfig system ssh session-rekey mgmt interval 3600 # set deviceconfig system ssh mac mgmt hmac-sha2-256 # set deviceconfig system ssh mac mgmt hmac-sha2-512 # commit # exit > set ssh service-restart mgmt
The first command clears the device config for SSH, and the rest of the commands configure the SSH parameters again. By running these commands, Sweet 32 and any attack that uses weak cipher vulnerabilities on the management plane are mitigated. The last command causes the connection to be reset. Re-login to the CLI again.
Cipher Key Exchange Setting:
If the scanner shows deprecated ssh key exchange values for the Key exchange algorithm as shown below, Run the commands listed below. Note that these commands can only be run on PAN-OS 9.0 and above.
> configure # delete deviceconfig system ssh kex mgmt # set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521 # commit # exit > set ssh service-restart mgmt
This should complete all changes needed to harden the management plane for ssh connections.
A rerun of the scan will show that these vulnerabilities have been mitigated.
Another way to test is to use NMAP (Zenmap on Windows) and run the script; Nmap --script ssh2-enum-algos -sV -p 22 <your_firewall_ip>
user1@Linux:~$ nmap --script ssh2-enum-algos -sV -p 22 x.y.z.q //Replace x.y.z.q with firewall management IP Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-18 15:35 PDT Nmap scan report for 10.46.161.116 Host is up (0.0059s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 12.1 (protocol 2.0) | ssh2-enum-algos: | kex_algorithms: (7) | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 | ecdh-sha2-nistp521 | diffie-hellman-group-exchange-sha256 | diffie-hellman-group14-sha1 | diffie-hellman-group-exchange-sha1 | diffie-hellman-group1-sha1 | server_host_key_algorithms: (1) | ecdsa-sha2-nistp256 | encryption_algorithms: (2) | aes256-cbc | email@example.com | mac_algorithms: (1) | hmac-sha2-512 | compression_algorithms: (2) | none |_ firstname.lastname@example.org Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds
This scan should not reveal any no weak algorithms and should display the key exchange algorithm set to a secure algorithm.
Disabling weak ciphers for web GUI access is not working