How to fix Weak Ciphers and Keys on the Management Interface for SSH Access

98441
Created On 10/18/19 13:11 PM - Last Modified 03/16/22 13:14 PM


Objective

Customer vulnerability scans run against the management interface of the firewall sometimes report weak key exchange (kex) algorithms and ciphers offered by SSH.

This article explains how to harden SSH access to the management interface by disabling those weak ciphers and kex algorithms.

Note
If the devices on which the SSH settings are being configured are part of an HA pair, follow the HA-specific instructions in this document.
In case SSH access to the passive firewall is lost after the procedure, follow the document below to recover it.

IN A HA PAIR, SECONDARY FIREWALL'S SSH CONNECTIVITY(MANAGEMENT PORT ) IS LOST AFTER DISABLE WEAK CIPHERS ON PRIMARY FIREWALL



Environment
  • Any Palo Alto Firewall.
  • Any Panorama.
  • PAN-OS 8.0 and higher.

 


Procedure
Use the following CLI commands to fix the issue. Before running them, ensure the terminal tool you are using is fully up to date; an out-of-date PuTTY or other terminal emulator can fail to connect because it only supports the weak ciphers being removed.
Important:
If the firewall/Panorama is in high-availability mode, make sure SSH/console sessions to both firewalls are open at the same time.
Configure the following on the active firewall.
> configure
# delete deviceconfig system ssh
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes256-gcm
# set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
# set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
# set deviceconfig system ssh session-rekey mgmt interval 3600
# set deviceconfig system ssh mac mgmt hmac-sha2-256
# set deviceconfig system ssh mac mgmt hmac-sha2-512

# commit

# exit
For a standalone device, run the following command in the CLI:
> set ssh service-restart mgmt

For devices in HA, make sure SSH sessions to both devices are open and have not timed out.
Run the following command on the active device to sync the SSH settings to the peer:
> request high-availability sync-to-remote running-config
Check on the passive device that the "Synchronize HA Peer" job has completed, either in the GUI under Tasks or with the command "show jobs all".
Then, on the passive device CLI, run the following command to restart SSH:
> set ssh service-restart mgmt

The first command clears the device configuration for SSH, and the remaining commands configure the SSH parameters again. Running these commands mitigates SWEET32 and any other attack that relies on weak ciphers on the management plane. The last command resets the SSH connection, so log in to the CLI again.



Cipher Key Exchange Setting:
If the scanner reports deprecated SSH key exchange algorithms, run the commands listed below.

For 8.1 (8.1.19 and later 8.1 versions):

The following command to prune weak kex algorithms was introduced in 8.1.19. Note that this command has to be re-applied after a reboot.

> debug system ssh-kex-prune ciphers [ diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 ]
  • Note that there must be a space after the [ and before the ] in the command.
  • The command then confirms the change by showing the new list of active key exchange algorithms.

 

> set ssh service-restart mgmt

Note: Because the debug command is not a configuration command, you need to include all the ciphers you want to disable in the single command, as shown above. This also has to be repeated every time you want to add or remove a cipher, giving the complete updated list of all ciphers you want disabled in that single command.

For 9.0 and above:

The following commands can only be run on PAN-OS 9.0 and above:

> configure
# delete deviceconfig system ssh kex mgmt
# set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521
# commit

# exit

 

For a standalone device, run the following command in the CLI (this is only required for 9.0 and above):
> set ssh service-restart mgmt
For devices in HA (only for PAN-OS 9.0 and above), make sure SSH sessions to both devices are open and have not timed out.
Run the following command on the active device to sync the SSH settings to the peer:
> request high-availability sync-to-remote running-config
Check on the passive device that the "Synchronize HA Peer" job has completed, either in the GUI under Tasks or with the command "show jobs all".
Then, on the passive device CLI, run the following command to restart SSH:
> set ssh service-restart mgmt

This should complete all changes needed to harden the management plane for ssh connections.

Testing:

A rerun of the scan will show that these vulnerabilities have been mitigated.
Another way to test is to use Nmap (Zenmap on Windows) and run the ssh2-enum-algos script: nmap --script ssh2-enum-algos -sV -p 22 <your_firewall_ip>


Example:

user1@Linux:~$ nmap --script ssh2-enum-algos -sV -p 22 x.y.z.q  //Replace x.y.z.q with firewall management IP

Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-18 15:35 PDT
Nmap scan report for 10.46.161.116
Host is up (0.0059s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 12.1 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (7)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (1)
|       ecdsa-sha2-nistp256
|   encryption_algorithms: (2)
|       aes256-cbc
|       aes256-gcm@openssh.com
|   mac_algorithms: (1)
|       hmac-sha2-512
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds
This scan should not reveal any weak algorithms and should show the key exchange algorithm set to a secure one.
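To make that check repeatable, the following added example (not part of the article or of PAN-OS) parses the ssh2-enum-algos output above and lists every weak kex algorithm, cipher and MAC the management interface still offers. The weak-algorithm lists and the sample output are constructed for this check; the three SHA-1 kex names are the ones the article's ssh-kex-prune command removes.

```python
import re

# Constructed weak lists: SHA-1 kex names from the article's prune command; CBC/3DES/RC4 ciphers
# and MD5/SHA-1/truncated MACs are what the scanners described in the article flag (SWEET32 etc.).
WEAK_KEX = {"diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1",
            "diffie-hellman-group14-sha1"}
WEAK_CIPHER_MARKERS = ("-cbc", "3des", "arcfour")
WEAK_MAC_MARKERS = ("-md5", "-sha1", "-96")

_SECTION = re.compile(r"^\|\s+(\w+_algorithms):")     # e.g. "|   kex_algorithms: (7)"
_ITEM = re.compile(r"^\|_?\s+([A-Za-z0-9@.\-]+)\s*$")  # e.g. "|       aes256-cbc"

def parse_enum_algos(output):
    """Turn 'nmap --script ssh2-enum-algos' text into {section: [algorithm, ...]}."""
    sections, current = {}, None
    for line in output.splitlines():
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and (m := _ITEM.match(line)):
            sections[current].append(m.group(1))
    return sections

def find_weak(output):
    """Return {section: [weak algorithms the server still offers]}."""
    s = parse_enum_algos(output)
    return {
        "kex_algorithms": [a for a in s.get("kex_algorithms", []) if a in WEAK_KEX],
        "encryption_algorithms": [a for a in s.get("encryption_algorithms", [])
                                  if any(k in a for k in WEAK_CIPHER_MARKERS)],
        "mac_algorithms": [a for a in s.get("mac_algorithms", [])
                           if any(k in a for k in WEAK_MAC_MARKERS)],
    }

def is_hardened(output):
    return not any(find_weak(output).values())

# Constructed sample, trimmed from the article's scan output before the kex fix.
BEFORE = """\
|   kex_algorithms: (4)
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group1-sha1
|   encryption_algorithms: (2)
|       aes256-cbc
|       aes256-gcm@openssh.com
|   mac_algorithms: (1)
|_      hmac-sha2-512
"""
```

Feed it the real scan output (for example, `find_weak(open("scan.txt").read())`) after each rerun of the scan; an empty list in every section means the change took effect.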


Additional Information

Disabling weak ciphers for web GUI access is not working

 

Refresh SSH Keys and Configure Key Options for Management Interface Connection

    • Located under Section: (Optional) Remove weak key exchange algorithms (which are vulnerable to attack) from SSH to the management interface.
