Weak MAC algorithms are not disabled in SSH communications
Description
The SSH (Secure Shell) protocol allows you to connect to a remote Linux system securely using a variety of SSH clients. The MACs (Message Authentication Code) setting specifies the algorithms that are used to protect the integrity and authenticity of the messages exchanged over SSH communications. Weak MAC algorithms could be easily cracked and must therefore be disabled. Fixing this misconfiguration will remove weak MAC algorithms such as hmac-md5, hmac-md5-96, hmac-ripemd160, hmac-sha1, hmac-sha1-96, umac-64@openssh.com, umac-128@openssh.com, hmac-md5-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-etm@openssh.com, hmac-sha1-96-etm@openssh.com, umac-64-etm@openssh.com, umac-128-etm@openssh.com.
Severity
critical
Category
Linux Secure Shell
Resolution
Follow the steps below to resolve the misconfiguration.
Edit the /etc/ssh/sshd_config file and add or modify the MACs line so that it contains a comma-separated list of the site-approved MACs.
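To confirm the edit took effect, the following added example (not part of the vendor's tooling) checks sshd configuration text against the weak MAC list given in the description. The function name `find_weak_macs` and the sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Weak MACs, copied from the list in the description above.
WEAK_MACS="hmac-md5 hmac-md5-96 hmac-ripemd160 hmac-sha1 hmac-sha1-96 \
umac-64@openssh.com umac-128@openssh.com hmac-md5-etm@openssh.com \
hmac-md5-96-etm@openssh.com hmac-ripemd160-etm@openssh.com \
hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com \
umac-64-etm@openssh.com umac-128-etm@openssh.com"

# find_weak_macs (hypothetical helper): reads sshd configuration text on
# stdin, either /etc/ssh/sshd_config or the effective settings from `sshd -T`.
# Prints each weak MAC that is enabled, one per line.
# Exit status: 0 = explicit MACs list with no weak entries
#              1 = weak MACs are listed
#              2 = cannot tell from this text (no MACs line, or a +/-/^ list
#                  that modifies the built-in defaults)
find_weak_macs() {
  awk -v weak="$WEAK_MACS" '
    BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
    /^[ \t]*#/ { next }                  # skip comment lines
    { sub(/=/, " ") }                    # accept "MACs=list" and "MACs list"
    tolower($1) == "macs" && !seen {     # sshd keeps the first value it reads
      seen = 1
      if ($2 ~ /^[-+^]/) { relative = 1; next }
      m = split($2, macs, ",")
      for (i = 1; i <= m; i++)
        if (macs[i] in bad) { print macs[i]; found = 1 }
    }
    END { if (!seen || relative) exit 2; exit found ? 1 : 0 }
  '
}

# Constructed sample configuration (not taken from a real host).
SAMPLE='# constructed example
Port 22
MACs hmac-sha2-512-etm@openssh.com,hmac-sha1,umac-64@openssh.com'

printf '%s\n' "$SAMPLE" | find_weak_macs || echo "status $? (1 = weak MACs enabled)"
```

On a live system, run `sshd -T | find_weak_macs` as root: `sshd -T` prints the effective MACs list, which resolves the cases where the file alone returns status 2.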
Potential issues that may arise after applying the resolution
Altering the existing security setting may create the following impact in your network operations.
Does remediation require reboot?
No
Vulnerability Manager Plus tracks security configurations and remediates misconfigurations in your network systems from a centralized console. View a list of all the security misconfigurations detected by Vulnerability Manager Plus.