Hi,

In a recent security review some systems I manage were flagged due to supporting "weak" ciphers, specifically the ones listed below. So first question is are people generally modifying the list of ciphers supported by the ssh client and sshd?

On CentOS 6 currently it looks like if I remove all the ciphers they are concerned about then I am left with Ciphers aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and /etc/ssh/ssh_config. Is just using these three ciphers likely to cause me any problems? Could having so few ciphers be creating a security concern itself?

Thanks

The following weak client-to-server encryption algorithms are supported by the remote service:
rijndael-cbc@lysator.liu.se
arcfour256
arcfour128
aes256-cbc
3des-cbc
aes192-cbc
blowfish-cbc
cast128-cbc
arcfour
aes128-cbc

The following weak server-to-client encryption algorithms are supported by the remote service:
rijndael-cbc@lysator.liu.se
arcfour256
arcfour128
aes256-cbc
3des-cbc
aes192-cbc
blowfish-cbc
cast128-cbc
arcfour
aes128-cbc
On CentOS 7 I put the following at the end of ssh

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

I believe that prevents the CBC ciphers from being used. CentOS 6 I *think* does not support curve25519 so that one may not be an option for CentOS 6. That really should be patched in CentOS 5 and 6.

For the DH key exchange, I generate custom 2048 and 4096 DH keys

pushd /etc/ssh
ssh-keygen -G moduli-2048.candidates -b 2048
ssh-keygen -T moduli-2048 -f moduli-2048.candidates
ssh-keygen -G moduli-4096.candidates -b 4096
ssh-keygen -T moduli-4096 -f moduli-4096.candidates
cp moduli moduli-backup
cat moduli-2048 moduli-4096 > moduli
systemctl restart sshd.service

On 10/18/2016 03:28 PM, Clint Dilks wrote:
> Hi,
>
> In a recent security review some systems I manage were flagged due to supporting "weak" ciphers, specifically the ones listed below. So first question is are people generally modifying the list of ciphers supported by the ssh client and sshd?
>
> On CentOS 6 currently it looks like if I remove all the ciphers they are concerned about then I am left with Ciphers aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and /etc/ssh/ssh_config. Is just using these three ciphers likely to cause me any problems? Could having so few ciphers be creating a security concern itself?
>
> Thanks
>
> The following weak client-to-server encryption algorithms are supported by the remote service:
> rijndael-cbc@lysator.liu.se
> arcfour256
> arcfour128
> aes256-cbc
> 3des-cbc
> aes192-cbc
> blowfish-cbc
> cast128-cbc
> arcfour
> aes128-cbc
>
> The following weak server-to-client encryption algorithms are supported by the remote service:
> rijndael-cbc@lysator.liu.se
> arcfour256
> arcfour128
> aes256-cbc
> 3des-cbc
> aes192-cbc
> blowfish-cbc
> cast128-cbc
> arcfour
> aes128-cbc
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
On 10/18/2016 03:28 PM, Clint Dilks wrote:
> So first question is are people generally modifying the list of ciphers supported by the ssh client and sshd?

I suspect that "generally" people are not. I do, because I can, and so that I can offer at least some advice to people who aim to do so.

> On CentOS 6 currently it looks like if I remove all the ciphers they are concerned about then I am left with Ciphers aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and /etc/ssh/ssh_config.

If you're going to go down this road, you should probably look at key exchanges and HMACs as well. On CentOS 7, I use:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

On CentOS 6, I believe you'd have to drop all of the @openssh.com items.

> Is just using these three ciphers likely to cause me any problems? Could having so few ciphers be creating a security concern itself?

I don't think it'd be a security concern, just compatibility issues. So far, I've had minimal problems with restricted algorithms. I do have to make an exception for a slightly old WD MyBook World edition.
On 19.10.2016 at 00:58, Gordon Messmer <gordon.messmer at gmail.com> wrote:
> On 10/18/2016 03:28 PM, Clint Dilks wrote:
>> So first question is are people generally modifying the list of ciphers supported by the ssh client and sshd?
>
> I suspect that "generally" people are not. I do, because I can, and so that I can offer at least some advice to people who aim to do so.
>
>> On CentOS 6 currently it looks like if I remove all the ciphers they are concerned about then I am left with Ciphers aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and /etc/ssh/ssh_config.
>
> If you're going to go down this road, you should probably look at key exchanges and HMACs as well. On CentOS 7, I use:
>
> KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
> Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
> MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
>
> On CentOS 6, I believe you'd have to drop all of the @openssh.com items.

Is there any command to find the supported list of KexAlgos, MACs and Ciphers for the particular system (e.g. EL{5,6,7})? Similar to

$ openssl ciphers -v ...

>> Is just using these three ciphers likely to cause me any problems? Could having so few ciphers be creating a security concern itself?
>
> I don't think it'd be a security concern, just compatibility issues. So far, I've had minimal problems with restricted algorithms. I do have to make an exception for a slightly old WD MyBook World edition.

--
LF
Hello Clint,

On Wed, 2016-10-19 at 11:28 +1300, Clint Dilks wrote:
> The following weak client-to-server encryption algorithms are supported by the remote service:
> rijndael-cbc@lysator.liu.se
> arcfour256
> arcfour128
> aes256-cbc
> 3des-cbc
> aes192-cbc
> blowfish-cbc
> cast128-cbc
> arcfour
> aes128-cbc

Where did you get the idea that AES (~ Rijndael) is a weak cipher?

RC4 (arcfour) is indeed considered insecure and Blowfish uses a block size that is too small for comfort. CAST-128 might still be quite usable and even though triple DES only provides about 80 bits of security it is still not considered broken.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research
On 19.10.2016 at 17:30, Leonard den Ottolander <leonard at den.ottolander.nl> wrote:
> Hello Clint,
>
> On Wed, 2016-10-19 at 11:28 +1300, Clint Dilks wrote:
>> The following weak client-to-server encryption algorithms are supported by the remote service:
>> rijndael-cbc@lysator.liu.se
>> arcfour256
>> arcfour128
>> aes256-cbc
>> 3des-cbc
>> aes192-cbc
>> blowfish-cbc
>> cast128-cbc
>> arcfour
>> aes128-cbc
>
> Where did you get the idea that AES (~ Rijndael) is a weak cipher?
>
> RC4 (arcfour) is indeed considered insecure and Blowfish uses a block size that is too small for comfort. CAST-128 might still be quite usable and even though triple DES only provides about 80 bits of security it is still not considered broken.

Isn't there a collision attack for DES?

--
LF
On 10/19/2016 08:30 AM, Leonard den Ottolander wrote:
> Where did you get the idea that AES (~ Rijndael) is a weak cipher?

It's not the cipher, but the mode. CBC has several known weaknesses in TLS, and is frequently regarded as potentially insecure as a result.

https://www.openssl.org/~bodo/tls-cbc.txt
On Thu, Oct 20, 2016 at 4:30 AM, Leonard den Ottolander <leonard at den.ottolander.nl> wrote:
> Hello Clint,
>
> On Wed, 2016-10-19 at 11:28 +1300, Clint Dilks wrote:
>> The following weak client-to-server encryption algorithms are supported by the remote service:
>> rijndael-cbc@lysator.liu.se
>> arcfour256
>> arcfour128
>> aes256-cbc
>> 3des-cbc
>> aes192-cbc
>> blowfish-cbc
>> cast128-cbc
>> arcfour
>> aes128-cbc
>
> Where did you get the idea that AES (~ Rijndael) is a weak cipher?
>
> RC4 (arcfour) is indeed considered insecure and Blowfish uses a block size that is too small for comfort. CAST-128 might still be quite usable and even though triple DES only provides about 80 bits of security it is still not considered broken.
>
> Regards,
> Leonard.

Morning Leonard,

I believe the vulnerability scan was done using OpenVAS http://www.openvas.org/

Medium (CVSS: 4.3)
NVT: SSH Weak Encryption Algorithms Supported

Summary
The remote SSH server is configured to allow weak encryption algorithms.

Vulnerability Detection Result
The following weak client-to-server encryption algorithms are supported by the remote service:
rijndael-cbc@lysator.liu.se
arcfour256
arcfour128
aes256-cbc
3des-cbc
aes192-cbc
blowfish-cbc
cast128-cbc
arcfour
aes128-cbc

The following weak server-to-client encryption algorithms are supported by the remote service:
rijndael-cbc@lysator.liu.se
arcfour256
arcfour128
aes256-cbc
3des-cbc
aes192-cbc
blowfish-cbc
cast128-cbc
arcfour
aes128-cbc

Solution
Disable the weak encryption algorithms.

Vulnerability Insight
The "arcfour" cipher is the Arcfour stream cipher with 128-bit keys. The Arcfour cipher is believed to be compatible with the RC4 cipher [SCHNEIER]. Arcfour (and RC4) has problems with weak keys, and should not be used anymore.

The "none" algorithm specifies that no encryption is to be done. Note that this method provides no confidentiality protection, and it is NOT RECOMMENDED to use it.

A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to recover plaintext from a block of ciphertext.

Vulnerability Detection Method
Check if remote ssh service supports Arcfour, none or CBC ciphers.
Details: SSH Weak Encryption Algorithms Supported
OID: 1.3.6.1.4.1.25623.1.0.105611
Version used: $Revision: 3160 $

References
Other:
URL: https://tools.ietf.org/html/rfc4253#section-6.3
URL: https://www.kb.cert.org/vuls/id/958563

Thanks

> --
> mount -t life -o ro /dev/dna /genetic/research
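The detection rule quoted in the OpenVAS result above (flag any cipher that is arcfour, none, or CBC mode) is simple enough to re-run locally against an sshd_config before the next scan. The following Python is an added example, not part of the thread or of OpenVAS; the sshd_config text and the supported-cipher list are constructed stand-ins for the real file and for `ssh -Q cipher` output (which CentOS 6's OpenSSH 5.3 does not provide).

```python
"""Apply the OpenVAS "SSH Weak Encryption Algorithms Supported" rule to an
sshd_config offline. Added example: the config text and SUPPORTED list are
constructed for illustration, not taken from a real host."""
import re

# Detection method quoted from the scan: arcfour*, none, or any *-cbc cipher
# (the vendor-suffixed rijndael-cbc@lysator.liu.se included).
WEAK = re.compile(r"^(arcfour.*|none|.*-cbc(@.*)?)$")

# Constructed stand-in for the build's cipher list (`ssh -Q cipher` on EL7).
SUPPORTED = [
    "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128",
    "arcfour256", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "rijndael-cbc@lysator.liu.se", "aes128-ctr", "aes192-ctr", "aes256-ctr",
]


def configured_ciphers(sshd_config, supported=SUPPORTED):
    """Ciphers sshd will offer: the first Ciphers directive wins (sshd ignores
    later duplicates; Match blocks are not modelled here). With no directive
    the build default applies, which on EL6 is every supported cipher."""
    for line in sshd_config.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "ciphers":
            return [c.strip() for c in parts[1].split(",") if c.strip()]
    return list(supported)


def weak_ciphers(ciphers):
    """Subset of `ciphers` the scan would report."""
    return [c for c in ciphers if WEAK.match(c)]


def hardened_directive(ciphers):
    """Ciphers line with the flagged entries removed, order preserved."""
    return "Ciphers " + ",".join(c for c in ciphers if not WEAK.match(c))


if __name__ == "__main__":
    stock = "# stock EL6 sshd_config: no Ciphers line\nPermitRootLogin no\n"
    offered = configured_ciphers(stock)
    print("flagged:", weak_ciphers(offered))
    print("suggested:", hardened_directive(offered))
```

With no Ciphers directive the suggested line comes out as the same three CTR ciphers the original poster arrived at by hand.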