AIX

  • 1.  vulnerability SSH with Weak Encryption Algorithm in AIX 7.1

    Posted Thu March 09, 2023 05:22 AM

    Hello,

    I kindly need your advice. It is about the vulnerability "SSH with Weak Encryption Algorithm" in my AIX 7.1. Our pentester recommended that we deactivate CBC mode ciphers, 3DES encryption, and RC4 mode ciphers, and activate CTR or GCM mode cipher encryption.
    I don't have any idea how to do this.

    Thank You



    ------------------------------
    ~Ary Syarifudin
    ------------------------------


  • 2.  RE: vulnerability SSH with Weak Encryption Algorithm in AIX 7.1

    Posted Thu March 09, 2023 09:02 AM

    You're going to need to specify a line in /etc/sshd_config for ciphers.

    Something like:

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr

    Then just refresh sshd to apply the changes.  You can test your results externally from the server with something like NMAP.



    ------------------------------
    Anthony Cascianelli
    ------------------------------
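
Added example (not part of the thread and not any poster's or IBM's code): a POSIX shell check that reads an sshd_config-style file and lists any cipher on its first active Ciphers line that falls into the classes named in the original question (CBC, 3DES, RC4/arcfour). The function name weak_ciphers, the marker strings it prints, and the sample config lines are constructed for illustration.

```shell
#!/bin/sh
# weak_ciphers [FILE]  (hypothetical helper; reads stdin when FILE is omitted)
# Prints each CBC, 3DES or RC4 (arcfour) cipher named on the first active
# "Ciphers" line of an sshd_config-style file. Exit status 0 = explicit list
# with none of those ciphers, 1 = anything else.
weak_ciphers() {
    awk '
        /^[ \t]*#/ { next }                  # commented-out lines are inactive
        tolower($1) == "ciphers" && !seen {  # keyword is case-insensitive;
            seen = 1                         # the first value obtained wins
            if ($2 ~ /^[+^-]/) {             # +/-/^ edit the built-in defaults,
                print "MODIFIES_DEFAULTS"    # so the file alone cannot show
                bad = 1                      # the effective list
                next
            }
            n = split($2, c, ",")
            for (i = 1; i <= n; i++)
                if (c[i] ~ /-cbc$/ || c[i] ~ /-cbc@/ ||
                    c[i] ~ /^3des/ || c[i] ~ /^arcfour/) {
                    print c[i]
                    bad = 1
                }
        }
        END {
            if (!seen) {                     # no directive: the build defaults
                print "NO_CIPHERS_LINE"      # apply, whatever they contain
                bad = 1
            }
            exit bad + 0
        }
    ' "${1:--}"
}

# Constructed sample input (not taken from the thread's server).
weak_ciphers <<'EOF' || echo "-> weak or unknown cipher set; fix the Ciphers line"
# constructed sshd_config fragment
Ciphers aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,arcfour
EOF
```

Run it against the server's sshd configuration file before refreshing sshd. NO_CIPHERS_LINE means the installed OpenSSH build's default cipher list is in effect, which depends on the version.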



  • 3.  RE: vulnerability SSH with Weak Encryption Algorithm in AIX 7.1

    Posted Fri March 10, 2023 05:38 AM

    .



    ------------------------------
    Ary Syarifudin
    ------------------------------



  • 4.  RE: vulnerability SSH with Weak Encryption Algorithm in AIX 7.1

    Posted Mon March 13, 2023 05:57 PM

    You need to edit /etc/ssh/sshd_config file.

     

    # Disable CBC mode ciphers and weak MAC algorithms (MD5 and -96)

    Ciphers

     

    Stop and restart ssh.






  • 5.  RE: vulnerability SSH with Weak Encryption Algorithm in AIX 7.1

    Posted Wed March 15, 2023 04:04 AM
    Edited by Ary Syarifudin Wed March 15, 2023 04:06 AM

    I found it in /etc/ssh/ssh_config. Are those the lines above that you mentioned before?



    ------------------------------
    Ary Syarifudin
    ------------------------------



  • 6.  RE: vulnerability SSH with Weak Encryption Algorithm in AIX 7.1

    Posted Thu March 16, 2023 09:30 AM

    Yes,

     

    You have to edit them. Or

     

    OpenSSL

     

        VRMF: 1.1.1.1200 (1.1.1l with all ciphers support)

            openssl-1.1.1.1200.tar.Z (41335049)

        VRMF: 1.1.2.1200 (1.1.1l with no-weak ciphers support)

            openssl-1.1.2.1200.tar.Z (41228053)

     

    OpenSSH

     

        VRMF: 8.1.102.2105

            OpenSSH_8.1.102.2105.tar.Z (12605103)

     

    https://www.ibm.com/support/pages/downloading-and-installing-or-upgrading-openssl-and-openssh






  • 7.  RE: vulnerability SSH with Weak Encryption Algorithm in AIX 7.1

    Posted Thu March 16, 2023 11:03 PM

    It was already uncommented. Should I edit those lines?

    I did a test update to the latest OpenSSL and OpenSSH, and the result was that the server could not be reached remotely via SSH.

    It's recommended that I should update TL5 SP10 for AIX 7.1 first.



    ------------------------------
    Ary Syarifudin
    ------------------------------



  • 8.  RE: vulnerability SSH with Weak Encryption Algorithm in AIX 7.1

    Posted Fri March 17, 2023 10:17 AM

    Do lssrc -s ssh or lssrc -s sshd

     

    Then if not active

     

    startsrc -s ssh or startsrc -s sshd