SSH Insecure HMAC Algorithms Enabled and SSH CBC Mode Ciphers Enabled Security Vulnerabilities Come Up Against Authentication Manager 8.x

SSH access to RSA Authentication Manager 8.x is enabled by default, exposing vulnerabilities. Disabling SSH or configuring it securely can mitigate risks. To disable SSH, uncheck interfaces in the Operating System Access menu in the RSA Operations Console. To configure SSH securely, disable insecure cipher suites and hash algorithms by editing the sshd_config file and restarting the SSH service.


SSH insecure HMAC algorithms enabled and SSH CBC mode ciphers enabled security vulnerabilities come up against Authentication Manager 8.x

Article Content

Article Number: 000037189

Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Alert Impact / Explanation: When running a vulnerability scan against RSA Authentication Manager, the following vulnerabilities come up:
SSH Insecure HMAC Algorithms Enabled
SSH CBC Mode Ciphers Enabled

Resolution: SSH does not need to be enabled for any Authentication Manager operation. It is only used for troubleshooting and can safely be disabled.

To disable SSH access to Authentication Manager:

1. Log into the RSA Operations Console.
2. Select Administration > Operating System Access.
3. Under SSH Settings, uncheck all interfaces showing under Enable SSH.
4. Click Save.

Notes: If SSH access needs to be enabled, try the following steps to disable the insecure ciphers and HMACs:

1. SSH into Authentication Manager using your rsaadmin credentials.

Note that during Quick Setup another user name may have been selected. Use that user name to log in.

2. Change to root using the command sudo su - and enter the same password from above when prompted.

sudo su -
password for rsaadmin: <enter operating system password>

3. Run the following command to view the enabled ciphers and HMACs:

sshd -T | grep -E 'cipher|mac'

The output will be something like this:

ciphers 3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-c
[email protected],[email protected],[email protected],[email protected],[email protected]

4. Copy the output into a text file and delete any CBC ciphers and any 96-bit or MD5 HMAC algorithms.

5. The list after removing the insecure algorithms will be something like this:

ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected]
macs [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512

6. Take a backup of the sshd_config file before making any changes:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

7. Open the sshd_config file:

vim /etc/ssh/sshd_config

8. Press i to enter INSERT mode.

9. Comment out any existing Ciphers or MACs lines in the file by adding a # at the beginning of the line:

# Ciphers and keying
#RekeyLimit default none
#Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-

10. Add the filtered lists of ciphers and HMACs just below this section:

# Ciphers and keying
#RekeyLimit default none
#Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,ae

ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected]
macs [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hma

11. Press ESC to exit INSERT mode.

12. Enter :wq! to save and exit.

13. Restart the SSH service for the changes to be applied:

service sshd restart

14. Run the following command to make sure that the changes were applied successfully:

sshd -T | grep -E 'cipher|mac'

The output shouldn't have any CBC ciphers, 96-bit HMACs or MD5 HMACs:

ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected]
macs [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates, including without limitation its ultimate parent company, Dell EMC, distribute RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
