{"id":10102,"date":"2017-06-29T15:12:46","date_gmt":"2017-06-29T14:12:46","guid":{"rendered":"https:\/\/myworldofit.net\/?p=10102"},"modified":"2017-06-29T16:00:34","modified_gmt":"2017-06-29T15:00:34","slug":"mitigating-ssh-weak-mac-algorithms-supported-and-ssh-weak-encryption-algorithms-supported-on-hpe-aruba-os-switches","status":"publish","type":"post","link":"https:\/\/myworldofit.net\/?p=10102","title":{"rendered":"Mitigating SSH Weak MAC Algorithms Supported and SSH Weak Encryption Algorithms Supported on HPE Aruba-OS Switches"},"content":{"rendered":"

Having recently setup OpenVAS<\/a> (something I will likely blog about in further detail soon) I have found out that the default out of box deployment of Aruba-OS (formally ProCurve) supports a number of insecure SSH Algorithms with messages similar to the ones below logged even when running the latest firmware releases (YA.16.03.0004 on the 2530 series).<\/p>\n

SSH Weak Encryption Algorithms Supported
\nThe remote SSH server is configured to allow weak encryption algorithms.<\/p><\/blockquote>\n

and<\/p>\n

SSH Weak MAC Algorithms Supported
\nThe remote SSH server is configured to allow weak MD5 and\/or 96-bit MAC algorithms.<\/p><\/blockquote>\n

To secure the switch simply run the following commands while logged into the switch<\/p>\n

config
\nno ip ssh cipher aes128-cbc
\nno ip ssh cipher 3des-cbc
\nno ip ssh cipher aes192-cbc
\nno ip ssh cipher aes256-cbc
\nno ip ssh cipher rijndael-cbc@lysator.liu.se
\nno ip ssh cipher aes128-ctr
\nno ip ssh cipher aes192-ctr
\nno ip ssh mac hmac-md5
\nno ip ssh mac hmac-sha1-96
\nno ip ssh mac hmac-md5-96
\nwrite memory<\/p><\/blockquote>\n

\"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Having recently setup OpenVAS (something I will likely blog about in further detail soon) I have found out that the default out of box deployment of Aruba-OS (formally ProCurve) supports a number of insecure SSH Algorithms with messages similar to the ones below logged even when running the latest firmware releases (YA.16.03.0004 on the 2530 series). SSH Weak Encryption Algorithms Supported… Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[21],"tags":[308,307,405,359,404,406,408,358,407,204,277],"series":[],"class_list":["post-10102","post","type-post","status-publish","format-standard","hentry","category-hardware","tag-308","tag-307","tag-5400r","tag-aruba","tag-aruba-os","tag-cypher","tag-encryption","tag-hpe","tag-mac","tag-procurve","tag-ssh"],"_links":{"self":[{"href":"https:\/\/myworldofit.net\/index.php?rest_route=\/wp\/v2\/posts\/10102","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/myworldofit.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/myworldofit.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/myworldofit.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/myworldofit.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10102"}],"version-history":[{"count":2,"href":"https:\/\/myworldofit.net\/index.php?rest_route=\/wp\/v2\/posts\/10102\/revisions"}],"predecessor-version":[{"id":10105,"href":"https:\/\/myworldofit.net\/index.php?rest_route=\/wp\/v2\/posts\/10102\/revisions\/10105"}],"wp:attachment":[{"href":"https:\/\/myworldofit.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/myworldofit.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10102"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/myworldofit.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10102"},{"taxonomy":"series","embeddable":true,"href":"https:\/\/myworldofit.net\/index.php?rest_route=%2Fwp%2Fv2%2Fseries&post=10102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}