Foundstone Security Scanner reports a "potentially weak key exchange algorithm" for Sun Secure Shell (ssh)

(Doc ID 1223914.1)

Last updated on AUGUST 17, 2016

Applies to:

Solaris SPARC Operating System - Version 9 GA to 11.1 [Release 9.0 to 11.0]
Information in this document applies to any platform.

Symptoms

Foundstone Security Scanner reports a "potentially weak key exchange algorithm".

The scanner report reads as follows:

Description:

The target Secure Shell 2 (SSH2) server supports a potentially weak key
exchange algorithm.

Observation:

The Secure Shell 2 (SSH2) protocol is a presentation layer protocol used to
provide secure client-server communication. The SSH2 protocol specification
requires that a SSH2 server support the diffie-hellman-group1-sha1 key exchange
algorithm. This key exchange algorithm is considered strong, but faces a
potential weakness in that the same prime number is used for all key exchanges.
An alternative key exchange algorithm, diffie-hellman-exchange-group-sha1,
provides enhanced security by allowing for the prime number to be specified
during key exchange.

Recommendation:

The server should be configured not to support the diffie-hellman-group1-sha1
algorithm if possible. Consult your vendor's documentation.



Changes

The RFE that provides this support in Oracle Solaris is:

4406914 Support draft-ietf-secsh-dh-group-exchange-01


from Patch ID: 117177-02

SunSSH in Solaris 10 and 11 already has support for the diffie-hellman-exchange-group-sha1 algorithm, so no patch is required on these hosts.
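
To confirm which key exchange methods a host advertises, the list can be read from the server's unencrypted SSH_MSG_KEXINIT packet. The following is an added example, not part of the Oracle note or the scanner: it parses a constructed packet laid out per RFC 4253, the helper names and sample lists are assumptions, and the group exchange method is checked under its RFC 4419 name, diffie-hellman-group-exchange-sha1.

```python
import struct

SSH_MSG_KEXINIT = 20
FIXED_PRIME_KEX = "diffie-hellman-group1-sha1"  # method named in the scanner finding
GROUP_EXCHANGE_KEX = "diffie-hellman-group-exchange-sha1"  # RFC 4419 name (assumption)

def name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(kex_algorithms):
    """Build a constructed, unencrypted KEXINIT packet (sample input only)."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # message type + zeroed cookie
    payload += name_list(kex_algorithms) + name_list([]) * 9  # other nine lists empty
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    pad = 8 - (5 + len(payload)) % 8  # whole packet must be a multiple of 8 bytes
    if pad < 4:
        pad += 8  # RFC 4253 requires at least 4 bytes of padding
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + b"\x00" * pad

def parse_kex_algorithms(packet):
    """Return the kex_algorithms name-list from an unencrypted KEXINIT packet."""
    if len(packet) < 5:
        raise ValueError("truncated packet header")
    packet_length, padding_length = struct.unpack(">IB", packet[:5])
    if packet_length + 4 > len(packet) or padding_length + 1 > packet_length:
        raise ValueError("inconsistent packet lengths")
    payload = packet[5:4 + packet_length - padding_length]
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    (list_len,) = struct.unpack(">I", payload[17:21])  # follows type byte and cookie
    if 21 + list_len > len(payload):
        raise ValueError("kex_algorithms name-list overruns payload")
    names = payload[21:21 + list_len].decode("ascii")
    return names.split(",") if names else []

def assess(kex_algorithms):
    """Report the two facts the scanner finding turns on."""
    return {"offers_group1": FIXED_PRIME_KEX in kex_algorithms,
            "offers_group_exchange": GROUP_EXCHANGE_KEX in kex_algorithms}

# Constructed samples, not captured from any real host.
SAMPLE_GROUP1_ONLY = build_kexinit([FIXED_PRIME_KEX])
SAMPLE_WITH_GEX = build_kexinit([GROUP_EXCHANGE_KEX, FIXED_PRIME_KEX])

if __name__ == "__main__":
    for label, pkt in (("group1 only", SAMPLE_GROUP1_ONLY), ("with gex", SAMPLE_WITH_GEX)):
        print(label, assess(parse_kex_algorithms(pkt)))
```
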

Cause
