Deprecated SSH Cryptographic Settings

Hi All

How to fix the “Deprecated SSH Cryptographic Settings” vulnerability on servers with BigFix?
QID:38739 & 38738

Regards
AK

You’d probably need to explain how one would do that without BigFix first, even on a single machine. Links to instructions or CVEs might be useful as well. I don’t know what a QID is.

Hi

QID is the Qualys ID, and the solution from Qualys is to remove the ciphers.
Please find it below:
“Avoid using deprecated cryptographic settings.
Use best practices when configuring SSH.
Refer to Security of Interactive and Automated Access Management Using Secure Shell (SSH) (IR 7966, Security of Interactive and Automated Access Management Using Secure Shell (SSH) | CSRC).”

Regards
AK

Hi

Adding to that, there is no CVE ID for this finding.

Regards
AK

I think I’ll need your help doing some of the homework on this. That’s a fifty page PDF you linked, and I’m not sure where one would find the particular setting(s) you’re talking about.

It’s very likely we have this already in one of the Compliance checklists, have you looked for it there?

Hi

Where is the compliance checklist?
What is its name?

There are a lot of different Compliance checklists.

I still don’t know specifically what setting you’re asking about but I think it might match this example from the CIS Checklist for CentOS Linux 8, where the sshd should not override the system-wide crypto settings…

What OS are the servers in question running? Methods to adjust SSH cryptographic settings will typically vary by the SSH server. The detailed results of the vulnerability findings may help on a case by case basis to better understand the SSH server(s) in question, and how to adjust SSH crypto configs…which can then help with preparing automation within BigFix to fix them (if we don’t have content for it already).
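Since the thread never pins down which settings the Qualys QIDs object to, here is an added example (not BigFix content, not Qualys output, and not from any poster in this thread) of the kind of check a BigFix analysis or fixlet relevance would wrap: a POSIX sh audit of an sshd configuration for deprecated ciphers, MACs and key-exchange algorithms, plus a hardened fragment that uses only modern OpenSSH algorithm names. The lists of "weak" algorithms are an assumption based on what such scanners commonly flag (CBC-mode ciphers, RC4/3DES, MD5- and SHA-1-based MACs, SHA-1 key exchange); the sample sshd_config is constructed. The script also handles the OpenSSH `-alg` syntax, where a leading minus removes algorithms from the defaults rather than enabling them, and flags keywords that are absent, because then the build defaults or (on CentOS/RHEL 8, per the CIS item mentioned above) the system-wide crypto policy decide what is offered.

```sh
#!/bin/sh
# Added example (not BigFix content or Qualys output): audit an sshd configuration for
# deprecated ciphers, MACs and key-exchange algorithms and print a hardened fragment.
# The "weak" lists are an assumption based on algorithms commonly flagged by scanners.

WEAK_CIPHERS='3des-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se'
WEAK_MACS='hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-sha1-96-etm@openssh.com umac-64@openssh.com umac-64-etm@openssh.com'
WEAK_KEX='diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1'

# sshd_value FILE KEYWORD: print the value of KEYWORD (first match wins, as sshd does),
# skipping comment lines and ignoring keyword case. Works on sshd_config files and on
# the output of "sshd -T", which prints the effective configuration in lowercase.
sshd_value() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == kw { print $2; exit }
    ' "$1"
}

# weak_in_list "a,b,c" "weak1 weak2 ...": print the algorithms from the comma list that
# appear in the weak list. A leading "-" means the list REMOVES algorithms from the
# defaults, so nothing in it is enabled; "+" (append) and "^" (prepend) are still checked.
weak_in_list() {
    case $1 in -*) return 0 ;; esac
    found=""
    for alg in $(printf '%s' "$1" | tr ',' ' '); do
        a=${alg#+}
        a=${a#^}
        case " $2 " in *" $a "*) found="$found $a" ;; esac
    done
    printf '%s\n' "${found# }"
}

# audit_sshd_config FILE: print "Keyword: algorithm" for every deprecated algorithm still
# enabled, and a note where a keyword is absent (then the OpenSSH build defaults or the
# system-wide crypto policy decide). Returns 1 if anything deprecated was found, else 0.
audit_sshd_config() {
    rc=0
    for pair in "Ciphers|$WEAK_CIPHERS" "MACs|$WEAK_MACS" "KexAlgorithms|$WEAK_KEX"; do
        kw=${pair%%|*}
        val=$(sshd_value "$1" "$kw")
        if [ -z "$val" ]; then
            echo "$kw: not set (defaults or system crypto policy apply; check with 'sshd -T')"
            continue
        fi
        for a in $(weak_in_list "$val" "${pair#*|}"); do
            echo "$kw: $a"
            rc=1
        done
    done
    return $rc
}

# hardened_fragment: explicit settings built only from modern OpenSSH algorithm names.
# Place them in sshd_config (or a file under sshd_config.d where supported) and reload sshd.
hardened_fragment() {
    cat <<'EOF'
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
EOF
}

# Demo on a constructed sshd_config (not taken from any real host).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample sshd_config
Port 22
Ciphers aes128-ctr,3des-cbc,aes256-cbc
MACs hmac-sha2-256,hmac-md5
# KexAlgorithms intentionally absent
EOF
    echo "== constructed config =="
    audit_sshd_config "$tmp" || echo "result: deprecated algorithms present"
    echo "== hardened fragment =="
    hardened_fragment > "$tmp"
    audit_sshd_config "$tmp" && echo "result: clean"
    rm -f "$tmp"
}
demo
```

On a live host, audit the effective configuration rather than the file, since defaults and include files matter: `sshd -T > /tmp/effective.conf && audit_sshd_config /tmp/effective.conf`. On CentOS/RHEL 8 the CIS guidance quoted earlier in the thread is to let sshd follow the system-wide policy, so there the remediation is `update-crypto-policies` rather than hardcoding algorithm lists in sshd_config; the audit of `sshd -T` output still tells you whether the resulting policy is clean.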