The SSH Weak Key Exchange Algorithms Enabled Vulnerability when detected with a vulnerability scanner will report it as a CVSS 3.7 (v3).
CVSS is a scoring system for vulnerability systems, its an industry standard scoring system to mark findings against a specific number ranging from 0 to 10. They are shown as:
Weak Key Exchange Algorithms use components with fundamental security flaws. There are only two primary reasons they are be regarded as ‘weak’:
The algorithm uses SHA1.
The algorithm uses RSA 1024-bit modulus keys.
When flaws were identified in SHA1, it was believed this could potentially impact SSH security. An attack against the protocol would carry an extreme level of difficulty and would be nearly impossible to conduct in practice.
Despite the unlikeliness of an attack occurring, using encryption algorithms with known weaknesses such as SHA1 will raise a Low Risk issue on a network penetration test.
Per IETF guidance, below is a list of known weak algorithms:
diffie-hellman-group-exchange-sha1
Diffie-hellman-group1-sha1
gss-gex-sha1-*
gss-group1-sha1-*
rsa1024-sha1
Edit /etc/ssh/sshd_config to include the following:
KexAlgorithms [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
Restart the SSH service with ‘sudo systemctl restart sshd’.