Skip to main content
All CollectionsRemediations
SSH Weak Key Exchange Algorithms Enabled (Linux) Vulnerability
SSH Weak Key Exchange Algorithms Enabled (Linux) Vulnerability
Alan Butcher avatar
Written by Alan Butcher
Updated over a week ago

The SSH Weak Key Exchange Algorithms Enabled Vulnerability when detected with a vulnerability scanner will report it as a CVSS 3.7 (v3).

CVSS is a scoring system for vulnerability systems, its an industry standard scoring system to mark findings against a specific number ranging from 0 to 10. They are shown as:

Weak Key Exchange Algorithms use components with fundamental security flaws. There are only two primary reasons they are be regarded as ‘weak’:

  1. The algorithm uses SHA1.

  2. The algorithm uses RSA 1024-bit modulus keys.

When flaws were identified in SHA1, it was believed this could potentially impact SSH security. An attack against the protocol would carry an extreme level of difficulty and would be nearly impossible to conduct in practice.

Despite the unlikeliness of an attack occurring, using encryption algorithms with known weaknesses such as SHA1 will raise a Low Risk issue on a network penetration test.

Per IETF guidance, below is a list of known weak algorithms:

  • diffie-hellman-group-exchange-sha1

  • Diffie-hellman-group1-sha1

  • gss-gex-sha1-*

  • gss-group1-sha1-*

  • rsa1024-sha1

Edit /etc/ssh/sshd_config to include the following:

KexAlgorithms [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

Restart the SSH service with ‘sudo systemctl restart sshd’.

Did this answer your question?