The SSH Weak MAC Algorithms Enabled Vulnerability when detected with a vulnerability scanner will report it as a CVSS 3.7 (v3).
CVSS is a scoring system for vulnerability systems, its an industry standard scoring system to mark findings against a specific number ranging from 0 to 10. They are shown as:
The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak. As with most encryption schemes, SSH MAC algorithms are used to validate data integrity and authenticity. A ‘MAC algorithm’ should not be conflated with a MAC (Message Authentication Code) as these are two distinct components. The MAC algorithm uses a message and private key to generate the fixed length MAC.
MAC algorithms may be considered weak for the following reasons:
A known weak hashing function is used (MD5)
The digest length is too small (Less than 128 bits)
The tag size is too small (Less than 128 bits)
The following client-to-server vulnerable Message Authentication Code (MAC) algorithms
are supported :
hmac-md5
hmac-md5-96
hmac-md5-96
hmac-md5
hmac-sha1-96
hmac-sha1-96
The following server-to-client vulnerable Message Authentication Code (MAC) algorithms
are supported :
hmac-md5
hmac-md5
hmac-md5
hmac-md5
hmac-sha1-96
hmac-sha1-96
Edit /etc/ssh/sshd_config to include the following:
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha2-256,umac-128
Restart the SSH service with ‘sudo systemctl restart sshd’.