5.2.15 Ensure sshd MACs are configured

Information

This variable limits the types of MAC algorithms that SSH can use during communication.

More information about the OpenSSH server configuration is available in the "Configure SSH Server" section overview.

MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to receive a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker who breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information.

Solution

- Edit the /etc/ssh/sshd_config file and add/modify the MACs line to contain a comma-separated allow list of the site approved (strong) MACs:

Example:

MACs [email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1

- - IF - CVE-2023-48795 has not been reviewed and addressed, the following etm MACs should be added to the exclude list: [email protected], [email protected], [email protected]

Impact:

An incorrectly configured or overly restrictive list of MACs could lead to a "no matching MAC" error during an SSH connection. This means the client and server have no overlapping MAC algorithms, which typically occurs due to a mismatch in supported MACs.
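
One way to check the result of the Solution step, as an added example that is not part of the benchmark text: the functions below take the effective "macs" line printed by `sshd -T` and report any MD5 or 96-bit MACs still enabled. The function names, the sample line, and the rule that every "*-etm@openssh.com" name is flagged while CVE-2023-48795 is unaddressed are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the benchmark): flag weak MACs in sshd's effective list.
# Input: the "macs ..." line as printed by `sshd -T`.
# Second argument 1 = also flag Encrypt-then-MAC names (assumption: every
# "*-etm@openssh.com" MAC is excluded while CVE-2023-48795 is unaddressed).

weak_macs() {
    line=$1
    check_etm=${2:-0}
    # Strip the keyword and surrounding whitespace, leaving the comma list.
    list=$(printf '%s\n' "$line" |
        sed -E 's/^[[:space:]]*[Mm][Aa][Cc][Ss][[:space:]]+//; s/[[:space:]]+$//')
    out=""
    old_ifs=$IFS
    IFS=,
    for mac in $list; do
        weak=0
        case $mac in
            *md5*)             weak=1 ;;  # MD5-based
            *-96|*-96-etm@*)   weak=1 ;;  # truncated 96-bit tag
            *-etm@openssh.com) if [ "$check_etm" = 1 ]; then weak=1; fi ;;
        esac
        if [ "$weak" = 1 ]; then out="${out:+$out,}$mac"; fi
    done
    IFS=$old_ifs
    printf '%s' "$out"
}

# Returns 0 (PASS) when nothing weak is enabled, 1 (FAIL) otherwise.
audit_macs() {
    found=$(weak_macs "$1" "${2:-0}")
    if [ -n "$found" ]; then
        printf 'FAIL: weak MACs enabled: %s\n' "$found"
        return 1
    fi
    printf 'PASS: no weak MACs in effective list\n'
}

# Constructed sample line (not captured from a real host).
SAMPLE='macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-md5,hmac-sha1-96'
audit_macs "$SAMPLE" || true      # flags hmac-md5 and hmac-sha1-96
audit_macs "$SAMPLE" 1 || true    # additionally flags the etm MAC
```

On a live host, pass the real line instead of the sample, for example `audit_macs "$(sshd -T | grep -i '^macs')"` run as root.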

See Also

https://workbench.cisecurity.org/benchmarks/25279

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4, CSCv7|16.5

Plugin: Unix

Control ID: 0ee8edf7212ddc982782351d042c5db0a1ea9a7c3f40bb3c4a9b5a4b3e684f3e