
Cisco ASA - SSH D(HE)ater remediation

MarcoLazzarotto (Level 1)

One of our customer's Cisco ASA firewalls was found vulnerable to "Diffie-Hellman Ephemeral Key Exchange DoS Vulnerability (SSH, D(HE)ater)" following a vulnerability scan.

The CVE could either be CVE-2002-20001 or, most likely, CVE-2022-40735.

The firmware is ASA 9.15 and this is the SSH configuration (some lines redacted for privacy):

customer# show run ssh
ssh stricthostkeycheck
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh x.x.x.x 255.255.255.0 outside
ssh x.x.x.x 255.255.255.0 inside
ssh x.x.x.x 255.255.255.0 inside
ssh x.x.x.x 255.255.255.0 inside
ssh x.x.x.x 255.255.255.255 inside

I have no idea how to solve this problem, despite having read a dozen security blogs and documents of various kinds.

From what I found online, the solution would be to use "either elliptic-curve variant of Diffie-Hellman (ECDHE) or RSA key exchange", but the ASA supports only these key-exchange groups:

dh-group1-sha1 Diffie-Hellman group 2 (DEPRECATED)
dh-group14-sha1 Diffie-Hellman group-14-sha1
dh-group14-sha256 Diffie-Hellman group-14-sha256

Any solutions available?


Accepted Solutions

@MarcoLazzarotto upgrade to ASA 9.16 or higher, which have SSH security improvements. https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/release/notes/asarn916.html

https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/configuration/general/asa-916-general-config/admin-management.html?bookSearch=true

Set the Diffie-Hellman (DH) key exchange mode: ssh key-exchange group {curve25519-sha256 | dh-group1-sha1 | dh-group14-sha1 | dh-group14-sha256 | ecdh-sha2-nistp256}


3 Replies


Thank you @Rob Ingram

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

First check the ASA platform in the compatibility matrix linked above for support of versions higher than 9.15.
Starting from 9.16 the key exchange includes elliptic-curve groups.
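The thread leaves one practical gap: how to confirm, from the scanner's point of view, that the ASA no longer offers a finite-field Diffie-Hellman group once `ssh key-exchange group curve25519-sha256` (or `ecdh-sha2-nistp256`) is set on 9.16+. D(HE)ater works by forcing the server to do expensive modular exponentiations, so the remediation is verified only when no `diffie-hellman-group*` algorithm appears in the server's SSH_MSG_KEXINIT. The script below is an added example, not code from the original post or from Cisco. It speaks just enough of RFC 4253 to read the server's KEXINIT and classifies the offered kex algorithms; `build_kexinit` exists only to construct sample payloads for offline use. It assumes the ASA advertises the standard RFC 4253 wire names for its configured group (for example `dh-group14-sha1` appears on the wire as `diffie-hellman-group14-sha1`); the client banner string `SSH-2.0-kexprobe` is arbitrary.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20
NAME_LIST_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c",
)


def _name_list(items):
    """Encode an RFC 4251 name-list: uint32 length + comma-separated names."""
    data = ",".join(items).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex_algorithms, host_key_algorithms=("ssh-rsa",)):
    """Build a minimal SSH_MSG_KEXINIT payload (RFC 4253 section 7.1).

    Constructed sample input only: the 16-byte cookie is all zeros, which a
    real implementation must never do.
    """
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    lists = [tuple(kex_algorithms), tuple(host_key_algorithms),
             ("aes256-ctr",), ("aes256-ctr",),
             ("hmac-sha2-256",), ("hmac-sha2-256",),
             ("none",), ("none",), (), ()]
    for items in lists:
        payload += _name_list(items)
    # boolean first_kex_packet_follows = FALSE, uint32 reserved = 0
    return payload + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of name-lists keyed by field."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    pos = 1 + 16  # message type byte + cookie
    result = {}
    for field in NAME_LIST_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        result[field] = [a for a in raw.split(",") if a]
    return result


def classify_kex(kex_algorithms):
    """Split offered kex algorithms into finite-field DH (D(HE)ater's target),
    elliptic-curve DH, and anything else (for manual review)."""
    ffdh = [a for a in kex_algorithms if a.startswith("diffie-hellman-group")]
    ecdh = [a for a in kex_algorithms if a.startswith(("curve25519-", "ecdh-sha2-"))]
    other = [a for a in kex_algorithms if a not in ffdh and a not in ecdh]
    return {"ffdh": ffdh, "ecdh": ecdh, "other": other}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during SSH handshake")
        buf += chunk
    return buf


def _recv_line(sock):
    line = b""
    while not line.endswith(b"\r\n"):
        line += _recv_exact(sock, 1)
    return line


def probe_kex(host, port=22, timeout=5.0):
    """Connect, exchange identification strings, read the server's first
    binary packet (its KEXINIT) and classify the kex algorithms it offers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexprobe\r\n")  # hypothetical client banner
        while not _recv_line(sock).startswith(b"SSH-"):
            pass  # servers may send banner lines before the version string
        (packet_length,) = struct.unpack(">I", _recv_exact(sock, 4))
        body = _recv_exact(sock, packet_length)
        padding_length = body[0]
        payload = body[1:packet_length - padding_length]
        return classify_kex(parse_kexinit(payload)["kex_algorithms"])


# Constructed KEXINITs standing in for the two ASA configurations discussed.
KEXINIT_ASA_915 = build_kexinit(["diffie-hellman-group14-sha1"])
KEXINIT_ASA_916 = build_kexinit(["curve25519-sha256"])

if __name__ == "__main__":
    for label, payload in (("9.15 dh-group14-sha1", KEXINIT_ASA_915),
                           ("9.16 curve25519-sha256", KEXINIT_ASA_916)):
        print(label, classify_kex(parse_kexinit(payload)["kex_algorithms"]))
```

Run `probe_kex("<asa-mgmt-ip>")` from a host allowed by the `ssh ... inside` ACL; the firewall is remediated for this finding when the returned `ffdh` list is empty. Anything reported under `other` is an algorithm the classifier does not recognise and should be checked by hand rather than assumed safe.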
