Cryptography / SSH Weak Key Exchange Algorithms Enabled
Description
The remote SSH server is configured to allow weak key exchange algorithms.
The IETF draft document Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ssh-kex-sha2-20, Section 4 lists guidance on key exchange algorithms that SHOULD NOT and MUST NOT be enabled. This includes among others:
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
gss-gex-sha1-*
gss-group1-sha1-*
gss-group14-sha1-*
rsa1024-sha1
Risk
The SSH key exchange algorithm is fundamental to keep the protocol secure. It is what allows two previously unknown parties to generate a shared key in plain sight, and have that secret remain private to the client and server.
Over time, some implementations of this algorithm have been identified as weak or vulnerable.
Solution
Contact the vendor or consult product documentation to disable the weak algorithms.