Navigate

Check: GEN005506

IRIX 6.5: GEN005506 (in versions v1 r1 through v1 r0.6)

Title

The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers. (Cat II impact)

Discussion

The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used.

Check Content

Check the SSH daemon configuration for allowed ciphers. # grep -i ciphers /etc/ssh/sshd_config | grep -v '^#' # grep -i ciphers /etc/openssh/sshd_config | grep -v '^#' If no lines are returned, or the returned ciphers list contains any cipher ending with cbc, this is a finding.

Fix Text

Edit /etc/ssh/sshd_config and add or edit the "Ciphers" line. Only include ciphers that start with "3des" or "aes" and do not contain "cbc". For the list of available ciphers for the particular version of your software, consult the sshd_config manpage. Restart the SSH daemon.

Additional Identifiers

Rule ID:

Vulnerability ID: V-22459

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000366	The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
CM-6	Configuration Settings