Check: GEN005506
Solaris 10 SPARC STIG:
GEN005506
(in versions v2 r4 through v1 r19)
Title
The SSH daemon must be configured to not use Cipher-Block Chaining (CBC) ciphers. (Cat II impact)
Discussion
The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used.
Check Content
Check the SSH daemon configuration for allowed ciphers. # grep -i ciphers /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned ciphers list contains any cipher ending with cbc, this is a finding.
Fix Text
Edit /etc/ssh/sshd_config and add or edit the "Ciphers" line. Only include ciphers that start with "3des" or "aes" and do not contain "cbc". For the list of available ciphers for the particular version of your software, consult the sshd_config manpage. Restart the SSH daemon.
Additional Identifiers
Rule ID: SV-226987r603265_rule
Vulnerability ID: V-226987
Group Title: SRG-OS-000480
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |