Check: GEN005511
SOLARIS 9 SPARC STIG:
GEN005511
(in version v1 r12)
Title
The SSH client must be configured to not use CBC-based ciphers. (Cat II impact)
Discussion
The Cipher-Block Chaining (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plain text attacks and must not be used.
Check Content
Fix Text
Edit /etc/ssh/ssh_config and add or edit the "Ciphers" line. Only include ciphers that start with "3des" or "aes" and do not contain "cbc". For the list of available ciphers for the particular version of your software, consult the ssh_config manpage.
Additional Identifiers
Rule ID: SV-26755r1_rule
Vulnerability ID: V-22462
Group Title: GEN005511
Expert Comments
Expert comments are only available to logged-in users.
CCIs
CCIs tied to check.
| Number | Definition |
|---|---|
| CCI-000366 |
The organization implements the security configuration settings. |
Controls
Controls tied to check. These are derived from the CCIs shown above.
| Number | Title |
|---|---|
| CM-6 |
Configuration Settings |