CBC ciphers and SSH vulnerabilities

Symptoms

When running a security scanner, you receive a message similar to:

The SSH server is configured to support Cipher Block Chaining (CBC) encryption.
This may allow an attacker to recover the plaintext message from the ciphertext.

Causes

This indicates that your environment is set up to allow CBC encryption, which can pose a security vulnerability.

Resolving the problem

To resolve this, disable CBC cipher encryption and then enable CTR or GCM cipher mode encryption instead. To learn how to do this, consult the documentation for your SSH server.

Guardium® Insights supports these client-to-server and server-to-client CBC algorithms:

  • 3des-cbc
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • blowfish-cbc
  • cast128-cbc