CBC ciphers and SSH vulnerabilities
Symptoms
When running a security scanner, you receive a message similar to:
The SSH server is configured to support Cipher Block Chaining (CBC) encryption.
This may allow an attacker to recover the plaintext message from the ciphertext.
Causes
This indicates that your environment is set up to allow CBC encryption, which can pose a security vulnerability.Resolving the problem
To resolve this, disable CBC cipher encryption and then enable CTR or GCM cipher mode encryption instead. To learn how to do this, consult the documentation for your SSH server.
Guardium® Insights supports these client-to-server and server-to-client CBC algorithms:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc