The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plain text message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

You may contact the vendor or consult the product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

• The following client-to-server CBC algorithms are supported:
  • 3des-cbc
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • blowfish-cbc
  • cast128-cbc
  • rijndael-cbc@lysator.liu.se
• The following server-to-client CBC algorithms are supported:
  • 3des-cbc
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • blowfish-cbc
  • cast128-cbc
  • rijndael-cbc@lysator.liu.se

Click image to enlarge.

For this vulnerability scan result, modify the configuration of SSHD to fix the issue:

1. Open sshd_config in /etc/ssh directory.
2. Remove the CBC ciphers under Ciphers to use “Ciphers aes256-ctr,aes192-ctr,aes128-ctr” only.

   

   Click image to enlarge.

   

   Click image to enlarge.

3. Save and quit.
4. Restart sshd service using the command:

   [root@imsva~#] service sshd restart

   

   Click image to enlarge.