Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22462 | GEN005511 | SV-35193r1_rule | ECSC-1 | Medium |
Description |
---|
The CBC mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen plaintext attacks and must not be used. |
STIG | Date |
---|---|
HP-UX 11.31 Security Technical Implementation Guide | 2017-12-08 |
Check Text ( C-36637r1_chk ) |
---|
Check the SSH client configuration for allowed ciphers. Note that keywords are case-insensitive and arguments (args) are case-sensitive. keyword=Ciphers arg(s)= Default values include: "aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour,arcfour128,arcfour256blowfish-cbc,cast128-cbc". For this check, the only allowed keyword values are those from the above list with the "aes" prefix and the "-ctr" suffix. Note: When the default "arg" value exactly matches the required "arg" value (see above), the Examine the file. # cat /opt/ssh/etc/ssh_config | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | grep -i "ciphers" If the returned ciphers list contains any cipher other than those with the "aes" prefix and the "-ctr" suffix, this is a finding. |
Fix Text (F-32008r1_fix) |
---|
Edit the configuration file and remove any ciphers other than those with the "aes" prefix and the "-ctr" suffix. |