UCF STIG Viewer Logo

The SSH client must be configured to not use Cipher-Block Chaining (CBC)-based ciphers.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22462 GEN005511 SV-46017r1_rule Medium
Description
The (CBC) mode of encryption as implemented in the SSHv2 protocol is vulnerable to chosen-plaintext attacks and must not be used.
STIG Date
SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide 2018-09-19

Details

Check Text ( C-43294r1_chk )
Check the SSH client configuration for allowed ciphers.
# grep -i ciphers /etc/ssh/ssh_config | grep -v '^#'
If no lines are returned, or the returned ciphers list contains any cipher ending with "cbc", this is a finding.
Fix Text (F-39381r1_fix)
Edit the SSH client configuration and remove any ciphers ending with "cbc". If necessary, add a "Ciphers" line.