Cisco Bug: CSCvv45989 - PI 3.8- Low SSH Server CBC Mode Ciphers Enabled

Last Modified

Oct 16, 2020

Products (1)

  • Cisco Prime Infrastructure

Known Affected Releases

3.8(1)

Description (partial)

Symptom:
In 3.6 the customer had already disabled it, and when he upgraded to 3.8 we were able to see the issue. As a workaround we made the changes in the ssh_config file and removed the cbc extension entries from /etc/ssh/sshd_config.

After upgrading from PI 3.6 to PI 3.8 we could see that a few of the legacy ciphers are enabled.

Low  SSH Server CBC Mode Ciphers Enabled

The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

CVE:  CVE-2008-5161

The following client-to-server & server-to-client Cipher Block Chaining (CBC) algorithms
are supported : 

  3des-cbc
  aes128-cbc
  aes192-cbc
  aes256-cbc

Conditions:
PI 3.8
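
A post-upgrade check for the condition reported above, as an added example that is not Cisco's code: it reads an sshd_config-style file and lists any CBC ciphers enabled by the first active Ciphers directive. The function names and both sample files are constructed for illustration; on a live host, `sshd -T` prints the effective cipher list, including the build defaults that apply when no directive is present.

```shell
#!/bin/sh
# Added example, not Cisco's code. Sample files below are constructed.

# Print the value of the first active "Ciphers" directive. sshd keeps the
# first value it reads for a keyword; keywords are case-insensitive and may
# be separated from the value by whitespace or "=".
first_ciphers_value() {
    awk '{
        sub(/^[ \t]+/, "")
        if ($0 == "" || $0 ~ /^#/) next
        split($0, f, /[ \t=]+/)
        if (tolower(f[1]) == "ciphers") { print f[2]; exit }
    }' "$1"
}

# List the CBC ciphers that directive enables, one per line.
enabled_cbc_ciphers() {
    value=$(first_ciphers_value "$1")
    case "$value" in
        ''|-*) return 0 ;;  # no directive (defaults apply) or "-list" removal
    esac
    value=${value#[+^]}     # "+list" and "^list" add to the defaults
    printf '%s\n' "$value" | tr ',' '\n' | grep -i 'cbc' || true
}

# Return 0 when no CBC cipher is enabled, 1 (with a message) otherwise.
check_no_cbc() {
    found=$(enabled_cbc_ciphers "$1")
    if [ -z "$found" ]; then return 0; fi
    printf 'CBC ciphers enabled in %s: %s\n' "$1" \
        "$(printf '%s\n' "$found" | paste -sd, -)" >&2
    return 1
}

# Constructed samples: the state after the upgrade, and after the workaround.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config.upgraded" <<'EOF'
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc
EOF
cat > "$tmp/sshd_config.fixed" <<'EOF'
# Ciphers 3des-cbc   (commented out, ignored)
ciphers=aes128-ctr,aes192-ctr,aes256-ctr
Ciphers aes128-cbc
EOF
check_no_cbc "$tmp/sshd_config.upgraded" || echo "upgraded: CBC present"
check_no_cbc "$tmp/sshd_config.fixed" && echo "fixed: no CBC"
```

Running the check after every upgrade catches the case described here, where a previously removed cipher set returns with the new release.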