Customer may see following Plugin name or Vulnerabilities on their security assessment report. Below table is example one, but the plugin name will be same for all customer
Plugin Name
SSH Server CBC Mode Ciphers Enabled
Plugin Output: The following client-to-server Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes256-cbc des-cbc The following server-to-client Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes256-cbc des-cbc
SSH Weak MAC Algorithms Enabled
The following client-to-server Message Authentication Code (MAC) algorithms are supported : hmac-md5 hmac-md5-96 hmac-sha1-96 The following server-to-client Message Authentication Code (MAC) algorithms are supported : hmac-md5 hmac-md5-96 hmac-sha1-96
For ssh, there is no way to disable the CBC cipher. However the client can use SSH2 to communicate with the switch and choose the cipher as below for better security.
The below example will be applicable only for Com7 models . On COM5 router , where we don’t have SSH2 support . Due to this we cannot select the cipher suite to disable the weak MAC algorithm and CBC Ciphers. This is the limitations on this device and we don’t have option to fix this vulnerabilities.
[5940-133-32]ssh2 algorithm cipher ?
3des-cbc 3DES-CBC
aes128-cbc AES128-CBC
aes128-ctr AES128-CTR
aes128-gcm AES128_GCM
aes192-ctr AES192-CTR
aes256-cbc AES256-CBC
aes256-ctr AES256-CTR
aes256-gcm AES256_GCM
des-cbc DES-CBC
Config Example for SSH:
==
ssh server enable
undo ssh server compatible-ssh1x enable
ssh2 algorithm cipher aes128-ctr aes192-ctr aes256-ctr aes128-gcm aes256-gcm
ssh2 algorithm mac sha1 sha2-256 sha2-512
==
#COM7#SSHWeakMACAlgorithms#COM5#HPEswitch#SSHVulnerabilities.SSHServerCBCMode