
Symantec Identity Manager - CVE-2008-5161 - SSH Server CBC Mode Ciphers Enabled


Article ID: 188223


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

A security scan finding reports that the servers are using vulnerable SSH ciphers, specifically ciphers in Cipher Block Chaining (CBC) mode.

Finding Name:
SSH Server CBC Mode Ciphers Enabled

Synopsis:
The SSH server is configured to use Cipher Block Chaining

Description:
The SSH server is configured to support Cipher Block Chaining (CBC) encryption.  This may allow an attacker to recover the plaintext message from the ciphertext.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution:
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

Details:


The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :

  3des-cbc
  aes128-cbc
  aes192-cbc
  aes256-cbc



Environment

Release : 14.X

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Cause

The finding corresponds to CVE-2008-5161 (SSH Server CBC Mode Ciphers Enabled), which was addressed in the initial release of vAPP 14.2. As of 14.2, CBC ciphers are disabled in sshd.

Resolution

The vulnerability was addressed in the initial release of vAPP 14.2. As of 14.2, CBC ciphers are disabled in sshd.
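
To confirm on a given host that sshd no longer offers the CBC ciphers named in the finding, check the effective cipher list that `sshd -T` prints. The following is an added example, not part of the original article or vendor-supplied tooling; the function name `find_cbc_ciphers` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not vendor code).
# Reads `sshd -T`-style text on stdin and prints every CBC cipher it enables.
# Exit status: 0 = no CBC ciphers
#              1 = CBC ciphers found (printed one per line)
#              2 = cannot decide: no "ciphers" line, or a relative (+/-/^) list
#                  from sshd_config that still depends on the built-in defaults
find_cbc_ciphers() {
    awk '
        tolower($1) == "ciphers" && !seen { seen = 1; list = $2 }
        END {
            if (!seen || list ~ /^[-+^]/) exit 2
            n = split(list, c, ",")
            for (i = 1; i <= n; i++)
                if (c[i] ~ /-cbc/) { print c[i]; found = 1 }
            exit (found ? 1 : 0)
        }'
}

# Constructed sample inputs (not captured from a real appliance).
# BEFORE mirrors the four algorithms listed in the scanner finding.
SAMPLE_BEFORE='port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc
macs hmac-sha2-256'
SAMPLE_AFTER='port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-256'

# Demo on the constructed samples.
# On a real host, run as root:  sshd -T | find_cbc_ciphers
for s in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    printf '%s\n' "$s" | find_cbc_ciphers && echo "no CBC ciphers" || echo "status $?"
done
```

Status 2 matters when the input is a raw sshd_config rather than `sshd -T` output: a missing or relative `Ciphers` line means the compiled-in defaults decide, so only the effective configuration gives a reliable answer.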


Additional Information

This will be fixed in 14.4CP2. If you are on 14.4CP1, first apply CHF2, then open a ticket and request HF_VA-14.4.1-20220824111817-DE543429.tgz.