A security scan reports that the servers are using vulnerable ciphers, specifically Cipher Block Chaining (CBC) mode ciphers.
Finding Name:
SSH Server CBC Mode Ciphers Enabled
Synopsis:
The SSH server is configured to use Cipher Block Chaining
Description:
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution:
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
Details:
The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
Release : 14.X
Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)
CVE-2008-5161 (SSH Server CBC Mode Ciphers Enabled) was addressed in the initial release of vApp 14.2.
vApp version 14.3 also has CBC mode ciphers disabled and is not vulnerable.
However, vApp versions 14.4 and 14.4.1 have CBC mode ciphers enabled and are vulnerable.
This vulnerability was addressed in 14.4.2.
If you are on 14.4.1, first apply CHF02, then open a support ticket and request the HF_VA-14.4.1-20220824111817-DE543429.tgz patch.
If you are on 14.4, first upgrade to 14.4.1, then apply CHF02, and after that request HF_VA-14.4.1-20220824111817-DE543429.tgz.