Does vulnerability CVE-2016-2183 impact the Messaging Gateway?

Article ID: 221016

Products

Messaging Gateway, Messaging Gateway for Service Providers

Issue/Introduction

Vulnerability CVE-2016-2183 is commonly referred to as the Sweet32 or Birthday attack.

In its default configuration, the Messaging Gateway (SMG) SSH server allows connections using CBC ciphers, which vulnerability scanners may consider insecure.

Resolution

CBC ciphers can be disabled for the SSH server by running the sshd-config command from the admin command line interface (CLI) as follows:

Version 10.7.5 and newer

reference [10.8.0-7]> sshd-config --ciphers 'aes128-ctr,aes192-ctr,aes256-ctr'
Previous setting for Ciphers:
        3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
New setting for Ciphers:
        aes128-ctr,aes192-ctr,aes256-ctr

Do you wish to make this change? (yes/no) yes

Versions 10.7.4 and previous

sshd-config --cbc off

This will disconnect the SSH session as the SSH service is reconfigured and restarted. Following the service restart, the SSH service will no longer allow the use of CBC ciphers for connections. This can be confirmed by logging back into the CLI and running the sshd-config command with no options:

smg [10.7.4-13]> sshd-config
Allows protocol version 1
Support for CBC ciphers is DISABLED
Support for limited MACs (hmac-sha2-256,hmac-sha2-512) is ENABLED

Note: Some older SSH clients may no longer be able to connect to the SMG CLI following the removal of the CBC ciphers from the allowed cipher list.
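
The change can also be confirmed from the network side, because an SSH server advertises its cipher list in the SSH_MSG_KEXINIT message (RFC 4253, section 7.1). The following is an added example, not part of the original article or the vendor's tooling: it parses a KEXINIT payload and reports any CBC ciphers offered. The payloads are constructed from the cipher and MAC names shown in the output above; the function names and the key exchange and host key values are assumptions made for the sample.

```python
# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
SSH_MSG_KEXINIT = 20

def build_kexinit(ciphers, macs):
    """Build a constructed KEXINIT payload (sample data, not a capture)."""
    lists = {"kex": ["diffie-hellman-group14-sha1"], "host_key": ["ssh-rsa"],
             "enc_c2s": ciphers, "enc_s2c": ciphers, "mac_c2s": macs,
             "mac_s2c": macs, "comp_c2s": ["none"], "comp_s2c": ["none"]}
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # type byte + zeroed cookie
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        out += len(data).to_bytes(4, "big") + data
    return out + bytes(5)  # first_kex_packet_follows = 0, reserved = 0

def parse_kexinit(payload):
    """Return {field: [algorithm, ...]} parsed from a KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, result = 17, {}  # skip the type byte and the 16-byte cookie
    for name in FIELDS:
        length = int.from_bytes(payload[pos:pos + 4], "big")
        end = pos + 4 + length
        if pos + 4 > len(payload) or end > len(payload):
            raise ValueError("truncated name-list: " + name)
        text = payload[pos + 4:end].decode("ascii")
        result[name] = text.split(",") if text else []
        pos = end
    return result

def offered_cbc(payload):
    """CBC-mode ciphers the server offers in either direction, sorted."""
    algs = parse_kexinit(payload)
    return sorted({c for c in algs["enc_c2s"] + algs["enc_s2c"] if "-cbc" in c})

# Cipher and MAC names copied from the sshd-config output on this page
# (legible entries only); kex/host-key values above are constructed.
BEFORE = ["3des-cbc", "blowfish-cbc", "cast128-cbc", "aes128-cbc", "aes192-cbc",
          "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr"]
AFTER = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
MACS = ["hmac-sha2-256", "hmac-sha2-512"]

if __name__ == "__main__":
    for label, ciphers in (("before", BEFORE), ("after", AFTER)):
        print(label, offered_cbc(build_kexinit(ciphers, MACS)) or "no CBC ciphers")
```

To check a real appliance, pass in the KEXINIT payload taken from a packet capture of a connection to the SMG SSH port; an empty result means no CBC cipher is being offered.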

For more details on how to secure your Messaging Gateway, refer to the knowledge article