Does vulnerability CVE-2016-2183 impact the Messaging Gateway?
search cancel

Does vulnerability CVE-2016-2183 impact the Messaging Gateway?


Article ID: 221016


Updated On:


Messaging Gateway


Vulnerability CVE-2016-2183 is commonly referred to as the Sweet32 or Birthday attack.

In its default configuration the Messaging Gateway (SMG) SSH server will allow connection using CBC ciphers which may be considered insecure by vulnerability scanners.


CBC ciphers can be disabled for the SSH server by running the sshd-config command from admin command line interface (CLI) as follows:

Version 10.7.5 and newer

reference [10.8.0-7]> sshd-config --ciphers 'aes128-ctr,aes192-ctr,aes256-ctr'
Previous setting for Ciphers:
        3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
New setting for Ciphers:

Do you wish to make this change? (yes/no) yes

Versions 10.7.4 and previous

sshd-config --cbc off

This will disconnect the SSH session as the SSH service is reconfigured and restarted. Following service restart the SSH service will no longer allow the use of CBC ciphers for connection. This can be confirmed by logging back into the CLI and running the sshd-config command with no options:

smg [10.7.4-13]> sshd-config
Allows protocol version 1
Support for CBC ciphers is DISABLED
Support for limited MACs (hmac-sha2-256,hmac-sha2-512) is ENABLED

Note: Some older SSH clients may no longer be able to connect to the SMG CLI following the removal of the CBC ciphers from the allowed cipher list.