Vulnerability CVE-2016-2183 is commonly referred to as the Sweet32 or Birthday attack.
In its default configuration the Messaging Gateway (SMG) SSH server will allow connection using CBC ciphers which may be considered insecure by vulnerability scanners.
CBC ciphers can be disabled for the SSH server by running the sshd-config command from admin command line interface (CLI) as follows:
reference [10.8.0-7]> sshd-config --ciphers 'aes128-ctr,aes192-ctr,aes256-ctr'
Previous setting for Ciphers:
New setting for Ciphers:
Do you wish to make this change? (yes/no) yes
sshd-config --cbc off
This will disconnect the SSH session as the SSH service is reconfigured and restarted. Following service restart the SSH service will no longer allow the use of CBC ciphers for connection. This can be confirmed by logging back into the CLI and running the sshd-config command with no options:
smg [10.7.4-13]> sshd-config
Allows protocol version 1
Support for CBC ciphers is DISABLED
Support for limited MACs (hmac-sha2-256,hmac-sha2-512) is ENABLED
Note: Some older SSH clients may no longer be able to connect to the SMG CLI following the removal of the CBC ciphers from the allowed cipher list.