Vulnerability scan shows Messaging Gateway SSH service vulnerable to CVE-2016-2183

Article ID: 221016

Products

Messaging Gateway

Issue/Introduction

This vulnerability is commonly referred to as the Sweet32 or Birthday attack.

In its default configuration the Messaging Gateway (SMG) SSH server allows connections that negotiate CBC ciphers, which vulnerability scanners may flag as insecure.

Resolution

CBC ciphers can be disabled for the SSH server by running the sshd-config command from the admin command line interface (CLI) as follows:

sshd-config --cbc off

This will disconnect the current SSH session while the SSH service is reconfigured and restarted. After the restart, the SSH service will no longer accept CBC ciphers for new connections. This can be confirmed by logging back into the CLI and running the sshd-config command with no options:

smg [10.7.4-13]> sshd-config
Allows protocol version 1
Support for CBC ciphers is DISABLED
Support for limited MACs (hmac-sha2-256,hmac-sha2-512) is ENABLED

Note: Some older SSH clients may no longer be able to connect to the SMG CLI following the removal of the CBC ciphers from the allowed cipher list.
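The sshd-config output above confirms the setting from inside the appliance. An administrator will usually also want to confirm, from the same vantage point the scanner uses, which ciphers the SSH server actually offers before and after the change. The following Python script is an added example, not part of this article or of the Messaging Gateway product: it parses the server's SSH_MSG_KEXINIT message (RFC 4253 section 7.1), lists the ciphers the server advertises, and flags the ones a Sweet32 finding points at (CBC modes and 3DES). The sample KEXINIT payloads are constructed inline for offline use; the host name, port and the helper names are all assumptions made for this example.

```python
"""Parse an SSH2 KEXINIT message and flag CBC-mode and 3DES ciphers.

Added example for verifying an SSH cipher hardening change; this is
not Messaging Gateway code and the helper names here are invented.
"""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# Name-lists appear in KEXINIT in exactly this order (RFC 4253 section 7.1).
KEXINIT_LISTS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def _read_name_list(buf, offset):
    """Decode one RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    raw = buf[offset:offset + length]
    if len(raw) != length:
        raise ValueError("truncated name-list")
    names = raw.decode("ascii").split(",") if raw else []
    return names, offset + length


def parse_kexinit(payload):
    """Return a dict of the ten name-lists carried in a KEXINIT payload."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    offset = 1 + 16  # message id followed by the 16-byte random cookie
    result = {}
    for field in KEXINIT_LISTS:
        result[field], offset = _read_name_list(payload, offset)
    return result


def weak_ciphers(names):
    """Subset of cipher names a Sweet32/CBC finding points at: CBC modes and 3DES."""
    return [n for n in names if n.endswith("-cbc") or n.startswith("3des")]


def build_kexinit(ciphers, macs=("hmac-sha2-256", "hmac-sha2-512")):
    """Construct a minimal KEXINIT payload as a test fixture (not a real capture)."""
    def name_list(items):
        data = ",".join(items).encode("ascii")
        return struct.pack(">I", len(data)) + data
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie is fine for a fixture
    body += name_list(["curve25519-sha256"])          # kex
    body += name_list(["ssh-ed25519"])                # host key
    body += name_list(list(ciphers)) * 2              # ciphers, both directions
    body += name_list(list(macs)) * 2                 # MACs, both directions
    body += name_list(["none"]) * 2                   # compression
    body += name_list([]) * 2                         # languages (empty)
    body += b"\x00" + b"\x00\x00\x00\x00"             # first_kex_packet_follows, reserved
    return body


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Connect, exchange identification strings and return the server's KEXINIT payload.

    Before key exchange the packet is unencrypted:
    uint32 packet_length, byte padding_length, payload, padding (RFC 4253 section 6).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        line = stream.readline()
        while line and not line.startswith(b"SSH-"):
            line = stream.readline()  # servers may send banner lines first
        sock.sendall(b"SSH-2.0-cipher_check\r\n")
        (packet_length,) = struct.unpack(">I", stream.read(4))
        padding_length = stream.read(1)[0]
        payload = stream.read(packet_length - padding_length - 1)
        stream.read(padding_length)
    return payload


def cipher_report(payload):
    """Summarise what the server offers and which entries a scanner would flag."""
    offered = parse_kexinit(payload)["encryption_algorithms_server_to_client"]
    return {"offered": offered, "flagged": weak_ciphers(offered)}


if __name__ == "__main__":
    # With a host argument the script queries a live server; without one it
    # runs against the constructed "before hardening" fixture.
    if len(sys.argv) > 1:
        data = fetch_server_kexinit(sys.argv[1])
    else:
        data = build_kexinit(["aes128-ctr", "aes128-cbc", "3des-cbc"])
    print(cipher_report(data))
```

Run it against the appliance's management address before and after `sshd-config --cbc off`; the `flagged` list should be empty afterwards, and the MAC lists in the parsed output should match the limited MAC set shown in the sshd-config summary.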