VA scan for gateway reports CBC ciphers or weak key exchange algorithms or weak mac algorithms
search cancel

VA scan for gateway reports CBC ciphers or weak key exchange algorithms or weak mac algorithms

book

Article ID: 265141

calendar_today

Updated On:

Products

CA API Developer Portal CA API Gateway

Issue/Introduction

VA team has scanned the portal servers and reported the following vulnerabilities.

vulnerabilities Names:

SSH Server CBC Mode Ciphers Enabled
SSH Weak Key Exchange Algorithms Enabled

 

Environment

API Portal Supported releases.

Resolution

1. Add following lines to the /etc/ssh/sshd_config to specify strong ciphers and key Exchange Algorithms explicitly,

#disable CBC mode ciphers

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected]

#disable diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1

KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,[email protected]

#disable weak mac algorithms

MACs hmac-sha2-256,hmac-sha2-512

 

2. Restart the SSH server

systemctl restart sshd