A vulnerability scan report includes the following description: "The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher suites offer additional security over Electronic Codebook (ECB) mode but have the potential to leak information if used improperly."
VMware NSX
This is a known issue and is fixed in NSX 4.2.4, 9.1.1.1 and later versions.
To prevent the DHCP server from exposing weak ciphers, follow the recommendations below as a workaround:
- Use a standalone edge node for DHCP service.
  With a standalone edge, the DHCP server does not expose port 1167, but the DHCP server and router have no backup.
- Use firewall rules to restrict communication from external systems and allow only peer edges to communicate over port 1167.
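
To confirm from the scanner's vantage point that the upgrade or a workaround took effect, the added example below (not VMware's code) parses the output of `nmap --script ssl-enum-ciphers -p 1167 <edge>` and reports any CBC suites still offered on port 1167. The sample outputs are constructed, the function names are hypothetical, and treating "port not open, or open with no CBC suites" as a pass is an assumption.

```python
import re

PORT = 1167  # port named in the article

# Constructed sample: edge still reachable on 1167 and offering CBC suites.
SAMPLE_OPEN = """\
PORT     STATE SERVICE
1167/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|_  least strength: A
"""

# Constructed sample: firewall rule in place, scanner cannot reach the port.
SAMPLE_FILTERED = "PORT     STATE    SERVICE\n1167/tcp filtered unknown\n"

PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)")
PROTO_RE = re.compile(r"^\|\s+((?:TLS|SSL)v[\d.]+):")
SUITE_RE = re.compile(r"^\|\s+(TLS_\w+)")

def cbc_findings(nmap_text):
    """Map port -> {"state": str, "cbc": [(protocol, suite), ...]}."""
    results, port, proto = {}, None, None
    for line in nmap_text.splitlines():
        if m := PORT_RE.match(line):
            port, proto = int(m.group(1)), None
            results[port] = {"state": m.group(2), "cbc": []}
        elif port is not None and (m := PROTO_RE.match(line)):
            proto = m.group(1)
        elif port is not None and (m := SUITE_RE.match(line)):
            if "_CBC_" in m.group(1):  # IANA suite names mark CBC mode explicitly
                results[port]["cbc"].append((proto, m.group(1)))
    return results

def workaround_ok(nmap_text, port=PORT):
    """True if the port is not open to the scanner, or is open without CBC suites."""
    entry = cbc_findings(nmap_text).get(port)
    if entry is None:
        return False  # port absent from the scan: nothing was verified
    return entry["state"] != "open" or not entry["cbc"]

if __name__ == "__main__":
    for name, text in (("open", SAMPLE_OPEN), ("filtered", SAMPLE_FILTERED)):
        print(name, workaround_ok(text), cbc_findings(text))
```

Run the scan from the same network segment as the vulnerability scanner, since a firewall rule that permits peer edges will still show the port as open from those peers.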