NESSUS tool found below vulnerability on the scan of an HP-UX server.
70658 – SSH Server Weak and CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Disable SSH Server Weak and CBC Mode Ciphers: Follow the steps given below to disable ssh server weak and ssh server cbc mode ciphers on an HP-UX server.
- Default list of ciphers which contains weak ciphers are arcfour arcfour128 arcfour256 aes128-cbc 3des-cbc blowfish-cbc cast128-cbc aes192-cbc aes256-cbc
- Remove the default list of ciphers by editing the /opt/ssh/etc/sshd_config file and keep the only aes128-ctr,aes192-ctr,aes256-ctr ciphers.
# vi /opt/ssh/etc/sshd_config . . Ciphers aes128-ctr,aes192-ctr,aes256-ctr . . - Restart the ssh service using the below command.
# /sbin/init.d/secsh stop HP-UX Secure Shell stopped # /sbin/init.d/secsh start HP-UX Secure Shell started
- Once that was done and sshd was restarted, you can test for the issue like this:
# ssh -vv -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc <server> - After disabling weak ciphers if you try ssh using these weak ciphers, you will get the below message:
# ssh -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc 10.30.1.30 no matching cipher found: client aes128-cbc,3des-cbc,blowfish-cbc server aes128-ctr,aes192-ctr,aes256-ctr - Now, weak ciphers have been disabled on your HP-UX system.
Last Updated: June 24, 2021