CCE-91240-2| Platform: cpe:/o:ubuntu:ubuntu_linux:14.04 | Date: (C)2017-03-14 (M)2023-07-04 |
Use Only Approved Cipher in Counter Mode (Scored)
This variable limits the types of ciphers that SSH can use during communication.
Parameter:
[cipher_list]
Technical Mechanism:
Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses that allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was encrypted with the Cipher Block Chaining (CBD) method. From that research, new Counter mode algorithms (as described in RFC4344) were designed that are not vulnerable to these types of attacks and these algorithms are now recommended for standard use.
Fix:
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
| CCSS Severity: | CCSS Metrics: |
| CCSS Score : 6.4 | Attack Vector: ADJACENT_NETWORK |
| Exploit Score: 0.5 | Attack Complexity: HIGH |
| Impact Score: 5.9 | Privileges Required: HIGH |
| Severity: MEDIUM | User Interaction: NONE |
| Vector: AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| | Confidentiality: HIGH |
| | Integrity: HIGH |
| | Availability: HIGH |
| | |
References: | Resource Id | Reference |
|---|
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:33938 |
