topic Re: SSH Server CBC Mode Ciphers Enabled in Wireless

SSH Server CBC Mode Ciphers Enabled

JohanGonzalez4730 — Tue, 16 Nov 2021 15:44:29 GMT

After a pentest I got this low vulnerability on some access points:

CVE-2008-5161

Description: The SSH server is configured to support Cipher Block Chaining (CBC)
encryption. This may allow an attacker to recover the plaintext message
from the ciphertext.

Note that this plugin only checks for the options of the SSH server and
does not check for vulnerable software versions.

Solution: Contact the vendor or consult product documentation to disable CBC mode
cipher encryption, and enable CTR or GCM cipher mode encryption.

Is there a way to remediate this? or the workaround is just disable SSH on APs?

Re: SSH Server CBC Mode Ciphers Enabled

JohanGonzalez4730 — Tue, 16 Nov 2021 17:22:44 GMT

WLC 2504 version 8.5.171.0

APs 3802I

The vulnerability was only found on the AP side.

Re: SSH Server CBC Mode Ciphers Enabled

Scott Fella — Wed, 17 Nov 2021 02:32:28 GMT

You should reach out to TAC and see if there is a command you can run. I know there is a command on the controllers to disable weak ciphers, but don't know if that is available for ap's. It's probably best to just disable ssh and only enable it if and when you need it. You can always run a debug ap command, then you don't have to ssh.

debug ap <ap name>

debug ap command "<your command>" <ap name>

Re: SSH Server CBC Mode Ciphers Enabled

izi — Wed, 12 Oct 2022 03:54:28 GMT

Hi Scott,

Good day to you. You mentioned "I know there is a command on the controllers to disable weak ciphers",

Can you share the command please?
I faced this same issue but on WLC, been searching for a while now.

Appreciate your help.