Expressway 12.7.1 remove/disable CBC ciphers for SSH

themizzz21
Level 1

Hello,

A penetration test revealed that SSH on the Expressways has CBC mode ciphers enabled, and they asked to disable this.

Pen test result: "We have managed to identify that the SSH server running on the remote host is configured to support Cipher Block Chaining (CBC) encryption."

Pen test recommendation: "You should disable the CBC mode cipher encryption and enable CTR or GCM cipher mode encryption instead."

 

The CLI command "xconfiguration // cipher" shows

xConfiguration Ciphers sshd_ciphers Value: "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"

 

Is there any CLI command that could disable the proposal of aes256-cbc ciphers?

Thank you very much,

5 Replies

b.winter
VIP

I think it's possible to edit (add, delete) the ciphers via the GUI.

I currently don't have access to an EXP to give you the correct page-path.

 

But be careful when editing them. There may be some interop issues with other systems then. Good advice is to take a backup first or note down the changes.

Hi,

The SSH page regarding ciphers is completely different than the other protocols (HTTPS, SIP, etc.).

As far as I can see, there is no way to delete/disable SSH ciphers within the GUI.

Thanks.

 

But there is a different page for SSH configuration under "Maintenance" --> "Security" --> "SSH Configuration":

 

scree.JPG

The 12.7.1 version has no "Remote Access Configuration"

ssh02.jpg
What is your version?

 

Thank you.

I'm on version X14.0.5
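
An added example, not part of the original thread and not Cisco code: an SSH server sends the ciphers it actually proposes in clear in its SSH_MSG_KEXINIT packet (RFC 4253, section 7.1), so the pen test finding from the opening post can be checked against the configured sshd_ciphers value. The packet here is constructed sample input, and the field names and helper functions are assumptions of this example.

```python
import struct

SSH_MSG_KEXINIT = 20
# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(packet: bytes) -> dict:
    """Parse one unencrypted SSH binary packet that carries SSH_MSG_KEXINIT."""
    if len(packet) < 5:
        raise ValueError("truncated packet header")
    packet_len, pad_len = struct.unpack(">IB", packet[:5])
    if packet_len < pad_len + 1 or len(packet) < 4 + packet_len:
        raise ValueError("inconsistent packet or padding length")
    payload = packet[5:4 + packet_len - pad_len]
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    offset, fields = 17, {}  # skip the message type byte and 16-byte cookie
    for name in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError(f"truncated before {name}")
        (length,) = struct.unpack(">I", payload[offset:offset + 4])
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"name-list {name} overruns payload")
        raw = payload[offset:offset + length].decode("ascii")
        fields[name] = raw.split(",") if raw else []
        offset += length
    return fields

def cbc_ciphers(fields: dict) -> list:
    """Return CBC-mode ciphers offered in either direction, sorted."""
    offered = set(fields["enc_c2s"]) | set(fields["enc_s2c"])
    return sorted(c for c in offered if "-cbc" in c)

def build_sample_kexinit(ciphers: list) -> bytes:
    """Build a constructed KEXINIT packet (sample input, not a capture)."""
    lists = [["curve25519-sha256"], ["ssh-ed25519"], ciphers, ciphers,
             ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for names in lists:
        data = ",".join(names).encode("ascii")
        payload += struct.pack(">I", len(data)) + data
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    pad = 16 - (len(payload) + 5) % 8  # 9..16 bytes, keeps total a multiple of 8
    return struct.pack(">IB", len(payload) + 1 + pad, pad) + payload + bytes(pad)

# Cipher list copied from the xConfiguration output in the opening post.
CONFIGURED = ("aes256-gcm@openssh.com,aes128-gcm@openssh.com,"
              "aes256-ctr,aes192-ctr,aes128-ctr").split(",")
```

On a real connection, the bytes to feed `parse_kexinit` are the first binary packet the server sends after its `SSH-2.0-...` identification line; an empty result from `cbc_ciphers` means the server no longer proposes CBC.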