08-07-2019 11:39 AM - edited 02-21-2020 09:22 AM
I got the below vulnerability on one of the FTD 2110s configured as a Transparent Firewall.
Vulnerability :: SSH Server CBC Mode Ciphers Enabled.
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
The following server-to-client Cipher Block Chaining (CBC) algorithms are supported : aes256-cbc
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
The question is: how can I validate and disable this vulnerability on the FTD 2110?
01-03-2020 10:18 AM
Did you ever get an answer to this?
Thanks.
Alan
01-03-2020 11:47 AM
Hi @Daragh Oman
This has been resolved on newer Firepower versions; more information here. I've checked my FTD and FMC running 6.5 and CBC is not enabled.
admin@ftd1:~$ cat /etc/ssh/sshd_config | grep -e Ciphers -e MAC -e Kex
Ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-ctr,aes192-ctr
# [selection: AEAD_AES_128_GCM, AEAD_AES_256_GCM, no other MAC algorithms]
# as its MAC algorithm(s) and rejects all other MAC algorithm(s).
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
admin@ftd1:~$
HTH
03-14-2022 09:57 AM
I have this vulnerability as well. Running 6.6.5.1 on the FTDs. When I cat the file, it does show the CBC ciphers enabled.
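The grep check posted earlier shows the whole Ciphers line; the script below, added here as an example and not taken from the thread or from Cisco, inspects an sshd_config and reports only the CBC entries, so it can be used to confirm a finding like the one above or to verify a hardened list. It assumes the standard OpenSSH "Ciphers" directive and uses two constructed sample config files, not real device files.

```shell
#!/bin/sh
# Added example (not from the thread or Cisco): audit an sshd_config for CBC-mode ciphers,
# mirroring the grep check posted above but reporting only the weak entries.
# Assumes the OpenSSH "Ciphers <comma-separated list>" directive; sshd honours the
# first uncommented occurrence, so that is the one inspected.

# Print every CBC cipher in the effective Ciphers line of FILE, one per line.
list_cbc_ciphers() {
    awk 'tolower($1) == "ciphers" { print $2; exit }' "$1" \
        | tr ',' '\n' \
        | grep -i -- '-cbc$' || true
}

# Return 0 when no CBC cipher is configured, 1 when at least one is,
# 2 when the file has no Ciphers directive (the build's default set applies).
check_no_cbc() {
    if ! grep -qi '^[[:space:]]*ciphers[[:space:]]' "$1"; then
        echo "$1: no Ciphers directive, sshd default cipher set applies" >&2
        return 2
    fi
    weak=$(list_cbc_ciphers "$1")
    if [ -n "$weak" ]; then
        echo "$1: CBC ciphers enabled: $(echo "$weak" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "$1: no CBC ciphers" >&2
    return 0
}

# Constructed sample configs (not real device files) for a stand-alone run.
VULN_CFG=$(mktemp) ; HARDENED_CFG=$(mktemp)
cat > "$VULN_CFG" <<'EOF'
# a commented-out directive must be ignored
#Ciphers aes128-ctr
Ciphers aes256-cbc,aes128-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
EOF
cat > "$HARDENED_CFG" <<'EOF'
Ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-ctr,aes192-ctr
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
EOF

check_no_cbc "$VULN_CFG" || true      # reports aes256-cbc and returns 1
check_no_cbc "$HARDENED_CFG"          # returns 0
```

On an FTD the file to pass is /etc/ssh/sshd_config as shown in the reply above; a non-zero return is the cue to upgrade to a release where the CBC entries are gone.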