SSH Server CBC Mode Ciphers Enabled -- Need to Disable at FTD 2110

subrun.jamil
Level 1

I got the below vulnerability on one of the FTD 2110s configured as a Transparent Firewall.


Vulnerability :: SSH Server CBC Mode Ciphers Enabled.


The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.


The following server-to-client Cipher Block Chaining (CBC) algorithms are supported: aes256-cbc


Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.


The question is: how can I validate and disable this vulnerability on the FTD 2110?

3 Replies

Daragh Oman
Level 1

Did you ever get an answer to this?

Thanks.

Alan

Hi @Daragh Oman 

This has been resolved on new Firepower versions, more information here. I've checked my FTD and FMC running 6.5 and CBC is not enabled.


admin@ftd1:~$ cat /etc/ssh/sshd_config | grep -e Ciphers -e MAC -e Kex
Ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-ctr,aes192-ctr
# [selection: AEAD_AES_128_GCM, AEAD_AES_256_GCM, no other MAC algorithms]
# as its MAC algorithm(s) and rejects all other MAC algorithm(s).
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
admin@ftd1:~$


HTH

I have this vulnerability as well. Running 6.6.5.1 on the FTDs. When I cat the file, it does show the CBC ciphers enabled.
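To answer the "how can I validate" part of the question, and to turn the grep that Alan shows into a repeatable check, here is an added example that is not from the thread or from Cisco: a small Python parser that reads sshd_config text and lists any CBC ciphers the server would offer, following OpenSSH's rules that the first uncommented directive wins and that a leading `+`/`-` modifies the default set instead of replacing it. The two config fragments are constructed from the output quoted above; on an FTD you would feed it the contents of /etc/ssh/sshd_config from expert mode.

```python
import re
from typing import List, Optional

# Constructed sample: the hardened 6.5 output quoted in the thread (no CBC entries)
SAMPLE_FIXED = """\
Ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-ctr,aes192-ctr
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
"""

# Constructed sample matching the scanner finding: aes256-cbc still offered.
# The commented line must be ignored, and the second Ciphers line is dead because
# OpenSSH keeps the first value it reads for a keyword.
SAMPLE_VULN = """\
# Ciphers aes128-ctr
Ciphers aes256-ctr,aes256-cbc,aes128-ctr
ciphers aes128-ctr
"""


def effective_directive(config: str, keyword: str) -> Optional[str]:
    """Value of the first uncommented `keyword` line, or None if absent.
    Keywords are case-insensitive; 'Key value' and 'Key=value' both parse.
    Only whole-line comments are recognised, as sshd itself does."""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None


def cbc_ciphers(config: str) -> List[str]:
    """CBC-mode ciphers this config explicitly offers.
    No Ciphers line means the OpenSSH defaults apply (not judged here);
    a value starting with '-' removes the listed names from the defaults,
    so none of those are offered; '+' / '^' append to or prepend to the defaults,
    so the listed names are offered and are checked."""
    value = effective_directive(config, "Ciphers")
    if value is None or value.startswith("-"):
        return []
    names = value.lstrip("+^").split(",")
    return [c for c in names if c.strip().lower().endswith("-cbc")]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VULN
    print("CBC ciphers offered:", cbc_ciphers(text) or "none")
```

An empty result only shows the explicit list is clean; when no Ciphers line is present the version's built-in defaults decide, and an external scan against port 22 remains the authoritative confirmation.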