Nexus Audit - "The SSH server is configured to use Cipher Block Chaining."

Gary Adamson
Level 1

Hi All.

I just received an audit report with the following:

SSH Server CBC Mode Ciphers Enabled

The SSH server is configured to support Cipher Block Chaining (CBC) encryption. 
This may allow an attacker to recover the plaintext message from the ciphertext.

Note that this plugin only checks for the options of the SSH server and does not check
for vulnerable software versions.

Contact the vendor or consult product documentation to disable CBC mode cipher encryption,
and enable CTR or GCM cipher mode encryption.


In researching this issue I have found information regarding the IOS devices, but not for the Nexus 7k which is running 6.2(14). Is this a Nexus issue or just a poorly (false positive) developed audit? Unfortunately, I am not experienced with the Nexus products and our Nexus admin is unavailable at this time.

Any recommendations or suggested reading would be greatly appreciated.

Thanks for any and all responses.

4 Replies

In IOS it's possible to restrict the SSH-ciphers in the newer releases. As far as I know, it's not (yet) supported on NX-OS.

Thanks for your response.  As always, any information is greatly appreciated.

Yasin Sahebdin
Cisco Employee

Fixed for the Nexus platform via CSCun41202.

6.2(14) has the fix and it should log an error message if a client tries to use a weak cipher in SSH.

Thanks for the update, but our Nexus 7k is running 6.2(14) and is generating these error messages.  What we are looking for is a way to disable CBC and enable CTR or GCM.

Again, thanks for your response.
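The audit finding quoted in the question is based on the cipher options the SSH server advertises, not on the software version. As an added example (not code from this thread, from Cisco or from the audit tool), the following parses the payload of a captured server SSH_MSG_KEXINIT message as laid out in RFC 4253 section 7.1 and lists any CBC-mode ciphers offered in either direction. The function names and the sample payload are constructed for illustration, and the input is assumed to be the message payload with the packet length and padding already removed.

```python
import struct

SSH_MSG_KEXINIT = 20
# Name-lists in the order RFC 4253 section 7.1 defines them.
FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]

def parse_kexinit(payload):
    """Return {field: [names]} from an SSH_MSG_KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}  # skip the message type byte and 16-byte cookie
    for field in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated before " + field)
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated inside " + field)
        raw = payload[offset:offset + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        offset += length
    return lists

def cbc_ciphers(lists):
    """Map each encryption direction to the CBC-mode ciphers offered in it."""
    found = {}
    for field in FIELDS[2:4]:
        weak = [c for c in lists[field] if c.endswith("-cbc") or "-cbc@" in c]
        if weak:
            found[field] = weak
    return found

def build_sample_kexinit(ciphers):
    """Constructed sample payload: zero cookie, same ciphers both directions."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        names = ciphers if field.startswith("encryption") else []
        data = ",".join(names).encode("ascii")
        payload += struct.pack(">I", len(data)) + data
    return payload + b"\x00" + struct.pack(">I", 0)  # follows flag, reserved

if __name__ == "__main__":
    mixed = build_sample_kexinit(["aes128-ctr", "aes128-cbc", "3des-cbc"])
    print(cbc_ciphers(parse_kexinit(mixed)))
```

An empty result means the server offered no CBC-mode ciphers in that KEXINIT, which is the condition the audit finding asks for.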