Showing results for 
Search instead for 
Did you mean: 

SSH Server CBC Mode Ciphers Enabled

After a pentest I got this low vulnerability on some access points:


Description: The SSH server is configured to support Cipher Block Chaining (CBC)
encryption.  This may allow an attacker to recover the plaintext message
from the ciphertext.

Note that this plugin only checks for the options of the SSH server and
does not check for vulnerable software versions.

Solution: Contact the vendor or consult product documentation to disable CBC mode
cipher encryption, and enable CTR or GCM cipher mode encryption.


Is there a way to remediate this? or the workaround is just disable SSH on APs?


2 Replies 2

WLC 2504 version

APs 3802I

The vulnerability was only found on the AP side.

Scott Fella
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru

You should reach out to TAC and see if there is a command you can run.  I know there is a command on the controllers to disable weak ciphers, but don't know if that is available for ap's.  It's probably best to just disable ssh and only enable it if and when you need it.  You can always run a debug ap command, then you don't have to ssh.

debug ap <ap name>

debug ap command "<your command>" <ap name>

*** Please rate helpful posts ***
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers