
SSH Server CBC Mode Ciphers Enabled

After a pentest I got this low vulnerability on some access points:

CVE-2008-5161

Description: The SSH server is configured to support Cipher Block Chaining (CBC)
encryption.  This may allow an attacker to recover the plaintext message
from the ciphertext.

Note that this plugin only checks for the options of the SSH server and
does not check for vulnerable software versions.

Solution: Contact the vendor or consult product documentation to disable CBC mode
cipher encryption, and enable CTR or GCM cipher mode encryption.

 

Is there a way to remediate this, or is the workaround just to disable SSH on the APs?

 


WLC 2504 version 8.5.171.0

APs 3802I

The vulnerability was only found on the AP side.

Scott Fella
Hall of Fame

You should reach out to TAC and see if there is a command you can run. I know there is a command on the controllers to disable weak ciphers, but I don't know if that is available for APs. It's probably best to just disable SSH and only enable it if and when you need it. You can always run a debug ap command, then you don't have to SSH.

debug ap <ap name>

debug ap command "<your command>" <ap name>

-Scott
*** Please rate helpful posts ***

Hi Scott,

Good day to you. You mentioned "I know there is a command on the controllers to disable weak ciphers".

Can you share the command, please?
I faced this same issue, but on the WLC, and have been searching for a while now.

Appreciate your help.
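
The scanner finding quoted in the first post is based only on the cipher lists the SSH server advertises, so the same check can be repeated after any configuration change. The Python below is an added example, not from any poster or from Cisco: it parses an SSH KEXINIT payload (RFC 4253, section 7.1) and lists the CBC ciphers offered. The sample payloads and the helper names are constructed for illustration, not captured from a 3802I or a WLC.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT payload, in wire order (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(name_lists):
    """Encode name-lists as a KEXINIT payload; used only to construct sample input."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)            # type byte + 16-byte cookie
    for names in name_lists:
        joined = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(joined)) + joined    # uint32 length + names
    return body + b"\x00" + struct.pack(">I", 0)           # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return {field: [algorithm, ...]}; raise ValueError on a malformed payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    offset, parsed = 17, {}
    for field in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("name-list runs past end of payload")
        raw = payload[offset:offset + length].decode("ascii")
        parsed[field] = raw.split(",") if raw else []
        offset += length
    return parsed

def cbc_ciphers(payload):
    """CBC ciphers offered in either direction, e.g. aes128-cbc or name-cbc@domain."""
    parsed = parse_kexinit(payload)
    offered = parsed["enc_c2s"] + parsed["enc_s2c"]
    return sorted({c for c in offered if c.split("@")[0].endswith("-cbc")})

# Constructed samples (not captured from any device): before and after remediation.
COMMON = [["curve25519-sha256"], ["ssh-ed25519"]]
TAIL = [["hmac-sha2-256"]] * 2 + [["none"]] * 2 + [[], []]
WEAK = ["aes128-ctr", "aes128-cbc", "3des-cbc", "rijndael-cbc@lysator.liu.se"]
FIXED = ["aes128-ctr", "aes256-gcm@openssh.com"]
SAMPLE_WEAK = build_kexinit(COMMON + [WEAK, WEAK] + TAIL)
SAMPLE_FIXED = build_kexinit(COMMON + [FIXED, FIXED] + TAIL)

if __name__ == "__main__":
    print("weak :", cbc_ciphers(SAMPLE_WEAK))
    print("fixed:", cbc_ciphers(SAMPLE_FIXED))
```

An empty result for a server's KEXINIT means the CBC finding should no longer be reported, since the scanner plugin checks only the advertised options.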
