Plugin : SSH Server CBC Mode Ciphers Enabled
Solution : Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
Description : The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
The SSH server is configured to use Cipher Block Chaining.
https://access.redhat.com/solutions/420283
The correct solution is for RHEL 8; it's working fine. https://access.redhat.com/solutions/4410591
Content of the above link:
SSH vulnerabilities: HMAC algorithms and CBC ciphers on RHEL 8
SOLUTION VERIFIED - Updated November 11 2019 at 6:54 PM - English
Environment
Red Hat Enterprise Linux 8
OpenSSH
Issue
The following vulnerabilities were received on RHEL8 servers:
SSH Insecure HMAC Algorithms Enabled
SSH CBC Mode Ciphers Enabled
Below is the update from a security scanner regarding the vulnerabilities
Vulnerability Name: SSH Insecure HMAC Algorithms Enabled
Description: Insecure HMAC Algorithms are enabled
Solution:
Disable any 96-bit HMAC Algorithms. Disable any MD5-based HMAC Algorithms.
Vulnerability Name: SSH CBC Mode Ciphers Enabled
Description: CBC Mode Ciphers are enabled on the SSH Server.
Solution: Disable CBC Mode Ciphers and use CTR Mode Ciphers
Resolution
CRYPTO_POLICY
In order to remove the CBC ciphers and HMAC-MD5 MACs in RHEL 8, first we will need to enable SSHD specific CRYPTO_POLICY rather than using the system-wide policy. To do so, we will need to uncomment the line with the CRYPTO_POLICY= variable in /etc/sysconfig/sshd.
Open /etc/sysconfig/sshd and change:
# CRYPTO_POLICY=
to:
CRYPTO_POLICY=
CBC Ciphers
Next we will need to implement the SSHD specific policy for CBC ciphers. You can do this by adding or modifying the following lines in /etc/ssh/sshd_config for RHEL 8:
Ciphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
GSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1-
KexAlgorithms=curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
HostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
PubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
Restart sshd to apply the changes:
# systemctl restart sshd
# systemctl status sshd
MD5 HMACs
In order to remove HMAC MD5, add or modify the MACs line in /etc/ssh/sshd_config as below.
MACs=hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-512
Restart sshd to apply the changes:
# systemctl restart sshd
# systemctl status sshd
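To confirm the result of both changes, the effective configuration printed by `sshd -T` can be checked against the scanner's criteria (CBC ciphers, MD5-based MACs, 96-bit MACs). The script below is an added example, not part of the Red Hat article; the function names and the "before" sample are constructed, and the "after" sample uses the Ciphers and MACs values given above.

```sh
#!/bin/sh
# Audit `sshd -T`-style output for the two scanner findings on this page:
# CBC-mode ciphers, and MD5-based or 96-bit MACs.

# flag_weak: read effective-config lines on stdin, print one line per weak algorithm.
flag_weak() {
    while read -r key value; do
        case "$key" in
            ciphers|macs) ;;          # only these two keywords matter here
            *) continue ;;
        esac
        # One algorithm per line, then classify by name.
        printf '%s\n' "$value" | tr ',' '\n' | while read -r alg; do
            case "$key:$alg" in
                ciphers:*-cbc*)        echo "cipher $alg" ;;
                macs:*md5*|macs:*-96*) echo "mac $alg" ;;
            esac
        done
    done
}

# Constructed sample: a server that still offers CBC ciphers and weak MACs.
sample_before() {
    cat <<'EOF'
port 22
ciphers aes128-ctr,aes128-cbc,3des-cbc,aes256-gcm@openssh.com
macs hmac-sha2-256,hmac-md5,hmac-sha1-96,umac-128-etm@openssh.com
EOF
}

# Sample built from the Ciphers= and MACs= lines in this article.
sample_after() {
    cat <<'EOF'
port 22
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
macs hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-512
EOF
}

echo "before:"; sample_before | flag_weak
echo "after:";  sample_after  | flag_weak
# On a live host, as root:  sshd -T | flag_weak
```

An empty result means neither finding applies to the configuration that was read.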
References
HMAC MD5 Documentation
RHEL 8 Ciphers and MAC information from sshd_config man page:
# man sshd_config
Ciphers
Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them.
The default is:
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs
Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used for data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins with a ‘+’ character, then the specified algorithms will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them.
The default is:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-sha1-etm@openssh.com,
umac-64@openssh.com,umac-128@openssh.com,
hmac-sha2-256,hmac-sha2-512,hmac-sha1
Root Cause
The CBC modes of ciphers in OpenSSH were vulnerable to a Plaintext Recovery Attack (2009). The implementation differentiates among various types of errors during decryption of an SSH binary packet, which makes it possible to decrypt some of the information without knowledge of the encryption key.
The attack is not practical and is very hard to carry out. The probability of successfully recovering 32 bits of plaintext is roughly 2^-18. This also means that to recover 32 bits the attacker would need to modify 2^18 SSH connections, and every unsuccessful attempt leads to a connection failure.
This vulnerability was mitigated in a 2009 update (OpenSSH 5.2 release notes) that, according to upstream, makes the above attacks infeasible; even so, these ciphers were removed from the default list offered by OpenSSH in 2014 (OpenSSH 6.7 release notes).
Using these ciphers in CBC mode should not be a problem in normal use cases (users get suspicious after a couple hundred thousand disconnects), but it can be an issue for automated jobs that automatically re-run after an unexpected failure. The CBC modes should be avoided when running automated jobs or when processing very sensitive data.
Diagnostic Steps
On RHEL8:
To test if weak CBC ciphers are enabled, run the below command:
# ssh -vv -oCiphers=3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc <server>
Replace <server> with the IP address of your server.
If successful, it will prompt for a password. This means weak ciphers are enabled.
If it fails, you should receive a message like this:
Unable to negotiate with <server> port 22: no matching cipher found. Their offer: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
This means the mitigations are working properly.
To test if weak MAC algorithms are enabled, run the below command:
# ssh -vv -oMACs=hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com <server>
The RHEL 8 default ciphers include a number that have implicit MACs, so a test like the one above will actually negotiate successfully and securely even though it would appear to be using hmac-md5. Look for the concluding negotiation, where you will see something like:
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
This means the mitigations are working properly.
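Because a successful login in the MAC test does not by itself mean a weak MAC was used, the negotiated pair has to be read from the `debug1: kex:` lines. The script below is an added example, not part of the Red Hat article; it classifies those lines, and the function names, verdict labels and sample debug output are constructed for illustration.

```sh
#!/bin/sh
# Read `ssh -vv` debug output on stdin and report, per direction, whether the
# negotiated cipher/MAC pair is weak. An AEAD cipher shows "MAC: <implicit>",
# which means the MAC list offered with -oMACs= was not used at all.

kex_verdict() {
    awk '
    $1 == "debug1:" && $2 == "kex:" && $4 == "cipher:" && $6 == "MAC:" {
        cipher = $5; mac = $7
        if (cipher ~ /-cbc/)           verdict = "WEAK-CIPHER"
        else if (mac == "<implicit>")  verdict = "OK"        # AEAD: integrity from the cipher
        else if (mac ~ /md5|-96/)      verdict = "WEAK-MAC"  # MD5-based or 96-bit MAC
        else                           verdict = "OK"
        print $3, verdict, cipher, mac
    }'
}

# Constructed sample: weak MACs were offered, but an AEAD cipher was negotiated.
sample_aead() {
    cat <<'EOF'
debug2: MACs ctos: hmac-md5,hmac-md5-96
debug1: kex: algorithm: curve25519-sha256
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
EOF
}

# Constructed sample: a server that really accepted hmac-md5 with a CTR cipher.
sample_weak() {
    cat <<'EOF'
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-md5 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-md5 compression: none
EOF
}

sample_aead | kex_verdict
sample_weak | kex_verdict
# Against a live server:  ssh -vv -oMACs=... <server> 2>&1 | kex_verdict
```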
Product(s): Red Hat Enterprise Linux | Component: openssh | Category: Configure | Tags: ssh