[CentOS] SSH Weak Ciphers

Clint Dilks clintd at waikato.ac.nz
Wed Oct 19 20:18:39 UTC 2016


On Thu, Oct 20, 2016 at 4:30 AM, Leonard den Ottolander <leonard at den.ottolander.nl> wrote:

> Hello Clint,
>
> On Wed, 2016-10-19 at 11:28 +1300, Clint Dilks wrote:
> > The following weak client-to-server encryption algorithms are supported
> > by the remote service:
> > rijndael-cbc@lysator.liu.se
> > arcfour256
> > arcfour128
> > aes256-cbc
> > 3des-cbc
> > aes192-cbc
> > blowfish-cbc
> > cast128-cbc
> > arcfour
> > aes128-cbc
>
> Where did you get the idea that AES (~ Rijndael) is a weak cipher?
>
> RC4 (arcfour) is indeed considered insecure and Blowfish uses a block
> size that is too small for comfort. CAST-128 might still be quite usable
> and even though triple DES only provides about 80 bits of security it is
> still not considered broken.
>
> Regards,
> Leonard.
>


Morning Leonard,

I believe the vulnerability scan was done using OpenVAS
http://www.openvas.org/

Medium (CVSS: 4.3)
NVT: SSH Weak Encryption Algorithms Supported
Summary
The remote SSH server is configured to allow weak encryption algorithms.
Vulnerability Detection Result
The following weak client-to-server encryption algorithms are supported by
the remote service:
rijndael-cbc@lysator.liu.se
arcfour256
arcfour128
aes256-cbc
3des-cbc
aes192-cbc
blowfish-cbc
cast128-cbc
arcfour
aes128-cbc
The following weak server-to-client encryption algorithms are supported by
the remote service:
rijndael-cbc@lysator.liu.se
arcfour256
arcfour128
aes256-cbc
3des-cbc
aes192-cbc
blowfish-cbc
cast128-cbc
arcfour
aes128-cbc

Solution
Disable the weak encryption algorithms.
Vulnerability Insight
The 'arcfour' cipher is the Arcfour stream cipher with 128-bit keys. The
Arcfour cipher is believed to be compatible with the RC4 cipher [SCHNEIER].
Arcfour (and RC4) has problems with weak keys, and should not be used anymore.
The 'none' algorithm specifies that no encryption is to be done. Note that
this method provides no confidentiality protection, and it is NOT RECOMMENDED
to use it.
A vulnerability exists in SSH messages that employ CBC mode that may allow
an attacker to recover plaintext from a block of ciphertext.
Vulnerability Detection Method
Check if remote ssh service supports Arcfour, none or CBC ciphers.
Details:SSH Weak Encryption Algorithms Supported
OID:1.3.6.1.4.1.25623.1.0.105611
Version used: $Revision: 3160 $
References
Other:
URL:https://tools.ietf.org/html/rfc4253#section-6.3
URL:https://www.kb.cert.org/vuls/id/958563

Thanks

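The OpenVAS check quoted above boils down to one rule: flag any offered cipher that is arcfour, "none", or runs in CBC mode. The script below is an added example, not code from the thread or from OpenVAS; it applies that same rule to a comma-separated cipher list and prints a sshd_config Ciphers line built from whatever survives. The sample list is constructed: it is the scanner's reported list plus the CTR, GCM and chacha20 names an OpenSSH 7.x server is assumed to offer (those extra names are not from the post).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or OpenVAS): reproduce the
# "SSH Weak Encryption Algorithms Supported" detection rule and derive a
# hardened Ciphers directive from the algorithms a server actually offers.

# Constructed sample input: the list the scan reported, prefixed with the
# non-CBC algorithms an OpenSSH 7.x sshd is assumed to offer as well.
SAMPLE_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,rijndael-cbc@lysator.liu.se,arcfour256,arcfour128,aes256-cbc,3des-cbc,aes192-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc"

# The NVT's rule: Arcfour variants, "none", and any CBC-mode cipher are weak.
# The second CBC pattern covers vendor-suffixed names such as
# rijndael-cbc@lysator.liu.se.
is_weak_cipher() {
    case "$1" in
        none|arcfour|arcfour128|arcfour256|*-cbc|*-cbc@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the weak entries of a comma-separated cipher list, one per line.
weak_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r c; do
        if is_weak_cipher "$c"; then printf '%s\n' "$c"; fi
    done
}

# Print a Ciphers line keeping only the non-weak entries, in their original
# order, so the result never names an algorithm the server cannot provide.
hardened_ciphers_line() {
    printf 'Ciphers %s\n' "$(printf '%s\n' "$1" | tr ',' '\n' |
        while IFS= read -r c; do
            if ! is_weak_cipher "$c"; then printf '%s,' "$c"; fi
        done | sed 's/,$//')"
}

# Stand-alone demo on the constructed sample.
echo "Weak ciphers offered:"
weak_ciphers "$SAMPLE_CIPHERS"
echo
echo "Suggested sshd_config line:"
hardened_ciphers_line "$SAMPLE_CIPHERS"
```

In practice you would feed `weak_ciphers` the server's real list, for example the `ciphers` line of `sshd -T` run on the host, or the encryption_algorithms section of `nmap --script ssh2-enum-algos -p 22 <host>` from the scanner's vantage point. Put the printed `Ciphers` line in /etc/ssh/sshd_config, validate with `sshd -t`, and keep an existing session open while you restart sshd in case an old client is cut off.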