KB Article #181247

How to disable the SSH Server CBC Mode Ciphers?

Problem

How to disable the SSH Server CBC Mode Ciphers?


Our security audit solution reports CVE-2008-5161 (rated low).

Resolution

For the SFTP server in CFT, the default cipher list is aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc.


You can remove the CBC ciphers from the list.

See the CIPHLIST parameter of CFTSSH DIRECT=SERVER:

CIPHLIST = {(num, num, ..)} List of allowed ciphers (encryption methods).
Each value defines three algorithms:
* Authentication algorithm
* Encryption algorithm
* Sealing algorithm



This list is compared with the list proposed by the client in order of preference, for the purpose of determining the suite to be negotiated.

Transfer CFT supports the following: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-cbc, blowfish-cbc.



Note
If the field is empty, the default list is: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc.
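
One way to verify the change and anticipate its effect on clients, as an added example that is not Transfer CFT code: it parses an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1), reports any CBC ciphers still advertised, and applies the RFC 4253 selection rule to show that a CBC-only client no longer negotiates a cipher once the list is CTR-only. The cipher lists come from this article; the KEXINIT bytes and the other algorithm names are constructed sample values, not a capture from a CFT server.

```python
import struct

# Cipher lists taken from the article; everything else below is constructed.
DEFAULT = ["aes256-ctr", "aes192-ctr", "aes128-ctr",
           "aes256-cbc", "aes192-cbc", "aes128-cbc"]
CTR_ONLY = [c for c in DEFAULT if not c.endswith("-cbc")]

def build_kexinit(ciphers):
    """Constructed SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) for the demo."""
    lists = [["diffie-hellman-group14-sha256"], ["ssh-rsa"],  # kex, host key
             ciphers, ciphers,                                # encryption c2s, s2c
             ["hmac-sha2-256"], ["hmac-sha2-256"],            # MAC c2s, s2c
             ["none"], ["none"], [], []]                      # compression, languages
    body = bytes([20]) + bytes(16)  # message type 20 + 16-byte cookie
    for names in lists:
        joined = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(joined)) + joined
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return the ten name-lists carried in a KEXINIT payload."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, []
    for _ in range(10):
        if offset + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[offset:offset + length].decode("ascii")
        lists.append(raw.split(",") if raw else [])
        offset += length
    return lists

def cbc_offered(payload):
    """CBC ciphers advertised in either direction (name-lists 2 and 3)."""
    lists = parse_kexinit(payload)
    return sorted({c for c in lists[2] + lists[3] if c.endswith("-cbc")})

def negotiate(client, server):
    """RFC 4253: first cipher on the client's list that the server also allows."""
    return next((c for c in client if c in server), None)

if __name__ == "__main__":
    for label, srv in (("default", DEFAULT), ("ctr-only", CTR_ONLY)):
        print(label, cbc_offered(build_kexinit(srv)),
              negotiate(["aes128-cbc", "3des-cbc"], srv))
```

A `None` result from `negotiate` corresponds to a failed key exchange, so inventory partner clients that only support CBC before removing those ciphers.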