The SSH Server CBC Mode Ciphers Enabled Vulnerability when detected with a vulnerability scanner will report it as a CVSS 3.7 (v3).
CVSS is a scoring system for vulnerability systems, its an industry standard scoring system to mark findings against a specific number ranging from 0 to 10. They are shown as:
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plain text message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
You may contact the vendor or consult the product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
The following client-to-server CBC algorithms are supported:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
The following server-to-client CBC algorithms are supported:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
Edit /etc/ssh/sshd_config to include the following:
Ciphers aes256-gcm,aes128-gcm,aes256-ctr,aes192-ctr,aes128-ctr
Restart the SSH service with ‘sudo systemctl restart sshd’.