Uploaded image for project: 'JBoss BPMS Platform'
  1. JBoss BPMS Platform
  2. RHBPMS-5259

[GSS] (6.4.z) unable to disable weak CBC ciphers and HMAC

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Duplicate Issue
    • Affects Version/s: 6.4.11.GA
    • Fix Version/s: None
    • Component/s: Business Central
    • Labels:
    • Environment:
      • BPMS 6.4.11
      • RHPAM 7.1.1
    • Target Release:
    • Fix Build:
      CR1
    • Steps to Reproduce:
      Hide

      run the following command against git ssh port to check available ciphers and macs.

      1. nmap --script ssh2-enum-algos -sV -p 8001 localhost

      or

      try to connect to the port by ssh client with these weak ciphers and mac

      1. ssh -vv -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc -p 8001 <server>
      2. ssh -vv -oMACs=hmac-md5 -p 8001 <server>

      Relevant knowledge about how to disable these for sshd of RHEL:
      https://access.redhat.com/solutions/420283

      Show
      run the following command against git ssh port to check available ciphers and macs. nmap --script ssh2-enum-algos -sV -p 8001 localhost or try to connect to the port by ssh client with these weak ciphers and mac ssh -vv -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc -p 8001 <server> ssh -vv -oMACs=hmac-md5 -p 8001 <server> Relevant knowledge about how to disable these for sshd of RHEL: https://access.redhat.com/solutions/420283
    • Security Sensitive Issue:
      This issue is security relevant

      Description

      Per recent vulnerability scan by Nessus, it's been found that an git SSH Server
      of Business Central has the following vulnerabilities.

      1. CBC Mode Ciphers Enabled -

      The SSH server is configured to use Cipher Block Chaining.

      The following client-to-server Cipher Block Chaining (CBC) algorithms
      are supported :
      aes192-cbc
      aes256-cbc
      The following server-to-client Cipher Block Chaining (CBC) algorithms
      are supported :
      aes192-cbc
      aes256-cbc

      2. SSH Weak MAC Algorithms Enabled -

      The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms.

      The following client-to-server Message Authentication Code (MAC) algorithms
      are supported :
      hmac-md5
      hmac-md5-96
      hmac-sha1-96
      The following server-to-client Message Authentication Code (MAC) algorithms
      are supported :
      hmac-md5
      hmac-md5-96
      hmac-sha1-96

      But there is no feature to disable/customize these ciphers and mac algorithms.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  mdessi Massimiliano Dessi
                  Reporter:
                  hiroko Hiroko Miura
                  Tester:
                  Tomas David
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: