On Thu, Oct 20, 2016 at 4:30 AM, Leonard den Ottolander <leonard@xxxxxxxxxxxxxxxxx> wrote:

> Hello Clint,
>
> On Wed, 2016-10-19 at 11:28 +1300, Clint Dilks wrote:
> > The following weak client-to-server encryption algorithms are supported by
> > the remote service:
> > rijndael-cbc@xxxxxxxxxxxxxx
> > arcfour256
> > arcfour128
> > aes256-cbc
> > 3des-cbc
> > aes192-cbc
> > blowfish-cbc
> > cast128-cbc
> > arcfour
> > aes128-cbc
>
> Where did you get the idea that AES (~ Rijndael) is a weak cipher?
>
> RC4 (arcfour) is indeed considered insecure and Blowfish uses a block
> size that is too small for comfort. CAST-128 might still be quite usable
> and even though triple DES only provides about 80 bits of security it is
> still not considered broken.
>
> Regards,
> Leonard.
>

Morning Leonard,

I believe the vulnerability scan was done using OpenVAS http://www.openvas.org/

Medium (CVSS: 4.3)
NVT: SSH Weak Encryption Algorithms Supported

Summary
The remote SSH server is configured to allow weak encryption algorithms.

Vulnerability Detection Result
The following weak client-to-server encryption algorithms are supported by
the remote service:
rijndael-cbc@xxxxxxxxxxxxxx
arcfour256
arcfour128
aes256-cbc
3des-cbc
aes192-cbc
blowfish-cbc
cast128-cbc
arcfour
aes128-cbc

The following weak server-to-client encryption algorithms are supported by
the remote service:
rijndael-cbc@xxxxxxxxxxxxxx
arcfour256
arcfour128
aes256-cbc
3des-cbc
aes192-cbc
blowfish-cbc
cast128-cbc
arcfour
aes128-cbc

Solution
Disable the weak encryption algorithms.

Vulnerability Insight
The 'arcfour' cipher is the Arcfour stream cipher with 128-bit keys. The
Arcfour cipher is believed to be compatible with the RC4 cipher [SCHNEIER].
Arcfour (and RC4) has problems with weak keys, and should not be used anymore.

The 'none' algorithm specifies that no encryption is to be done. Note that
this method provides no confidentiality protection, and it is NOT RECOMMENDED
to use it.

A vulnerability exists in SSH messages that employ CBC mode that may allow an
attacker to recover plaintext from a block of ciphertext.

Vulnerability Detection Method
Check if remote ssh service supports Arcfour, none or CBC ciphers.
Details: SSH Weak Encryption Algorithms Supported OID: 1.3.6.1.4.1.25623.1.0.105611
Version used: $Revision: 3160 $

References
Other:
URL: https://tools.ietf.org/html/rfc4253#section-6.3
URL: https://www.kb.cert.org/vuls/id/958563

Thanks

> --
> mount -t life -o ro /dev/dna /genetic/research
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
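
Added example, not part of the original thread and not OpenVAS code: a small check that applies the detection rule the report states (Arcfour, none or CBC) to a server's cipher list and builds a Ciphers line from whatever is left. The function names and the sample line are constructed for illustration; the sample assumes input in the form of the "ciphers" line printed by `sshd -T`.

```python
# Added example (not from the thread, not OpenVAS code): applies the rule the
# report states ("Arcfour, none or CBC") to a cipher list such as the
# "ciphers" line printed by `sshd -T`. All names here are hypothetical.

def split_ciphers(line):
    """Accept 'ciphers a,b' (sshd -T), 'Ciphers a,b' (sshd_config) or bare 'a,b'."""
    parts = line.strip().split(None, 1)
    if parts and parts[0].lower() == "ciphers":
        parts = parts[1:]
    return [c.strip() for c in "".join(parts).split(",") if c.strip()]

def flag_reason(cipher):
    """Return 'none', 'arcfour' or 'cbc' if the report's rule matches, else None."""
    base = cipher.split("@", 1)[0].lower()   # drop vendor suffix such as @host
    if base == "none":
        return "none"
    if base.startswith("arcfour"):
        return "arcfour"
    if base.endswith("-cbc"):
        return "cbc"
    return None

def review(line):
    """Split a cipher list into (flagged, kept), preserving the server's order."""
    flagged, kept = [], []
    for cipher in split_ciphers(line):
        reason = flag_reason(cipher)
        if reason:
            flagged.append((cipher, reason))
        else:
            kept.append(cipher)
    return flagged, kept

def ciphers_directive(kept):
    """Build an sshd_config Ciphers line; refuse to emit an empty one."""
    if not kept:
        raise ValueError("no ciphers left after filtering")
    return "Ciphers " + ",".join(kept)

# Constructed sample: the ciphers listed in the report plus three CTR ciphers.
SAMPLE = ("ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,"
          "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,"
          "arcfour,rijndael-cbc@xxxxxxxxxxxxxx")

if __name__ == "__main__":
    flagged, kept = review(SAMPLE)
    for name, reason in flagged:
        print(f"flagged {name:30} ({reason})")
    print(ciphers_directive(kept))
```

The AES entries are flagged because their names end in -cbc, which is the mode the report's rule matches on; the CTR-mode AES ciphers in the sample pass through.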