SSH vulnerabilities: HMAC algorithms and CBC ciphers
SSH Insecure HMAC Algorithms Enabled
SSH CBC Mode Ciphers Enabled
Below is the update from NCircle regarding the vulnerabilities:
Vulnerability Name: SSH Insecure HMAC Algorithms Enabled
Description: Insecure HMAC algorithms are enabled.
Solution: Disable any 96-bit HMAC algorithms. Disable any MD5-based HMAC algorithms.
Vulnerability Name: SSH CBC Mode Ciphers Enabled
Description: CBC mode ciphers are enabled on the SSH server.
Solution: Disable CBC mode ciphers and use CTR mode ciphers.
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
In order to remove the CBC ciphers, add or modify the "Ciphers" line in
/etc/ssh/sshd_config as below:
# default is aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
# aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
# aes256-cbc,arcfour
# you can remove the cbc ciphers by adding the line
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
In order to remove HMAC-MD5, add or modify the "MACs" line in
/etc/ssh/sshd_config as below:
# default is hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
# you can remove the hmac-md5 MACs with
MACs hmac-sha1,hmac-ripemd160
Restart SSHD to apply the changes:
# service sshd restart
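As an added example (not part of the original article), a small Python audit script that reads an sshd_config and reports the Ciphers and MACs entries the two scanner findings flag (CBC-mode ciphers, MD5-based MACs, 96-bit MACs), applying the defaults quoted in this article when a directive is absent. The sample configs are constructed, and Match blocks are ignored (an assumption that simplifies the parser).

```python
"""Audit an sshd_config for the CBC ciphers and weak MACs this article asks to disable."""
import re

# Defaults quoted in the article for the OpenSSH shipped with RHEL 5/6; used when
# the directive is absent (assumption: they match the installed version).
DEFAULT_CIPHERS = ("aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,"
                   "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,"
                   "aes256-cbc,arcfour")
DEFAULT_MACS = "hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96"


def effective_directive(config_text, keyword, default):
    """Return the algorithm list sshd would use for `keyword`.
    Keywords are case-insensitive and the first occurrence wins;
    Match blocks are not handled (assumption)."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return [a.strip() for a in parts[1].split(",") if a.strip()]
    return default.split(",")


def weak_algorithms(config_text):
    """Return {'Ciphers': [...], 'MACs': [...]} with the entries the findings flag.
    arcfour ciphers are not flagged because the article's fix keeps them."""
    ciphers = effective_directive(config_text, "Ciphers", DEFAULT_CIPHERS)
    macs = effective_directive(config_text, "MACs", DEFAULT_MACS)
    return {
        "Ciphers": [c for c in ciphers if c.endswith("-cbc")],
        "MACs": [m for m in macs if "md5" in m or m.endswith("-96")],
    }


# Constructed sample configs: before and after applying the article's fix.
BEFORE = "# no Ciphers/MACs lines, so sshd falls back to its defaults\nPort 22\n"
AFTER = ("Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour\n"
         "MACs hmac-sha1,hmac-ripemd160\n")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, weak_algorithms(cfg))
```

Run it against /etc/ssh/sshd_config before and after the change; an empty list under both keys means the two findings are addressed.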
References: http://csrc.nist.gov/archive/ipsec/papers/rfc2403-hmacmd5.txt
Algorithm and Mode
[RFC-1321] describes the underlying MD5 algorithm, while [RFC-2104]
describes the HMAC algorithm. The HMAC algorithm provides a framework
for inserting various hashing algorithms such as MD5.
HMAC-MD5-96 operates on 64-byte blocks of data. Padding requirements
are specified in [RFC-1321] and are part of the MD5 algorithm. If
MD5 is built according to [RFC-1321], there is no need to add any
additional padding as far as HMAC-MD5-96 is concerned. With regard
to "implicit packet padding" as defined in [AH], no implicit packet
padding is required.
HMAC-MD5-96 produces a 128-bit authenticator value. This 128-bit
value can be truncated as described in RFC 2104. For use with either
ESP or AH, a truncated value using the first 96 bits MUST be
supported. Upon sending, the truncated value is stored within the
authenticator field. Upon receipt, the entire 128-bit value is
computed and the first 96 bits are compared to the value stored in
the authenticator field. No other authenticator value lengths are
supported by HMAC-MD5-96.
The length of 96 bits was selected because it is the default
authenticator length as specified in [AH] and meets the security
requirements described in [RFC-2104].
# man sshd_config
Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers
must be comma-separated. The supported ciphers are 3des-cbc, aes128-cbc,
aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, arcfour128,
arcfour256, arcfour, blowfish-cbc, and cast128-cbc. The default is:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour

MACs Specifies the available MAC (message authentication code) algorithms.
The MAC algorithm is used in protocol version 2 for data integrity protection.
Multiple algorithms must be comma-separated.
The default is hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96.
After the above change, PuTTY may fail to connect to the server with an error like
"couldn't agree a client-to-server cipher (available aes128-ctr etc.....)",
because its default cipher preferences no longer match what the server offers. In that
case, adjust the PuTTY cipher settings as described here.
Diagnostic Steps
To test whether CBC ciphers or weak HMACs are still enabled, run the commands below.
# ssh -vv -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc <server>
# ssh -vv -oMACs=hmac-md5 <server>
At the end of the output you should see messages like the ones below; they mean the
negotiation failed because the server no longer offers the algorithms the client proposed.
no matching cipher found: client aes128-cbc,3des-cbc,blowfish-cbc
no matching mac found: client hmac-md5 server hmac-sha1,hmac-ripemd160