Are the Maverick APIs susceptible to the SSH CBC Vulnerability?

Are any versions of Maverick susceptible the SSH CBC vulnerability? 

http://www.kb.cert.org/vuls/id/958563

The nature of the CBC vulnerability means any application that uses CBC is vulnerable. As the note points out the way to secure against the use of CBC is to use CTR mode ciphers.

If you want to ensure this happens then the only method is to remove the use of CBC ciphers from our APIs. The following code should do that leaving only CTR ciphers available. Note this should work for both J2SSH Maverick and Maverick SSHD, where sshContext variable is either a Ssh2Context (J2SSH Maverick) or SshContext (Maverick SSHD)

// Remove chaining block ciphers
sshContext.supportedCiphersCS().remove("aes128-cbc");
sshContext.supportedCiphersCS().remove("aes192-cbc");
sshContext.supportedCiphersCS().remove("aes256-cbc");
sshContext.supportedCiphersCS().remove("blowfish-cbc");
sshContext.supportedCiphersCS().remove("3des-cbc");

sshContext.supportedCiphersSC().remove("aes128-cbc");
sshContext.supportedCiphersSC().remove("aes192-cbc");
sshContext.supportedCiphersSC().remove("aes256-cbc");
sshContext.supportedCiphersSC().remove("blowfish-cbc");
sshContext.supportedCiphersSC().remove("3des-cbc");

// Remove ARCFOUR
sshContext.supportedCiphersSC().remove("arcfour");
sshContext.supportedCiphersSC().remove("arcfour128");
sshContext.supportedCiphersSC().remove("arcfour256");

sshContext.supportedCiphersCS().remove("arcfour");
sshContext.supportedCiphersCS().remove("arcfour128");
sshContext.supportedCiphersCS().remove("arcfour256");

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.