Bug 1818103 - SSH Server CBC Mode Ciphers Enabled in RHCOS
Summary: SSH Server CBC Mode Ciphers Enabled in RHCOS
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: crypto-policies
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
Reported: 2020-03-27 17:16 UTC by Sara Ferguson
Modified: 2023-09-07 22:38 UTC (History)
Last Closed: 2020-03-31 07:38:08 UTC
Type: Bug

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-40113 0 None None None 2023-09-07 22:38:02 UTC

Comment 1 Colin Walters 2020-03-27 17:25:08 UTC
With any bug like this, the first question to ask is:

Why are they enabled in RHEL by default?  Is it worth carrying an override just for RHCOS?

Comment 2 Micah Abbott 2020-03-27 18:40:53 UTC
I happened to have a RHEL8 VM booted in OpenStack and it behaves the same way.  This looks like it should be a RHEL bug.

```
$ sshq -l cloud-user 10.0.149.74
Warning: Permanently added '10.0.149.74' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket
                                                                       
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/                                                                                                                                                                                                            
To register this system, run: insights-client --register 
                                                                       
Last login: Wed Mar 11 12:07:15 2020 from 10.18.41.196  
[cloud-user@micah-rhel8-1105a ~]$ cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="8.1 (Ootpa)"                                                                                                                         
ID="rhel"                                                                                                                                     
ID_LIKE="fedora"                                                                                                                              
VERSION_ID="8.1"                         
PLATFORM_ID="platform:el8"                                                                                                                                                                                                                                                                  
PRETTY_NAME="Red Hat Enterprise Linux 8.1 (Ootpa)"                                                                                            
ANSI_COLOR="0;31"                                                                                                                                                                                                                                                                           
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.1:GA"                                                                                              
HOME_URL="https://www.redhat.com/"               
BUG_REPORT_URL="https://bugzilla.redhat.com/"                          
                                                                                                                                                                                                                                                                                            
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"                                                                                                                                                                                                                                        
REDHAT_BUGZILLA_PRODUCT_VERSION=8.1                 
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"                      
REDHAT_SUPPORT_PRODUCT_VERSION="8.1"                                   
[cloud-user@micah-rhel8-1105a ~]$ rpm -q openssh
openssh-8.0p1-4.el8_1.x86_64
[cloud-user@micah-rhel8-1105a ~]$ sudo sshd -T | grep -i cipher
ciphers chacha20-poly1305,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm,aes256-gcm       
[cloud-user@micah-rhel8-1105a ~]$ exit                    
logout                                 
Connection to 10.0.149.74 closed.

$ sshq -l cloud-user 10.0.149.74 -c  aes256-cbc -vvv                                       
OpenSSH_8.0p1, OpenSSL 1.1.1d FIPS  10 Sep 2019                                                                                               
debug1: Reading configuration data /home/miabbott/.ssh/config                                                                                 
debug1: Reading configuration data /etc/ssh/ssh_config      
- - - - - - - - -8<- - - - - - - - -
debug2: ciphers ctos: aes256-cbc                 
debug2: ciphers stoc: aes256-cbc
- - - - - - - - -8<- - - - - - - - -
debug2: ciphers ctos: aes256-gcm,chacha20-poly1305,aes256-ctr,aes256-cbc,aes128-gcm,aes128-ctr,aes128-cbc 
debug2: ciphers stoc: aes256-gcm,chacha20-poly1305,aes256-ctr,aes256-cbc,aes128-gcm,aes128-ctr,aes128-cbc
- - - - - - - - -8<- - - - - - - - -
Activate the web console with: systemctl enable --now cockpit.socket

This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register

Last login: Fri Mar 27 14:34:45 2020 from 10.3.113.229
[cloud-user@micah-rhel8-1105a ~]$ 
```

Comment 4 Tomas Mraz 2020-03-30 16:26:00 UTC
Please note that the vulnerability (a fairly low-impact one, as described at http://www.openssh.com/txt/cbc.adv) exists only when the plain MAC algorithms are used (not the encrypt-then-mac algorithms with -etm). The cbc algorithms are also enabled for interoperability with other SSH implementations.

Jakub, perhaps we could disable them in other policies than LEGACY? Although that would be quite problematic to do given we have no special configuration value for SSH ciphers and disabling CBC ciphers everywhere is probably something we do not want to do.

Comment 5 Jakub Jelen 2020-03-30 16:35:01 UTC
Well ... first of all, the original CVE from 2008 was fixed in 2009, mitigating the attack to the point of being unfeasible [1]:

> Probability of successful recovering 32 bits of plain text is roughly 2^-18

We have this well documented in the KBS [1].

Additionally, these are enabled only later in the list of supported algorithms for interoperability, so if both client and server are under your control (and support something reasonable) and you do not mess with configuration, they will never be negotiated (no, no, the algorithm negotiation is authenticated, which prevents its modification by man in the middle).

This means there is really no security issue coming from this, even if your scanner or a random link on the internet says otherwise.

On the other hand, they are no longer enabled in upstream OpenSSH, which makes it a little bit more pressing for us to follow suit. I would not like to introduce another complexity to the crypto policies, but if Tomas is fine with that, we can change this.

[1] https://access.redhat.com/solutions/420283
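
The negotiation rule that comment 5 relies on, as an added example that is not part of the original thread: SSH selects the first cipher on the client's list that the server also offers (RFC 4253, section 7.1), so the CBC entries in the server proposal from comment 2 are chosen only when the client asks for them first or supports nothing else. `MODERN_CLIENT` and `LEGACY_CLIENT` are constructed assumptions; the log lines and cipher names are copied as they appear on this page.

```python
import re

# Cipher lines from the `-vvv` session in comment 2, names as they appear on this page.
# OpenSSH logs the local (client) KEXINIT proposal first, then the peer (server) one.
DEBUG_LOG = """\
debug2: ciphers ctos: aes256-cbc
debug2: ciphers stoc: aes256-cbc
debug2: ciphers ctos: aes256-gcm,chacha20-poly1305,aes256-ctr,aes256-cbc,aes128-gcm,aes128-ctr,aes128-cbc
debug2: ciphers stoc: aes256-gcm,chacha20-poly1305,aes256-ctr,aes256-cbc,aes128-gcm,aes128-ctr,aes128-cbc
"""

# Constructed client proposals (assumptions, not captured from a real client).
MODERN_CLIENT = ["chacha20-poly1305", "aes128-ctr", "aes256-ctr", "aes128-gcm", "aes256-gcm"]
LEGACY_CLIENT = ["aes128-cbc", "3des-cbc"]


def proposals(log):
    """Return (client, server) client-to-server cipher lists from `ssh -vvv` output."""
    found = re.findall(r"^debug2: ciphers ctos: (\S+)", log, re.M)
    if len(found) < 2:
        raise ValueError("need both the local and the peer KEXINIT proposal")
    return found[0].split(","), found[1].split(",")


def negotiate(client, server):
    """RFC 4253 7.1: first cipher on the client's list that the server also offers."""
    return next((c for c in client if c in server), None)


def audit(client, server):
    """Separate what a scanner reports (CBC offered) from what is actually negotiated."""
    chosen = negotiate(client, server)
    return {
        "server_offers_cbc": [c for c in server if c.endswith("-cbc")],
        "negotiated": chosen,
        "cbc_negotiated": chosen is not None and chosen.endswith("-cbc"),
    }


if __name__ == "__main__":
    forced_client, server = proposals(DEBUG_LOG)
    for name, client in [("forced -c aes256-cbc", forced_client),
                         ("modern client", MODERN_CLIENT),
                         ("legacy CBC-only client", LEGACY_CLIENT)]:
        print(name, "->", audit(client, server))
```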

Comment 6 Jakub Jelen 2020-03-30 16:36:28 UTC
But certainly nothing we would be able to fix in OpenSSH now. Moving to crypto policies, which defines this default for us.

Comment 7 Colin Walters 2020-03-30 17:05:31 UTC
One thing we should document though and be sure works is switching crypto policies via the MCO https://github.com/openshift/machine-config-operator/
And also an example for hardening SSH directly.

Comment 8 Tomas Mraz 2020-03-31 07:38:08 UTC
(In reply to Colin Walters from comment #7)
> One thing we should document though and be sure works is switching crypto
> policies via the MCO https://github.com/openshift/machine-config-operator/
> And also an example for hardening SSH directly.

Please report that as an issue against the relevant documentation component.

Given the risk of disabling access to an RHEL-8 server for legacy clients that support only CBC modes I am afraid that dropping the CBC modes from even the DEFAULT policy would be too risky. I am thus closing this as WONTFIX for RHEL-8. For RHEL-9 I'd propose to drop the CBC modes from the SSH configs altogether. I will handle this change upstream.

