Bug ID 1053949: AFM SSH proxy offering weak ciphers, the ciphers must be removed

Last Modified: Dec 20, 2023

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 17.0.0, 17.0.0.1, 17.0.0.2

Fixed In:
17.1.0

Opened: Oct 11, 2021

Severity: 3-Major

Symptoms

AFM SSH Proxy is offering following weak ciphers: - hmac-sha1 - diffie-hellman-group14-sha1 - 3des-cbc

Impact

Selection of weak ciphers can break the the encryption scheme.

Conditions

- Configure virtual server with AFM SSH profile attached.

Workaround

None

Fix Information

The following three DB variables are made available to toggle the weak ciphers, by default the variable are disabled and if required they can be enabled explicitly: root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db sshplugin.enable_* sys db sshplugin.enable_3des_and_blowfish_ciphers { value "false" } sys db sshplugin.enable_dh_group14_sha1_kex_alg { value "false" } sys db sshplugin.enable_hmac_sha1_mac { value "false" }

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips