BUG0217580 addressed an SSH vulnerability (CVE-2008-5161) involving when CBC algorithms are used in SSH connections (CBC Mode ...

Symptoms or Error

BUG0217580 addressed an SSH vulnerability (CVE-2008-5161) involving when CBC algorithms are used in SSH connections (CBC Mode Plaintext Recovery Vulnerability). The bug was reported when NetScaler 10.0 was still the newest version as NetScaler shipped with an affected version of OpenSSH.?? The NetScaler bug fix addresses the issue by forcing a different family of ciphers (AES CTR) to be favored and by adding countermeasures that make any CBC-vectored attack infeasible. Fresher builds of newer NetScaler versions (10.1, 10.5, 11.0) would have inherited these fixes.

However, though the related vulnerability cannot be exploited, there have been reports of customers opening a case on this concern as their NetScaler is flagging for the vulnerability.??In this example security scan, nmap executed against the NetScaler 11.0 build 64.34 appliance (NSIP shows SSH encryption algorithms that include those that are based on CBC and MAC algorithms based on md5 and 96-bit.

 c:\> nmap -script ssh2-enum-algos  Starting Nmap 7.11 ( https://nmap.org ) at 2016-03-25 16:35 Eastern Daylight Time Nmap scan report for Host is up (0.0012s latency).  [OUTPUT TRUNCATED FOR BREVITY]  |???? encryption_algorithms: (13) |???????????? aes128-ctr |???????????? aes192-ctr |???????????? aes256-ctr |???????????? arcfour256 |???????????? arcfour128 |???????????? aes128-cbc |???????????? 3des-cbc |???????????? blowfish-cbc |???????????? cast128-cbc |???????????? aes192-cbc |???????????? aes256-cbc |???????????? arcfour |???????????? rijndael-cbc@lysator.liu.se |???? mac_algorithms: (9) |?????????? ??hmac-md5 |???????????? hmac-sha1 |???????????? umac-64@openssh.com |???????????? hmac-sha2-256 |???????????? hmac-sha2-512 |???????????? hmac-ripemd160 |???????????? hmac-ripemd160@openssh.com |???????????? hmac-sha1-96 |???????????? hmac-md5-96



Though the NetScaler is protected by bugfix from an attack using the aforementioned exploit, false positive security scans can still serve as a thorn of annoyance for a customer.?? Therefore, a customer can take additional steps to reconfigure SSH so that future scans do not flag as false positives for the issue.

ADVISORY: These changes should only be attempted through the CONSOLE SESSION to prevent loss of access to the NetScaler.??Additionally, older versions of Java may fail to connect to the NetScaler 10.5 or 10.1 GUI if the NetScaler modified with these changes.


1) If the file sshd_config does not already exist in /nsconfig on the NetScaler, then copy the default version of the file to /nsconfig:??

 cp /etc/sshd_config /nsconfig/sshd_config


2) Modify sshd_config to ADD the following lines below to the end of the text (DO NOT REPLACE THE EXISTING TEXT, ONLY APPEND THE SUGGESTED TEXT):

 Ciphers aes128-ctr,aes192-ctr,aes256-ctr MACs hmac-sha1,hmac-ripemd160

3) Restart SSHD by killing the process. Note: The marks at the beginning and end of cat /var/run/sshd.pid are back quotes

 root# kill -HUP `cat /var/run/sshd.pid`

4) Ciphers reported by nmap should now reflect the new configuration.

 [OUTPUT TRUNCATED FOR BREVITY]  |???? encryption_algorithms: (3) |???????????? aes128-ctr |???????????? aes192-ctr |???????????? aes256-ctr |???? mac_algorithms: (2) |???????????? hmac-sha1 |???????????? hmac-ripemd160 

Problem Cause

The NetScaler is flagging for the vulnerability??likely because probes against the NetScaler NSIP using tools like nmap might still result in a report that the NetScaler is using vulnerable SSH ciphers. Typically, quick security scans will not actually attempt??to explicitly??verify??the undesired cipher can be successfully utilized for an actual ssh connection and subsequent exploit. The scan result might also include an additional flag for enabled weak MAC algorithms (based on md5 or 96-bit) but without trying to use the weak algorithms either.

Additional Resources

How to Make Changes to the Files in /etc/ Directory that Persists Across Reboots on NetScaler
http://support.ctx.org.cn/CTX124551.citrix -??http://support.ctx.org.cn/CTX124551.citrix

Applicable Products


Join the conversation

Citrix Discussions

Open a case

Citrix Support