topic Re: Change cipher in cisco devices in Network Security

Change cipher in cisco devices

Leftz — Wed, 10 Aug 2022 14:37:09 GMT

Hi Please see the below. Command cannot be entered in C2900 switch. Is this switch not be supported or something else?

Thank you

A01(config)#do sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADndtyyuiugharwrtvvgbsyjyuiiuohjfghjr5BN0
b8Hvh9l+KJHw7GYPMGS9uCm2hdgjhdtydrutrynd5yxw==

Re: Change cipher in cisco devices

Rob Ingram — Wed, 10 Aug 2022 14:51:45 GMT

@Leftz this guide implies thats SSH ciphers is not configurable https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_40_se/configuration/guide/scg.pdf those commands would certainly work on newer IOS-XE images.

Re: Change cipher in cisco devices

Leftz — Wed, 10 Aug 2022 16:19:38 GMT

@Rob Ingram Thank you for your reply.

We have the below info. Is it possible to remediate the issue without upgrading ios? thanks

Deprecated SSH Cryptographic Settings port 22/tcp
QID:
38739
Category:
General remote services
Associated CVEs:
-
Vendor Reference
-
Bugtraq ID:
-
Service Modified:
05/26/2021
User Modified:
-
Edited:
No
PCI Vuln:
Yes
THREAT:
The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another.
The target is using deprecated SSH cryptographic settings to communicate.

IMPACT:
A man-in-the-middle attacker may be able to exploit this vulnerability to record the communication to decrypt the session key and even the messages.
SOLUTION:
Avoid using deprecated cryptographic settings.
Use best practices when configuring SSH.

Refer to Security of Interactive and Automated Access Management Using Secure Shell (SSH) .

Settings currently considered deprecated:

Ciphers using CFB of OFB
Very uncommon, and deprecated because of weaknesses compared to newer cipher chaining modes such as CTR or GCM
RC4 cipher (arcfour, arcfour128, arcfour256)
The RC4 cipher has a cryptographic bias and is no longer considered secure
Ciphers with a 64-bit block size (DES, 3DES, Blowfish, IDEA, CAST)
Ciphers with a 64-bit block size may be vulnerable to birthday attacks (Sweet32)
Key exchange algorithms using DH group 1 (diffie-hellman-group1-sha1, gss-group1-sha1-*)
DH group 1 uses a 1024-bit key which is considered too short and vulnerable to Logjam-style attacks
Key exchange algorithm "rsa1024sha1"
Very uncommon, and deprecated because of the short RSA key size
MAC algorithm "umac-32"
Very uncommon, and deprecated because of the very short MAC length
Cipher "none"
This is available only in SSHv1
COMPLIANCE:
Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
Type Name
key exchange diffie-hellman-group1-sha1
cipher 3des-cbc

Re: Change cipher in cisco devices

Rob Ingram — Wed, 10 Aug 2022 16:26:12 GMT

@Leftz apply a VTY line ACL that limits SSH access to the switch to trusted networks (IT VLANs or dedicated Jump servers etc) will reduce the attack surface. Ideally you'd replace the hardware with something newer that supports stronger ciphers.

Re: Change cipher in cisco devices

MHM Cisco World — Fri, 12 Aug 2022 19:10:40 GMT

....

Re: Change cipher in cisco devices

Leftz — Fri, 12 Aug 2022 18:48:09 GMT

Thank you!