Some security vulnerability in N9K

Leftz — Mon, 15 Aug 2022 21:38:59 GMT

Hi we got report from Qualys. The description is like the below. The device is N9000. Not sure if this is an issue. Anyone can have some comments on this? Do we need to take care of it? Thank you

Cisco Nexus Switch host scanned, found vuln 38739 Deprecated SSH Cryptographic Settings Active Vuln 3 22 tcp 44738.84913 44780.85259 6 "Avoid using deprecated cryptographic settings.

Use best practices when configuring SSH.

Refer to Security of Interactive and Automated Access Management Using Secure Shell (SSH) (https://protect-us.mimecast.com/s/qFNbC9rE8jUk5YJqFEbdzA?domain=csrc.nist.gov) .

Settings currently considered deprecated:

<DL>

<DT>Ciphers using CFB of OFB</DT>

<DD>Very uncommon, and deprecated because of weaknesses compared to newer cipher chaining modes such as CTR or GCM</DD>

<DT>RC4 cipher (arcfour, arcfour128, arcfour256)</DT>

<DD>The RC4 cipher has a cryptographic bias and is no longer considered secure</DD>

<DT>Ciphers with a 64-bit block size (DES, 3DES, Blowfish, IDEA, CAST)</DT>

<DD>Ciphers with a 64-bit block size may be vulnerable to birthday attacks (Sweet32)</DD>

<DT>Key exchange algorithms using DH group 1 (diffie-hellman-group1-sha1, gss-group1-sha1-*)</DT>

<DD>DH group 1 uses a 1024-bit key which is considered too short and vulnerable to Logjam-style attacks</DD>

<DT>Key exchange algorithm ""rsa1024sha1""</DT>

<DD>Very uncommon, and deprecated because of the short RSA key size</DD>

<DT>MAC algorithm ""umac-32""</DT>

<DD>Very uncommon, and deprecated because of the very short MAC length</DD>

<DT>Cipher ""none""</DT>

<DD>This is available only in SSHv1</DD>

</DL>" "Type Name

topic Some security vulnerability in N9K in Network Security

Some security vulnerability in N9K