Tenable CBC Plugin Reporting With CTR Enabled

jbulloch — Tue, 22 Oct 2024 13:51:01 GMT

Hi cisco community,

I will admit i was not sure rather to put this under security or switching. Recently, my company has decided to have a outside auditor come in whom uses tenable. One of these scans has hit two of our switches, a 9300 and 3560CX has having CBC enabled.

However both switches have confiqured as such:
(9300) ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr

(3560) ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr

Neither are using a CBC option. I asked for both to be ran again, and they both popped up positive again. I contacted tenable and was told to reach out to the vendor and ask for a security patch.

I've tried pushing everything on the switches to 512 but out corporate terminal client does not enjoy having the hostkey set that high.

The configs are as follows:

C9300-48U

ip ssh server authenticate user publickey
ip ssh server authenticate user keyboard
ip ssh server authenticate user password
no ip ssh server peruser session limit
ip ssh server certificate profile
ip ssh server algorithm mac hmac-sha2-512 hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm kex curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1
ip ssh server algorithm hostkey rsa-sha2-256 ssh-rsa
ip ssh server algorithm authentication publickey keyboard password
ip ssh server algorithm publickey x509v3-ssh-rsa ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519 x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 x509v3-ecdsa-sha2-nistp521 rsa-sha2-256 rsa-sha2-512

WS-C3560CX-8PC-S

Is there another setting i am missing which would effect this hit? The plugin text is:

The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext."

Thank you for your assistance!

Re: Tenable CBC Plugin Reporting With CTR Enabled

Mark Elsen — Wed, 23 Oct 2024 06:45:01 GMT

- You can verify the enabled ciphers with : % nmap --script ssh2-enum-algos switchname
(nmap.org)

Re: Tenable CBC Plugin Reporting With CTR Enabled

jbulloch — Thu, 24 Oct 2024 18:38:56 GMT

marce,

Thanks for the input and while that is helpful i cannot run nmap in our environment.

Re: Tenable CBC Plugin Reporting With CTR Enabled

Mark Elsen — Thu, 24 Oct 2024 18:48:18 GMT

- The feeling around that argument is something I defy ; you
'don't run nmap in your environment' ;
you run a command as a technical authorized administrator on a single device to examine an issue.
Or what about all your other users who might have downloaded it already , and scanned your
network numerous times.....->?

topic Tenable CBC Plugin Reporting With CTR Enabled in Network Security

Tenable CBC Plugin Reporting With CTR Enabled

Re: Tenable CBC Plugin Reporting With CTR Enabled

Re: Tenable CBC Plugin Reporting With CTR Enabled

Re: Tenable CBC Plugin Reporting With CTR Enabled