https://community.cisco.com/t5/network-security/cisco-asa-open-ssh-vulnerability/m-p/2795610#M174337 <P>Hi All,</P> <P></P> <P>On one of our Cisco ASA 5525 we are having OS of &nbsp;<SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">asa912-smp-k8.bin , but &nbsp;it has a BUG Related to OPEN SSH,&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">BUG ID:&nbsp;<SPAN>CSCul78967 and CVE ID:&nbsp;CVE-2008-5161, Bug Tool Shows no work around for this please share your inputs on this!!!!</SPAN></SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"><SPAN></SPAN></SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"><SPAN><A href="https://tools.cisco.com/bugsearch/bug/CSCul78967/?referring_site=bugquickviewredir" target="_blank">https://tools.cisco.com/bugsearch/bug/CSCul78967/?referring_site=bugquickviewredir</A></SPAN></SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"><SPAN></SPAN></SPAN></P> <P><FONT color="#1f497d" face="Calibri, sans-serif"><SPAN style="font-size: 14.6667px;">Bug Is all about below details:</SPAN></FONT></P> <P><FONT color="#1f497d" face="Calibri, sans-serif"><SPAN style="font-size: 14.6667px;">Please share your Valuable inputs...!!!!</SPAN></FONT></P> <TABLE style="border-collapse: collapse;"> <TBODY> <TR style="height: 41.65pt;"> <TD width="204" style="width: 152.95pt; padding: 0in 5.4pt 0in 5.4pt; height: 41.65pt;"> <P><SPAN style="font-size: 10.0pt;">1. SSH Weak MAC Algorithms Enabled 2. SSH Server CBC Mode Ciphers Enabled </SPAN></P> </TD> <TD width="169" style="width: 126.55pt; padding: 0in 5.4pt 0in 5.4pt; height: 41.65pt;"> <P><SPAN style="font-size: 10.0pt;">SSH is configured to allow MD5 and 96-bit MAC algorithms. </SPAN></P> </TD> </TR> </TBODY> </TABLE> Tue, 12 Mar 2019 06:59:06 GMT shrinad146 2019-03-12T06:59:06Z https://community.cisco.com/t5/network-security/cisco-asa-open-ssh-vulnerability/m-p/2795610#M174337 <P>Hi All,</P> <P></P> <P>On one of our Cisco ASA 5525 we are having OS of &nbsp;<SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">asa912-smp-k8.bin , but &nbsp;it has a BUG Related to OPEN SSH,&nbsp;</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">BUG ID:&nbsp;<SPAN>CSCul78967 and CVE ID:&nbsp;CVE-2008-5161, Bug Tool Shows no work around for this please share your inputs on this!!!!</SPAN></SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"><SPAN></SPAN></SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"><SPAN><A href="https://tools.cisco.com/bugsearch/bug/CSCul78967/?referring_site=bugquickviewredir" target="_blank">https://tools.cisco.com/bugsearch/bug/CSCul78967/?referring_site=bugquickviewredir</A></SPAN></SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"><SPAN></SPAN></SPAN></P> <P><FONT color="#1f497d" face="Calibri, sans-serif"><SPAN style="font-size: 14.6667px;">Bug Is all about below details:</SPAN></FONT></P> <P><FONT color="#1f497d" face="Calibri, sans-serif"><SPAN style="font-size: 14.6667px;">Please share your Valuable inputs...!!!!</SPAN></FONT></P> <TABLE style="border-collapse: collapse;"> <TBODY> <TR style="height: 41.65pt;"> <TD width="204" style="width: 152.95pt; padding: 0in 5.4pt 0in 5.4pt; height: 41.65pt;"> <P><SPAN style="font-size: 10.0pt;">1. SSH Weak MAC Algorithms Enabled 2. SSH Server CBC Mode Ciphers Enabled </SPAN></P> </TD> <TD width="169" style="width: 126.55pt; padding: 0in 5.4pt 0in 5.4pt; height: 41.65pt;"> <P><SPAN style="font-size: 10.0pt;">SSH is configured to allow MD5 and 96-bit MAC algorithms. </SPAN></P> </TD> </TR> </TBODY> </TABLE> Tue, 12 Mar 2019 06:59:06 GMT https://community.cisco.com/t5/network-security/cisco-asa-open-ssh-vulnerability/m-p/2795610#M174337 shrinad146 2019-03-12T06:59:06Z https://community.cisco.com/t5/network-security/cisco-asa-open-ssh-vulnerability/m-p/2795611#M174338 <P>Hi there,</P> <P>For v9.1(2) ASA-OS use the comman:</P> <P></P> <PRE class="prettyprint">no ssl &lt;cipher&gt; </PRE> <P>...to disable the suite you don't want.</P> <P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1562163</P> <P></P> <P>cheers,</P> <P>Seb.</P> <P></P> <P></P> Thu, 03 Dec 2015 08:34:08 GMT https://community.cisco.com/t5/network-security/cisco-asa-open-ssh-vulnerability/m-p/2795611#M174338 Seb Rupik 2015-12-03T08:34:08Z https://community.cisco.com/t5/network-security/cisco-asa-open-ssh-vulnerability/m-p/2795612#M174339 <P>Hi Shrinad,</P> <P>You can run the command " show ssh sessions detail" to check which encryption and HMAC it uses for each ssh connection.</P> <P>if you are above 9.1.2 there are enahancement in the SSH encryption where aes-CTR is supported. Please refer&nbsp;</P> <P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-685480</P> <P>There is no workaround for this. This is different than the SSL encryption where we can disable some of the encryption.</P> <P>Thanks,<BR />Shivapramod M<BR />Please remember to select a correct answer and rate helpful posts</P> Thu, 03 Dec 2015 09:47:16 GMT https://community.cisco.com/t5/network-security/cisco-asa-open-ssh-vulnerability/m-p/2795612#M174339 Shivapramod M 2015-12-03T09:47:16Z