DNA center SSH server ciphers

Dale Shaw
Level 1

Hi, it has been raised following a penetration scan that the DNA center nodes could be susceptible to a terrapin attack caused by potentially using 'ChaCha20-Poly1305 or CBC with Encrypt-then-MAC' ciphers on the SSH server.

I'm wondering if there is a way to check the configured ciphers on the SSH server in the DNA center, and if they are in use, how do I configure it so that they are removed from being used?

Thanks for your help


Accepted Solution

Torbjørn
Spotlight

You will need privileged access to check it on the DNAC/CC itself (requires a TAC token). I don't believe it is supported to make changes to SSH server ciphers on the DNAC/CC appliances either way. You can check for enabled ciphers by attempting to connect using them in OpenSSH, but it is more convenient to scan for enabled ciphers using nmap:

nmap --script ssh2-enum-algos -sV -p <port> <host>


Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

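As an added example (not part of Torbjørn's reply, the Terrapin-Scanner project or any Cisco tooling), a small Python helper that reads the `ssh2-enum-algos` output of the nmap command above and flags the two Terrapin-affected combinations Dale's scan report named, ChaCha20-Poly1305 and CBC paired with an Encrypt-then-MAC MAC. The nmap output is a constructed sample, not a capture from a DNA Center node, and the strict-kex marker is assumed to be the standard OpenSSH `kex-strict-s-v00@openssh.com` name.

```python
# Constructed sample of `nmap --script ssh2-enum-algos` output: standard
# algorithm names in nmap's layout, NOT a capture from a real DNA Center node.
SAMPLE_NMAP_OUTPUT = """\
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos: 
|   kex_algorithms: (1)
|       curve25519-sha256
|   encryption_algorithms: (2)
|       chacha20-poly1305@openssh.com
|       aes256-cbc
|   mac_algorithms: (2)
|       hmac-sha2-256-etm@openssh.com
|_      hmac-sha2-256
"""
# Pseudo-KEX name a server advertises when it supports the strict-kex
# countermeasure (assumed standard OpenSSH identifier).
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"

def parse_ssh2_enum_algos(text):
    # Returns {section: [algorithm, ...]} from the script's '|'-gutter block.
    algos, section = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):      # skip the PORT/STATE table lines
            continue
        line = raw.lstrip("|_").strip()  # drop nmap's '|' / '|_' gutter
        if line.endswith(")") and ":" in line:   # e.g. "mac_algorithms: (2)"
            section = line.split(":")[0]
            algos[section] = []
        elif section and line:
            algos[section].append(line)
    return algos

def terrapin_exposure(algos):
    """Flag the Terrapin-affected modes: ChaCha20-Poly1305, or a CBC cipher with an
    Encrypt-then-MAC (*-etm@openssh.com) MAC; a server advertising strict kex is
    treated as mitigated (for clients that also support strict kex)."""
    ciphers = algos.get("encryption_algorithms", [])
    macs = algos.get("mac_algorithms", [])
    findings = []
    chacha = [c for c in ciphers if c.startswith("chacha20-poly1305")]
    if chacha:
        findings.append("ChaCha20-Poly1305 offered: " + ", ".join(chacha))
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if m.endswith("-etm@openssh.com")]
    if cbc and etm:
        findings.append("CBC + Encrypt-then-MAC offered: " + ", ".join(cbc + etm))
    strict_kex = STRICT_KEX_SERVER in algos.get("kex_algorithms", [])
    return {"vulnerable": bool(findings) and not strict_kex,
            "strict_kex": strict_kex, "findings": findings}
```

Feed it the real nmap output for a node and an empty `findings` list (or `strict_kex` true) means the server does not negotiate the affected modes; a CTR or GCM-only cipher list with no `*-etm` MACs paired to CBC is the configuration the scan finding is asking for.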

Thanks for the advice, Torbjørn. I have used a tool to discover if the devices are vulnerable:

https://github.com/RUB-NDS/Terrapin-Scanner/releases/tag/v1.1.3

I will log a ticket with TAC to see if they can offer any further advice.


Indra_Saputra
Level 1

Hi @Dale Shaw

I have some issue. 

Have you opened a TAC case with Cisco? Is there any further information?

Thanks