cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
916
Views
0
Helpful
3
Replies

DNA center SSH server ciphers

Dale Shaw
Level 1
Level 1

Hi, it has been raised following a penetration scan that the DNA center nodes could be susceptible to a terrapin attack caused by potentially using 'ChaCha20-Poly1305 or CBC with Encrypt-then-MAC' ciphers on the SSH server.

I'm wondering if there is a way to check the configured ciphers on the SSH server in the DNA center.  And if they are in use how do configure it so that are removed from being used.

Thanks for your help

 

1 Accepted Solution

Accepted Solutions

Torbjørn
Spotlight
Spotlight

You will need privileged access to check it on the DNAC/CC itself(Requries TAC token). I don't believe it is supported to make changes to SSH server ciphers on the DNAC/CC appliances either way. You can check for enabled ciphers by attempting to connect using them in OpenSSH, but it is more convenient to scan for enabled ciphers using nmap: 

nmap --script ssh2-enum-algos -sV -p <port> <host>

 

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

View solution in original post

3 Replies 3

Torbjørn
Spotlight
Spotlight

You will need privileged access to check it on the DNAC/CC itself(Requries TAC token). I don't believe it is supported to make changes to SSH server ciphers on the DNAC/CC appliances either way. You can check for enabled ciphers by attempting to connect using them in OpenSSH, but it is more convenient to scan for enabled ciphers using nmap: 

nmap --script ssh2-enum-algos -sV -p <port> <host>

 

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Thanks for the advice Torbjorn.  I have used a tool to discover if the devices are vulnerable 

https://github.com/RUB-NDS/Terrapin-Scanner/releases/tag/v1.1.3

I will log a ticket with TAC to see if they can offer any further advice.

 

 

Indra_Saputra
Level 1
Level 1

Hi @Dale Shaw 

I have some issue. 

have you open tac with Cisco? is it any further information?

Thanks

Review Cisco Networking for a $25 gift card