03-20-2024 03:28 AM
Hi, it has been raised following a penetration scan that the DNA Center nodes could be susceptible to a Terrapin attack caused by potentially using 'ChaCha20-Poly1305 or CBC with Encrypt-then-MAC' ciphers on the SSH server.
I'm wondering if there is a way to check the configured ciphers on the SSH server in the DNA Center. And if they are in use, how do I configure it so that they are removed from use?
Thanks for your help
03-20-2024 04:28 AM
You will need privileged access to check it on the DNAC/CC itself (requires a TAC token). I don't believe it is supported to make changes to SSH server ciphers on the DNAC/CC appliances either way. You can check for enabled ciphers by attempting to connect using them in OpenSSH, but it is more convenient to scan for enabled ciphers using nmap:
nmap --script ssh2-enum-algos -sV -p <port> <host>
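The nmap script above works by reading the server's SSH_MSG_KEXINIT, which lists every algorithm the server is willing to negotiate. The following is an added example (not code from the thread, from Cisco, or from the nmap project) that does the same thing in plain Python and then applies the Terrapin precondition to what the server offers: chacha20-poly1305@openssh.com, or a CBC cipher alongside an encrypt-then-MAC (*-etm@openssh.com) MAC, with no "strict kex" (kex-strict-s-v00@openssh.com) countermeasure advertised. The host name and port in the usage block are placeholders, and SAMPLE_SERVER_KEXINIT is a constructed algorithm set for offline testing, not output captured from a DNA Center node.

```python
"""Read an SSH server's KEXINIT and flag Terrapin-relevant algorithm offers.

Added example; not from the thread, Cisco, or nmap. Host/port are placeholders
and the sample algorithm set below is constructed, not captured from a device.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20
CHACHA20 = "chacha20-poly1305@openssh.com"
# Server-side "strict kex" marker from the OpenSSH PROTOCOL document; a server
# that advertises it has the Terrapin countermeasure.
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)

# Constructed sample: an OpenSSH-style server that offers ChaCha20-Poly1305,
# a CBC cipher and an ETM MAC, and does not advertise strict kex.
SAMPLE_SERVER_KEXINIT = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-512"],
    "enc_c2s": [CHACHA20, "aes256-gcm@openssh.com", "aes256-cbc"],
    "enc_s2c": [CHACHA20, "aes256-gcm@openssh.com", "aes256-cbc"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
    "lang_c2s": [], "lang_s2c": [],
}


def _name_list(buf: bytes, off: int):
    """Decode one RFC 4253 name-list: uint32 length + comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [x for x in names.split(",") if x], off + n


def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16  # message id + 16-byte random cookie
    algs = {}
    for field in KEXINIT_FIELDS:
        algs[field], off = _name_list(payload, off)
    return algs


def encode_kexinit(algs: dict, cookie: bytes = bytes(16)) -> bytes:
    """Inverse of parse_kexinit; used to turn the constructed sample into bytes."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        names = ",".join(algs.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    # first_kex_packet_follows = FALSE, then the reserved uint32 0
    return out + b"\x00" + struct.pack(">I", 0)


def assess_terrapin(algs: dict) -> dict:
    """Apply the Terrapin precondition to the algorithms a server offers."""
    ciphers = set(algs["enc_c2s"]) | set(algs["enc_s2c"])
    macs = set(algs["mac_c2s"]) | set(algs["mac_s2c"])
    cbc = sorted(c for c in ciphers if c.endswith("-cbc"))
    etm = sorted(m for m in macs if m.endswith("-etm@openssh.com"))
    chacha = CHACHA20 in ciphers
    cbc_etm = bool(cbc) and bool(etm)
    strict = STRICT_KEX_SERVER in algs["kex"]
    return {
        "chacha20_poly1305": chacha,
        "cbc_ciphers": cbc,
        "etm_macs": etm,
        "strict_kex": strict,
        "vulnerable": (chacha or cbc_etm) and not strict,
    }


def probe(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Do the version exchange, read the server's KEXINIT, and assess it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # pre-banner lines are allowed
            line = f.readline()
        s.sendall(b"SSH-2.0-kexinit_probe\r\n")
        # Binary packet (RFC 4253 section 6): uint32 packet_length, byte
        # padding_length, payload, padding. No MAC yet: no keys are agreed.
        packet_len, pad_len = struct.unpack(">IB", f.read(5))
        body = f.read(packet_len - 1)
        if len(body) != packet_len - 1:
            raise ConnectionError("short read on KEXINIT packet")
        payload = body[:packet_len - 1 - pad_len]
    return assess_terrapin(parse_kexinit(payload))


if __name__ == "__main__":
    # Offline run against the constructed sample; replace with
    # probe("dnac.example.internal", 22) to query a real node (placeholder host).
    print(assess_terrapin(parse_kexinit(encode_kexinit(SAMPLE_SERVER_KEXINIT))))
```

This reports what the server is willing to negotiate, which is what the scan flagged; the attack itself only applies to a session where one of those combinations is actually selected and neither side enforces strict kex, so a result of "vulnerable" here means the exposure exists for any client that picks those algorithms, not that every session is affected.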
03-20-2024 09:54 AM
Thanks for the advice Torbjorn. I have used a tool to discover if the devices are vulnerable
https://github.com/RUB-NDS/Terrapin-Scanner/releases/tag/v1.1.3
I will log a ticket with TAC to see if they can offer any further advice.
03-20-2024 11:23 PM