SSH Weak Key Exchange Algorithms Enabled - Nessus Scan

Loureiro
Level 1

After scanning with the Nessus scanner, the vulnerability "SSH Weak Key Exchange Algorithms Enabled" was identified on the Catalyst 3560 and 3750 equipment. However, it was not found on the equipment how to resolve the problem. Some attempts were made but were unsuccessful; here is what was done until now:

An attempt was made to include the options that the equipment provides, but without success:

ip http secure-ciphersuite ?
3des-ede-cbc-sha Encryption type ssl_rsa_with_3des_ede_cbc_sha ciphersuite
des-cbc-sha Encryption type ssl_rsa_with_des_cbc_sha ciphersuite
rc4-128-md5 Encryption type ssl_rsa_with_rc4_128_md5 ciphersuite
rc4-128-sha Encryption type ssl_rsa_with_rc4_128_sha ciphersuite

The following features have already been disabled:

no ip http server
no ip http secure-server

 

I am using the versions WS-C3560V2-24PS 12.2(55)SE12 and WS-C3750V2-48PS-S 12.2(55)SE12.

2 REPLIES

balaji.bandi
Hall of Fame

When you scan, it looks to me like it is getting the weak keys from SSH, not from your HTTPS (so disabling HTTPS is not going to solve it).

Configure SSH to SSH v2 (make sure the RSA keys are 2048 or above to get more secure).

The commands below give you more information:

show ssh

show ip ssh 

 

BB


sho ssh
%No SSHv1 server connections running.
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-cbc hmac-sha1 Session started fernando.loureiro
0 2.0 OUT aes256-cbc hmac-sha1 Session started fernando.loureiro

#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 110 secs; Authentication retries: 2
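
The `show ssh` output above reports the session cipher and HMAC but not the key exchange algorithms the SSH server offers, which is what the scanner finding is about. As an added example (not part of the original thread), this Python code parses a server's SSH_MSG_KEXINIT packet per RFC 4253 and flags weak key exchange names; the weak-name list follows RFC 9142 and the sample packet is constructed, so both are assumptions rather than values taken from the scanner or the switches.

```python
import struct

# Assumption: names RFC 9142 marks SHOULD NOT / MUST NOT; a scanner's own list may differ.
WEAK_KEX_EXACT = {"diffie-hellman-group1-sha1",
                  "diffie-hellman-group-exchange-sha1", "rsa1024-sha1"}
WEAK_KEX_PREFIXES = ("gss-group1-sha1-", "gss-group14-sha1-", "gss-gex-sha1-")
SSH_MSG_KEXINIT = 20
FIELDS = ("kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c")

def parse_kexinit(packet: bytes) -> dict:
    """Parse one unencrypted SSH binary packet carrying SSH_MSG_KEXINIT (RFC 4253, 7.1)."""
    if len(packet) < 5:
        raise ValueError("truncated packet header")
    pkt_len, pad_len = struct.unpack(">IB", packet[:5])
    if pkt_len + 4 > len(packet) or pad_len + 1 > pkt_len:
        raise ValueError("inconsistent packet or padding length")
    payload = packet[5:4 + pkt_len - pad_len]
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for name in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")
        if pos + 4 + n > len(payload):
            raise ValueError("name-list truncated or overruns payload")
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        pos += 4 + n
    return lists

def weak_kex(lists: dict) -> list:
    return [k for k in lists["kex_algorithms"]
            if k in WEAK_KEX_EXACT or k.startswith(WEAK_KEX_PREFIXES)]

def build_sample() -> bytes:
    """Constructed KEXINIT for the demo; not captured from any device."""
    kex = ("diffie-hellman-group-exchange-sha1,"
           "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1")
    offers = [kex, "ssh-rsa", "aes256-cbc", "aes256-cbc",
              "hmac-sha1", "hmac-sha1", "none", "none", "", ""]
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for o in offers:
        body += struct.pack(">I", len(o)) + o.encode("ascii")
    body += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    pad = 4 + (-(len(body) + 9)) % 8        # at least 4 bytes, total multiple of 8
    return struct.pack(">IB", len(body) + pad + 1, pad) + body + bytes(pad)

if __name__ == "__main__":
    print(weak_kex(parse_kexinit(build_sample())))
```
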