12-02-2015 11:30 PM - edited 03-11-2019 11:59 PM
Hi All,
On one of our Cisco ASA 5525s we are running asa912-smp-k8.bin, but it has a bug related to OpenSSH,
Bug ID: CSCul78967 and CVE ID: CVE-2008-5161. The Bug Tool shows no workaround for this, please share your inputs on this!!!!
https://tools.cisco.com/bugsearch/bug/CSCul78967/?referring_site=bugquickviewredir
The bug is all about the details below:
1. SSH Weak MAC Algorithms Enabled
2. SSH Server CBC Mode Ciphers Enabled
SSH is configured to allow MD5 and 96-bit MAC algorithms.
Please share your valuable inputs...!!!!
12-03-2015 12:34 AM
Hi there,
For v9.1(2) ASA-OS use the command:
no ssl <cipher>
...to disable the suite you don't want.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1562163
cheers,
Seb.
12-03-2015 01:47 AM
Hi Shrinad,
You can run the command "show ssh sessions detail" to check which encryption and HMAC it uses for each SSH connection.
If you are above 9.1.2 there are enhancements in the SSH encryption where AES-CTR is supported. Please refer to
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-685480
There is no workaround for this. This is different than the SSL encryption where we can disable some of the encryption.
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
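The two findings in this thread (CBC-mode ciphers, MD5 and 96-bit MACs) are visible in the algorithm name-lists a server advertises in its SSH_MSG_KEXINIT. The following is an added example, not code from this thread or from Cisco: it serialises and parses a KEXINIT payload (RFC 4253 layout) and flags the weak cipher and MAC names. The server algorithm set below is constructed to match the finding described in the question, not captured from a real ASA, and the function names are the example's own.

```python
import struct
from typing import Dict, List

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
NAME_LISTS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
]
SSH_MSG_KEXINIT = 20


def encode_kexinit(lists: Dict[str, List[str]], cookie: bytes = b"\x00" * 16) -> bytes:
    """Serialise a KEXINIT payload: message byte, 16-byte cookie, ten name-lists
    (uint32 length + comma-separated names), first_kex_packet_follows, reserved."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LISTS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Decode the name-lists from a KEXINIT payload, rejecting truncated input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 17  # skip the message byte and the cookie
    lists: Dict[str, List[str]] = {}
    for field in NAME_LISTS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list body")
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[field] = raw.split(",") if raw else []
    return lists


def is_weak_cipher(name: str) -> bool:
    # CBC-mode ciphers (the thread's finding) plus the RC4 variants.
    return name.endswith("-cbc") or name.startswith("arcfour")


def is_weak_mac(name: str) -> bool:
    # MD5-based MACs and 96-bit truncated tags, as the scanner reported.
    return "md5" in name or name.endswith("-96")


def audit_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Return the weak cipher and MAC names offered in either direction."""
    lists = parse_kexinit(payload)
    ciphers = set(lists["encryption_algorithms_client_to_server"]
                  + lists["encryption_algorithms_server_to_client"])
    macs = set(lists["mac_algorithms_client_to_server"]
               + lists["mac_algorithms_server_to_client"])
    return {
        "weak_ciphers": sorted(c for c in ciphers if is_weak_cipher(c)),
        "weak_macs": sorted(m for m in macs if is_weak_mac(m)),
    }


# Constructed sample: a hypothetical server advertising the algorithm set the
# thread describes (CBC ciphers plus MD5 and 96-bit MACs). Not a real ASA capture.
SAMPLE_SERVER_KEXINIT = encode_kexinit({
    "kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": ["aes128-cbc", "3des-cbc", "aes128-ctr"],
    "encryption_algorithms_server_to_client": ["aes128-cbc", "3des-cbc", "aes128-ctr"],
    "mac_algorithms_client_to_server": ["hmac-sha1", "hmac-sha1-96", "hmac-md5"],
    "mac_algorithms_server_to_client": ["hmac-sha1", "hmac-sha1-96", "hmac-md5"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
})

if __name__ == "__main__":
    for kind, names in audit_kexinit(SAMPLE_SERVER_KEXINIT).items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

Run against the constructed sample this reports 3des-cbc and aes128-cbc as weak ciphers and hmac-md5 and hmac-sha1-96 as weak MACs, while aes128-ctr and hmac-sha1 pass; the same parser applied to a KEXINIT captured from your own device gives a record of what it offers before and after any configuration change.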