CISCO ASA OPEN SSH Vulnerability.

shrinad146
Level 1

Hi All,

On one of our Cisco ASA 5525s we are running asa912-smp-k8.bin, but it has a bug related to OpenSSH.

Bug ID: CSCul78967 and CVE ID: CVE-2008-5161. The Bug Tool shows no workaround for this; please share your inputs on this!!!!

https://tools.cisco.com/bugsearch/bug/CSCul78967/?referring_site=bugquickviewredir

The bug is all about the details below:

Please share your valuable inputs...!!!!

1. SSH Weak MAC Algorithms Enabled
2. SSH Server CBC Mode Ciphers Enabled

SSH is configured to allow MD5 and 96-bit MAC algorithms.

2 Replies

Seb Rupik
VIP Alumni

Hi there,

For v9.1(2) ASA-OS use the command:

no ssl <cipher> 

...to disable the suite you don't want.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1562163

cheers,

Seb.

Shivapramod M
Level 1

Hi Shrinad,

You can run the command "show ssh sessions detail" to check which encryption and HMAC it uses for each SSH connection.

If you are above 9.1.2 there are enhancements in the SSH encryption where AES-CTR is supported. Please refer to

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-685480

There is no workaround for this. This is different than the SSL encryption where we can disable some of the encryption.

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
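"show ssh sessions detail" reports the cipher and HMAC negotiated for sessions that are already open; to confirm the two scanner findings from the network side you need the list the server offers before any session is set up. The script below is an added example, not code from this thread or from Cisco: it performs the SSH identification-string exchange, reads the server's SSH_MSG_KEXINIT (RFC 4253), and flags every advertised CBC cipher and every MD5-based or 96-bit-truncated MAC. The sample KEXINIT contents in SAMPLE_SERVER_LISTS are constructed for illustration; the host is taken from the command line and no login is attempted.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20

# Order of the name-lists inside SSH_MSG_KEXINIT (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)


def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists):
    """Encode a KEXINIT payload; used here only to construct sample input."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16        # message id + 16-byte cookie
    for key in KEXINIT_FIELDS:
        body += _name_list(lists.get(key, []))
    return body + b"\x00" + b"\x00\x00\x00\x00"           # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16                                           # skip message id and cookie
    lists = {}
    for key in KEXINIT_FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        lists[key] = raw.split(",") if raw else []
    return lists


def weak_reason(field, name):
    """Why an offered algorithm matches one of the two scanner findings, or None."""
    if field in ("enc_c2s", "enc_s2c") and name.endswith("-cbc"):
        return "CBC mode cipher"
    if field in ("mac_c2s", "mac_s2c"):
        if name.endswith("-96"):
            return "96-bit truncated MAC"
        if "md5" in name:
            return "MD5-based MAC"
    return None


def audit_algorithms(lists):
    """Return (field, algorithm, reason) for every weak cipher or MAC offered."""
    findings = []
    for field in KEXINIT_FIELDS:
        for name in lists.get(field, []):
            reason = weak_reason(field, name)
            if reason:
                findings.append((field, name, reason))
    return findings


def payload_from_packet(body):
    """Strip padding from an unencrypted packet body (the bytes after packet_length)."""
    padding_length = body[0]
    return body[1:len(body) - padding_length]


def _recv_exactly(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during SSH key exchange")
        buf += chunk
    return buf


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Exchange identification strings, read the server's KEXINIT, disconnect."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-algo_audit\r\n")
        banner = b""
        while not banner.startswith(b"SSH-"):             # servers may send pre-banner lines
            banner = b""
            while not banner.endswith(b"\n"):
                banner += _recv_exactly(sock, 1)
        (packet_length,) = struct.unpack(">I", _recv_exactly(sock, 4))
        body = _recv_exactly(sock, packet_length)
    return banner.strip().decode("ascii", "replace"), parse_kexinit(payload_from_packet(body))


# Constructed sample: what a server offering the flagged suites might advertise.
SAMPLE_SERVER_LISTS = {
    "kex": ["diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-rsa"],
    "enc_c2s": ["aes128-cbc", "3des-cbc", "aes128-ctr"],
    "enc_s2c": ["aes128-cbc", "3des-cbc", "aes128-ctr"],
    "mac_c2s": ["hmac-sha1", "hmac-sha1-96", "hmac-md5"],
    "mac_s2c": ["hmac-sha1", "hmac-sha1-96", "hmac-md5"],
    "comp_c2s": ["none"],
    "comp_s2c": ["none"],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                                  # python3 audit.py <host>
        banner, lists = fetch_server_kexinit(sys.argv[1])
        print(banner)
    else:
        lists = parse_kexinit(build_kexinit(SAMPLE_SERVER_LISTS))
    for field, name, reason in audit_algorithms(lists):
        print(f"{field:8s} {name:16s} {reason}")
```

Run it without arguments to see the findings for the constructed sample, or with a host name to audit a real server; after the fix (or after moving to a release that negotiates CTR and SHA-2 suites) the same run should report no CBC or MD5/96-bit entries. The socket is closed right after the server's KEXINIT, so the only trace on the device is an aborted key exchange.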
