
Audit scan of phones exposes ssh "open"

joeharb
Level 5

An internal scan of our phones has resulted in a finding that phones reject an SSH connection when SSH is disabled. I would expect the phone to not respond to SSH requests if it is disabled, as opposed to rejecting the connection on port 22. Is there any way to force the device not to respond to SSH requests instead of rejecting them?

We have tested by enabling the ssh on a phone and we get a prompt for creds, when disabled we get a connection refused.

 

Thanks,

 

Joe

 

3 Replies

Short answer is no. Use an ACL on phone ports to deny ssh ports

After more discussion, the actual "vulnerabilities" that are exposed are the following:

 

Dropbear SSH Multiple Security Vulnerabilities and Deprecated SSH Cryptographic Settings...

 

Per CSCug65382 there is no workaround for Dropbear, and I don't think any loads have been released for phones that remove the following: keys diffie-hellman-group1-sha1, cipher 3des-cbc, cipher blowfish-cbc.

 

Not sure how to proceed other than the ACL.

 

 

HARIS_HUSSAIN
VIP Alumni
Block the Port 22 from and to IP Phone subnet via ACL or Firewalls.

*** Please rate helpful post; Mark "Accept as a Solution" if applicable

Thanks,
Haris
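
Added example, not part of the thread and not Cisco's code: a Python check for re-testing after the ACL is applied. It separates the "connection refused" result the scanner flagged from a filtered port, and flags the three algorithms named in the thread inside an SSH_MSG_KEXINIT payload. The function names are hypothetical and the sample payload is constructed.

```python
import errno
import socket
import struct

# Algorithms named in the scan finding quoted in the thread.
DEPRECATED = {"diffie-hellman-group1-sha1", "3des-cbc", "blowfish-cbc"}

def port_state(host, port=22, timeout=3.0):
    """Classify a TCP port the way a scanner sees it: open, refused or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "refused"         # RST returned: host reachable, nothing listening
    except socket.timeout:
        return "filtered"        # no answer at all: packets dropped on the path
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"    # ICMP unreachable from a filtering device
        raise

def deprecated_in_kexinit(payload):
    """Return deprecated names offered in an SSH_MSG_KEXINIT payload (RFC 4253)."""
    if not payload or payload[0] != 20:           # 20 = SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT payload")
    offset, offered = 17, set()                   # skip type byte + 16-byte cookie
    for _ in range(6):                            # kex, host key, 2x cipher, 2x MAC
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        names = payload[offset:offset + length]
        if len(names) != length:
            raise ValueError("truncated name-list")
        offered.update(names.decode("ascii").split(","))
        offset += length
    return sorted(offered & DEPRECATED)

def build_kexinit(lists):
    """Build a KEXINIT payload from ten name-lists (used for constructed samples)."""
    encoded = (",".join(names).encode("ascii") for names in lists)
    body = b"".join(struct.pack(">I", len(e)) + e for e in encoded)
    return bytes([20]) + bytes(16) + body + b"\x00" + bytes(4)

# Constructed sample: a server offering the algorithms listed in the thread.
SAMPLE = build_kexinit([
    ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"], ["ssh-rsa"],
    ["aes128-ctr", "3des-cbc", "blowfish-cbc"], ["aes128-ctr", "3des-cbc"],
    ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"], [], [],
])
```

With the ACL in place, `port_state` run from the scanner's network segment should return "filtered" rather than "refused" for the phone subnet.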