3950 Views | 0 Helpful | 8 Replies

Vulnerability regarding the SSH on Cisco BE6K server

nithin louis
Level 1

Hi Team,

Our client ordered a penetration test, and as feedback they got a recommendation on the Cisco UCS BE6K server: "The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all".

Please review the updates mentioned below, which we got from the penetration test team.


Is there any way by which we can change the algorithms used between the SSH server and client?

Thanks & Regards
Nithin Louis.

Vulnerability Name: SSH Weak Algorithms Supported

Vulnerability Impact: The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all.

Solution: Contact the vendor or consult product documentation to remove the weak ciphers.

Additional Information:

The following weak server-to-client encryption algorithms are supported:

  arcfour
  arcfour128
  arcfour256

The following weak client-to-server encryption algorithms are supported:

  arcfour
  arcfour128
  arcfour256
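As an added example (not from the original post or from Cisco), the check below parses the SSH_MSG_KEXINIT message in which an SSH server advertises its encryption name-lists (RFC 4253, section 7.1) and flags the arcfour ciphers named in the finding, per direction. The two KEXINIT payloads are constructed inline for illustration; a real check would feed in the payload captured from the CUCM host before and after the upgrade.

```python
import struct

# The RC4-based ciphers named in the pen-test finding above.
WEAK_CIPHERS = {"arcfour", "arcfour128", "arcfour256"}

# The ten name-lists of SSH_MSG_KEXINIT, in the order RFC 4253 section 7.1 defines them.
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Decode an SSH_MSG_KEXINIT payload into its name-lists (lists of algorithm names)."""
    if len(payload) < 17 or payload[0] != 20:      # 20 = SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}                           # skip message id + 16-byte cookie
    for name in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])   # uint32 length prefix
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list")
        pos += length
        lists[name] = [a for a in raw.decode("ascii").split(",") if a]
    return lists                                  # first_kex_packet_follows/reserved ignored

def weak_ciphers_offered(payload: bytes) -> dict:
    """Return the weak ciphers a KEXINIT advertises, split by direction as in the report."""
    lists = parse_kexinit(payload)
    return {"client_to_server": [c for c in lists["enc_c2s"] if c in WEAK_CIPHERS],
            "server_to_client": [c for c in lists["enc_s2c"] if c in WEAK_CIPHERS]}

def build_kexinit(enc: str, kex="diffie-hellman-group14-sha1",
                  host_key="ssh-rsa", mac="hmac-sha1", comp="none") -> bytes:
    """Build a KEXINIT payload; used only to construct sample input for this example."""
    def name_list(s: str) -> bytes:
        return struct.pack(">I", len(s)) + s.encode("ascii")
    body = b"".join(name_list(s) for s in
                    (kex, host_key, enc, enc, mac, mac, comp, comp, "", ""))
    return bytes([20]) + b"\x00" * 16 + body + b"\x00" + struct.pack(">I", 0)

# Constructed samples: a server still offering the arcfour family, and one that does not.
VULNERABLE_KEXINIT = build_kexinit("aes128-ctr,aes256-ctr,arcfour256,arcfour128,arcfour")
HARDENED_KEXINIT = build_kexinit("aes128-ctr,aes256-ctr,aes128-gcm@openssh.com")

if __name__ == "__main__":
    print(weak_ciphers_offered(VULNERABLE_KEXINIT))
    print(weak_ciphers_offered(HARDENED_KEXINIT))
```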
8 Replies

HARIS_HUSSAIN
VIP Alumni

When you say "SSH on Cisco BE6K", do you mean SSH to CIMC, ESXi or CUCM?

Hi Haris,

Thanks for your reply.

I mean SSH to CUCM.

Regards

Nithin Louis.

Can you get the CVE number for this vulnerability?

Have a look at the bug below:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur26594/?referring_site=bugquickviewredir

Hi Haris,

Thanks for your quick response.

As per this doc, there is no workaround for this issue.

SSH Client and Keys Vulnerabilities
CSCur26594
Description
Symptoms:
Cisco Unified Communications Manager includes a version of OpenSSH that is affected by the vulnerabilities identified by the
following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-2653, CVE-2014-2532

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.
Anyway, I have opened a PDI for the same; let's wait for their suggestion on this.

Regards

Nithin Louis.

As per the bug, the only option to fix this vulnerability is to upgrade to a fixed version of CUCM.

Last Modified: Dec 7, 2015
Status: Fixed
Severity: 3 Moderate
Product (3):
  Cisco Unified Communications Manager (CallManager)
  Cisco Unity Connection Version 7.1
  Cisco Unified Communications Manager Version 7.1
Support Cases: 3
Known Affected Releases (2):
  10.5(1.98000.99)
  7.1(5)
Known Fixed Releases (6):
  11.5(0.98000.126)
  11.0(0.98100.18)
  11.0(0.98000.89)
  10.5(2.10000.5)
  10.5(1.98000.445)
  10.5(1.98000.366)

Hi Haris,

Please review the updates below, which we got from the vulnerability test for the BE6K server.

Thanks & Regards

Nithin

UCM

S.No: 4511
Affected IPs: 172.16.175.11
Vulnerability Name: SSH Weak Algorithms Supported
Vulnerability Impact: The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all.
Affected Port: 22
CVSS Base Score: 4.3
CVSS ID: -
Severity: Medium
(unlabelled column): Pending
Solution: Contact the vendor or consult product documentation to remove the weak ciphers.

Additional Information:

The following weak server-to-client encryption algorithms are supported:

  arcfour
  arcfour128
  arcfour256

The following weak client-to-server encryption algorithms are supported:

  arcfour
  arcfour128
  arcfour256

Try to get the exact CVE number from the audit team; that will help to narrow down the issue.

Also have a look at the bugs below:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy51220/?referring_site=bugquickviewredir