cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4298
Views
0
Helpful
8
Replies

Vulnerability regarding the SSH on Cisco BE6K server

nithin louis
Level 1
Level 1

Hi Team,

Our client ordered penetration test, and as a feedback they got recommendation on the Cisco UCS BE6K server "The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all".

Please review the below mentioned updates which we got from the penetration test team.


Is there any way by which we can change the algorithms used between SSH server and client ?.

Thanks & Regards
Nithin Louis.

Vulnerability Name Vulnerability Impact SOLUTION Additional Information
SSH Weak Algorithms Supported The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all. Contact the vendor or consult product documentation to remove the weak ciphers.
The following weak server-to-client encryption algorithms are supported :

  arcfour
  arcfour128
  arcfour256

The following weak client-to-server encryption algorithms are supported :

  arcfour
  arcfour128
  arcfour256
1 Accepted Solution

Accepted Solutions

Have a look at below bug

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur26594/?referring_site=bugquickviewredir

View solution in original post

8 Replies 8

HARIS_HUSSAIN
VIP Alumni
VIP Alumni

When you say 

SSH on Cisco BE6K

You mean ssh to CIMC or ESXi or CUCM ?

Hi Haris,

Thanks for your reply.

I mean SSH to CUCM.....

Regards

Nithin Louis.

Can you get the CVE Number for this Vulnerability.

Have a look at below bug

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur26594/?referring_site=bugquickviewredir

Hi Haris,

Thanks for your quick response.

As per this doc there is no workaround for this issue.

SSH Client and Keys Vulnerabilities
CSCur26594
Description
Symptoms:
Cisco Unified Communications Manager includes a version of OpenSSH that is affected by the vulnerabilities identified by the
following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-2653, CVE-2014-2532

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.
Anyways I have opened a PDI for the same lets wait what their suggestion on this.
Regards
Nithin Louis.

As per the Bug  only option to fix this vulnerability is to upgrade to fixed Version of CUCM.

Last Modified:
Dec 7,2015
Status:
Fixed
Severity:
3 Moderate
Product:
(3)
Cisco Unified Communications Manager (CallManager)
Cisco Unity Connection Version 7.1
Cisco Unified Communications Manager Version 7.1
Support Cases:
3
Known Affected Releases:
(2)
10.5(1.98000.99)
7.1(5)
Known Fixed Releases:
(6)
11.5(0.98000.126)
11.0(0.98100.18)
11.0(0.98000.89)
10.5(2.10000.5)
10.5(1.98000.445)
10.5(1.98000.366)

Hi Haris,

Please review the below updates which we got from the Vulnerability test for the BE6K server.

Thanks & Regards

Nithin

 

S.No

Affected IPs

Vulnerability Name

Vulnerability Impact

Affected Port

CVSS Base Score

CVSS ID

Severity

 

SOLUTION

Additional Information

UCM

4511

172.16.175.11

SSH Weak Algorithms Supported

The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all.

22

4.3

-

Medium

Pending

Contact the vendor or consult product documentation to remove the weak ciphers.


The following weak server-to-client encryption algorithms are supported :

  arcfour
  arcfour128
  arcfour256

The following weak client-to-server encryption algorithms are supported :

  arcfour
  arcfour128
  arcfour256

Try to get the Exact CVE Number from the audit team that will help to narrow down the Issue.

Also have a look at below bugs

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy51220/?referring_site=bugquickviewredir