ACS 5.5(0.46) - SSH vulnerability

Hi,

We are getting the vulnerability below on Cisco ACS 5.5(0.46) in regard to SSH.

Can someone help me get a solution to avoid this, or point me to any doc related to the vulnerability below or a Cisco bug for it?

SSH Weak MAC Algorithms Enabled

The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms.

The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.

Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.

Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.

SSH Server CBC Mode Ciphers Enabled

The SSH server is configured to use Cipher Block Chaining.

The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
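As an added illustration (my own code, not from the original post, Cisco, or the scanner vendor): the plugin text says it only inspects the options the SSH server offers, and that offer is the server's SSH_MSG_KEXINIT message, which lists the ciphers and MACs for each direction (RFC 4253 section 7.1). The script below builds two constructed sample offers, parses the name-lists and applies the two rules from the findings (MD5 or 96-bit MACs, CBC-mode ciphers), so an administrator can reproduce the check or confirm a fix after upgrading. The fetch_server_kexinit helper connects to a server you administer; the function names, the probe identification string and the sample algorithm lists are my own assumptions, not anything taken from ACS.

```python
"""Check an SSH server's KEXINIT offer for the two scanner findings above:
MD5 / 96-bit MAC algorithms and CBC-mode ciphers (RFC 4253 section 7.1)."""
import socket
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists that follow the message id and 16-byte cookie, in order.
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def encode_kexinit(fields, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload; used here only to build sample offers."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        joined = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(joined)) + joined
    out += b"\x00"               # first_kex_packet_follows = FALSE
    out += struct.pack(">I", 0)  # reserved
    return out


def parse_kexinit(payload):
    """Return a dict of name-list field -> list of algorithm names."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # skip message id and cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT before %s" % name)
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list %s" % name)
        pos += length
        fields[name] = [n for n in raw.decode("ascii").split(",") if n]
    return fields


def is_weak_mac(name):
    """MD5-based MACs and MACs truncated to 96-bit tags, plain or ETM form."""
    base = name.replace("-etm@openssh.com", "")
    return "md5" in base or base.endswith("-96")


def assess(fields):
    """Apply the scanner's two rules to both directions of the offer."""
    macs = set(fields["mac_algorithms_client_to_server"])
    macs |= set(fields["mac_algorithms_server_to_client"])
    ciphers = set(fields["encryption_algorithms_client_to_server"])
    ciphers |= set(fields["encryption_algorithms_server_to_client"])
    return {
        "weak_macs": sorted(m for m in macs if is_weak_mac(m)),
        "cbc_ciphers": sorted(c for c in ciphers if c.endswith("-cbc")),
    }


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Connect to a live server (one you administer), exchange identification
    strings, and return its KEXINIT payload. Before key exchange there is no
    MAC, so the binary packet is just length, padding length, payload, padding."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        while True:  # servers may send banner lines before "SSH-2.0-..."
            line = f.readline()
            if not line or line.startswith(b"SSH-"):
                break
        s.sendall(b"SSH-2.0-kexinit_probe\r\n")  # hypothetical client ident
        packet_len, pad_len = struct.unpack(">IB", f.read(5))
        body = f.read(packet_len - 1)
        return body[:len(body) - pad_len]


def sample_offer(ciphers, macs):
    """Constructed sample offer (not captured from a real ACS appliance)."""
    return encode_kexinit({
        "kex_algorithms": ["diffie-hellman-group14-sha256"],
        "server_host_key_algorithms": ["ssh-rsa"],
        "encryption_algorithms_client_to_server": ciphers,
        "encryption_algorithms_server_to_client": ciphers,
        "mac_algorithms_client_to_server": macs,
        "mac_algorithms_server_to_client": macs,
        "compression_algorithms_client_to_server": ["none"],
        "compression_algorithms_server_to_client": ["none"],
    })


# An offer matching the findings, and one a hardened server would send.
SAMPLE_WEAK_OFFER = sample_offer(
    ["aes128-cbc", "3des-cbc", "aes128-ctr"],
    ["hmac-md5", "hmac-sha1", "hmac-sha1-96", "hmac-md5-96"])
SAMPLE_HARDENED_OFFER = sample_offer(
    ["aes128-ctr", "aes256-gcm@openssh.com"],
    ["hmac-sha2-256", "hmac-sha2-512-etm@openssh.com"])

if __name__ == "__main__":
    import sys
    payload = fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WEAK_OFFER
    print(assess(parse_kexinit(payload)))
```

Run with no arguments to evaluate the constructed weak offer; pass a hostname to pull the real offer from a server you operate. Note that hmac-sha1 is not flagged: it carries a full 160-bit tag and is outside the scope of this particular finding, even though a modern baseline would prefer the SHA-2 MACs.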


Marvin Rhoads
Hall of Fame

I don't see them obviously identified in the later release notes or BugIDs. Do you have the CVE numbers for those two vulnerabilities?

In general though, you have the option of disabling the SSH service altogether and using a physical or virtual console when you need CLI access. Instructions for doing so can be found here:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur00511/

Hi,

Thanks for your reply.

We have got only one CVE no. CVE-2008-5161 (for SSH Server CBC Mode Ciphers Enabled) and the bug ID for this is CSCup58251. We did not get the CVE no. for SSH Weak MAC Algorithms Enabled.

But I don't see any workaround or patch released with a bug fix for this.

Is there any other option to overcome this vulnerability?

Under that one BugID you have, I don't see ACS 5.8 as affected (although the release notes don't specifically mention it) so you might try upgrading to ACS 5.8.

If you have doubts, your best course of action would be to open a TAC case for confirmation. If you do not have a support contract, the vulnerability scanning results might be a good reason to make the case for your company buying that support.

Also be advised that ACS end of sale has been announced. Reference:

http://www.cisco.com/c/en/us/products/collateral/security/secure-access-control-system/eos-eol-c51-738197.html

Hi,

Thanks for your replies. 

We have raised an SR with TAC and are awaiting their reply. Will keep you posted.

Hi All,

What was the TAC response, which ACS versions are affected, and was any patch released as a fix?

Also, I would like to know if ACS 5.8.0.32 is affected by this.

Thanks

Anil

Hi All,

We are running ACS 5.8.0.32 in a VM environment and would like to know if this vulnerability is still active and affects it.

Thanks

Anil