cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1596
Views
0
Helpful
6
Replies

ACS 5.5(0.46) - SSH vulnerability

Hi,

We are getting below vulnerability on Cisco ACS 5.5(0.46) in regards to SSH

Can someone help me to get Solution to avoid the same or any doc related to below vulnerability or Cisco bug for this ?

SSH Weak MAC Algorithms Enabled

The remote SSH server is configured to allow MD5 and 96-bit MAC
algorithms.

The remote SSH server is configured to allow either MD5 or 96-bit MAC
algorithms, both of which are considered weak.

Note that this plugin only checks for the options of the SSH server,
and it does not check for vulnerable software versions.

Contact the vendor or consult product documentation to disable MD5 and
96-bit MAC algorithms.

SSH Server CBC Mode Ciphers Enabled

The SSH server is configured to use Cipher Block Chaining.

The SSH server is configured to support Cipher Block Chaining (CBC)
encryption. This may allow an attacker to recover the plaintext message
from the ciphertext.

Note that this plugin only checks for the options of the SSH server and
does not check for vulnerable software versions.

Contact the vendor or consult product documentation to disable CBC mode
cipher encryption, and enable CTR or GCM cipher mode encryption.

6 Replies 6

Marvin Rhoads
Hall of Fame
Hall of Fame

I don't see them obviously identified on the later release notes or BugIDs. Do you have the CVE numbers for those two vulnerabilities?

In general though, you have the option of disabling the ssh service altogether and using a physical or virtual console when you need cli access. Instructions for doing so can be found here:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur00511/

Hi,

Thanks for your reply.

We have got only one CVE no. CVE-2008-5161 (for SSH Server CBC Mode Ciphers Enabled) and the bug ID for this is CSCup58251. We did not get the CVE no. for SSH Weak MAC Algorithms Enabled.

But i don't see any workaround or patch released with bug fix for the same. 

Is there any other option to overcome this vulnerability?

Under that one BugID you have, I don't see ACS 5.8 as affected (although the release notes don't specifically mention it) so you might try upgrading to ACS 5.8.

If you have doubt, your best course of action would be to open a TAC case for confirmation. If you do not have a support contract, the vulnerability scanning resdults might be a good reason to make the case for your comapny buying that support.

Also be advised that ACS end of sale has been announced. Reference:

http://www.cisco.com/c/en/us/products/collateral/security/secure-access-control-system/eos-eol-c51-738197.html

Hi,

Thanks for your replies. 

We have raised SR with TAC and revert awaited. Will keep posted

Hi All,

 

What was the TAC response, which ACS version are affected and whether any patch released as a fix?

 

Also would like to know if ACS 5.8.0.32 is affected with this?

 

Thanks

Anil

 

 

Hi All,

 

We are running ACS 5.8.0.32 on a VM environment and would like to know if this vulnerability is still active and affected?

 

Thanks

Anil