Cisco ISE 2.1 - SSH Server CBC Mode Ciphers Enabled

PedroDias1994 (Level 1)

Hi,

After a Nessus scan, the report shows a vulnerability (Low) saying SSH Server CBC Mode Ciphers Enabled.

From other discussions, I can see two solutions, but both are for Cisco ISE 2.4 (and specific patches) and above:

1. service sshd encryption-mode ctr

2. service sshd encryption-algorithm aes128-ctr aes256-ctr

I have a Cisco ISE 2.1 implementation and my question is if there is any possibility to solve this vulnerability, since none of the commands above are acceptable...

Thank you for your help :)


3 Replies

PedroDias1994 (Level 1)

From the Cisco ISE CLI Reference Guide, Release 2.1 I can see the Syntax Options on the attachment, but none are the same as the commands I mentioned above...

poongarg (Cisco Employee)

Hello Pedro,

From ISE 2.2 onwards, we have the option to configure the "service sshd encryption algorithm" command, but not on ISE 2.1.

There is a defect, CSCum13116: Need ISE to Support aes256-ctr, aes256-ctr cipher for ISE as SSH client

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum13116

This introduces the behavior change in ISE 2.7, where CBC ciphers will no longer be supported by default.

To disable CBC mode ciphers on ISE 2.1, kindly open a TAC case to apply the workaround for this defect, which needs root access to the ISE node. The workaround needs to be applied on all the nodes in the deployment.
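A way to confirm what a node's sshd actually advertises before and after the change, as an added example that is not from this thread or from Cisco: the parser below reads the server's SSH_MSG_KEXINIT payload (RFC 4253 section 7.1), which is effectively what the Nessus plugin inspects, and lists any CBC entries. The two payloads are constructed fixtures, not captures from an ISE node.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(buf, off):
    """Read one RFC 4251 name-list: uint32 length, then comma-separated ASCII names."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated name-list body")
    names = [s for s in buf[off:off + n].decode("ascii").split(",") if s]
    return names, off + n


def parse_kexinit(payload):
    """Return the KEXINIT name-lists as a dict keyed by KEXINIT_FIELDS."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message-type byte followed by the 16-byte random cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        fields[name], off = _name_list(payload, off)
    return fields


def cbc_ciphers_offered(payload):
    """Sorted CBC-mode ciphers the server advertises in either direction (what the scanner flags)."""
    f = parse_kexinit(payload)
    offered = set(f["enc_c2s"]) | set(f["enc_s2c"])
    return sorted(c for c in offered if c.endswith("-cbc"))


def build_kexinit(ciphers):
    """Construct a minimal KEXINIT payload carrying the given cipher list (fixture, not a capture)."""
    def nl(s): return struct.pack(">I", len(s)) + s.encode("ascii")
    lists = ["diffie-hellman-group14-sha1", "ssh-rsa", ciphers, ciphers,
             "hmac-sha1", "hmac-sha1", "none", "none", "", ""]
    tail = b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows=false, reserved uint32
    return bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + b"".join(nl(x) for x in lists) + tail


# Constructed samples: a node still offering CBC, and one restricted to the CTR ciphers named in the thread.
SAMPLE_BEFORE = build_kexinit("aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc")
SAMPLE_AFTER = build_kexinit("aes128-ctr,aes256-ctr")
```

Against a live node, OpenSSH's `ssh -vv` prints the same server proposal under `peer server KEXINIT proposal` (the `ciphers ctos` / `ciphers stoc` lines), which is the quickest way to re-check every node after the TAC workaround has been applied.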
Hi Poongarg,

Thank you very much for your reply and solution!

I will proceed accordingly.

Regards,

PD