Cisco ISE 2.7 SSL/TLS Vulnerabilities Remediation port 8084

jj2048
Level 1

Overview:

I have a customer who conducts a VA scan on every new network device that is going to be implemented in the network.
Recently, on Cisco ISE, the customer presented me with 5 vulnerabilities to remediate.

Namely:

-SSL/TLS Server Support TLSv1.0 Ports 8443 to 8445 (3 counts) | ports 8443 to 8445/tcp over SSL
-SSL/TLS use of weak RC4 (Arcfour) cipher (1 count) | port 8084/tcp over SSL
-Birthday attacks against TLS ciphers with 64-bit block size vulnerability (Sweet32) (1 count) | port 8084/tcp over SSL

I was able to remediate the first 3 counts by disabling TLSv1.0 and TLSv1.1 on Administration > System > Settings > Security Settings.

The remaining 2, SSL/TLS use of weak RC4 (Arcfour) cipher and Birthday attacks against TLS ciphers with 64-bit block size vulnerability (Sweet32), I was not able to remediate.

So I built a network in our lab consisting of Cisco ISE, a switch, DNS, a SUBCA, NTP, etc., basically all the network elements needed for ISE.

I succeeded in replicating the scenario using their VA scanner as well, Qualys.

But I failed to find the settings to remediate the port 8084/tcp over SSL (Sweet32) and (RC4 cipher) vulnerabilities.

Question:

Does anybody know where I can remediate the remaining vulnerabilities?

-SSL/TLS use of weak RC4 (Arcfour) cipher / 8084/tcp over SSL
-Birthday attacks against TLS ciphers with 64-bit block size vulnerability (Sweet32) / 8084/tcp over SSL

Solutions on the Qualys report:

-RC4 should not be used where possible. One reason that RC4 (Arcfour) was still being used was the BEAST and Lucky13 attacks against CBC mode ciphers in SSL and TLS. However, TLSv1.2 or later addresses these issues.

-Disable and stop using DES, 3DES, IDEA or RC2 ciphers.

I tried to check the reference ports on Cisco ISE; 8084 is in BYOD, but I failed to locate what settings I should change.

Thank you in advance.
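A way to reproduce the four Qualys findings from the post against a lab ISE node and see which remain after remediation, as an added example that is not from this thread or from Cisco. It assumes a reachable ISE host passed as `host`, offers each weak option alone with Python's `ssl` module, and reports a probe that the local OpenSSL cannot even construct as 'unavailable' rather than as a pass; the probe labels and port list are constructed from the post.

```python
import socket
import ssl

# Probes mirroring the Qualys findings quoted in the post: name -> (min TLS, max TLS, OpenSSL ciphers).
PROBES = {
    "TLSv1.0 accepted": (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1, "ALL:@SECLEVEL=0"),
    "TLSv1.1 accepted": (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_1, "ALL:@SECLEVEL=0"),
    "RC4 cipher accepted": (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_2, "RC4:@SECLEVEL=0"),
    "64-bit block cipher accepted (Sweet32)": (
        ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_2, "3DES:DES:IDEA:RC2:@SECLEVEL=0"),
}
ISE_PORTS = (8443, 8444, 8445, 8084)   # from the post: 8443-8445 (TLSv1.0), 8084 (EST/BYOD: RC4, Sweet32)

def build_context(min_version, max_version, ciphers):
    """Client context offering only the weak protocol range and cipher string under test. Raises
    ssl.SSLError/ValueError when the local OpenSSL cannot offer them (e.g. RC4 on OpenSSL 3)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # the handshake is under test, not the certificate chain
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    ctx.set_ciphers(ciphers)
    return ctx

def probe(host, port, probe_name, timeout=5.0):
    """Return 'accepted', 'rejected', 'unreachable' or 'unavailable' for one probe on one port."""
    min_version, max_version, ciphers = PROBES[probe_name]
    try:
        ctx = build_context(min_version, max_version, ciphers)
    except (ssl.SSLError, ValueError):
        return "unavailable"            # cannot be tested from this client; not a pass
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"            # closed or filtered port, or no route
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"       # handshake completed with only the weak option offered
        except OSError:                 # ssl.SSLError (alert), reset or EOF during the handshake
            return "rejected"

def scan(host, ports=ISE_PORTS):
    return {(port, name): probe(host, port, name) for port in ports for name in PROBES}

def remaining_findings(results):
    """Split scan results into findings still open and probes this client could not run."""
    still_open = sorted(k for k, v in results.items() if v == "accepted")
    untested = sorted(k for k, v in results.items() if v == "unavailable")
    return still_open, untested
```

Run `remaining_findings(scan("ise.lab.example"))` after each settings change; an 'unavailable' entry means the client could not offer that cipher, so re-check it with a scanner that can.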

5 Replies

hslai
Cisco Employee

This is for the EST service, which is used for BYOD Android 6.0+. If you are not using ISE BYOD for Android 6.0+, you may use an external firewall to block this port.

I will check with our team further.

Hi, hslai.

Thank you for looking into it, as well the additional info you provided, I'll look into all the settings I could find if I can remediate this port 8084.

Right now my goal is to at least apply the solutions presented on the qualys scanner, by enabling TLSv1.2 on this specific port if possible.

Is there a way to disable BYOD or port 8084 on Cisco ISE rather than using an external firewall?

Right now there are no plans yet on using BYOD.

If all else is not possible, I'll be writing an exemption letter to proceed with the project.

Thank you.

hslai
Cisco Employee

CSCvv49403 open to track this.

This EST service is not configurable to be ON/OFF. If urgent, please open a TAC case and ask for a hot patch.

Hi, hslai.

I'm not able to open the link you provided.
Thanks for your assistance, very helpful to know that this is not configurable.
I'll write a report for now regarding the vulnerability.

Thank you.

CSCvv49403 this should help