06-27-2024 04:11 PM
We have a distributed ISE deployment with PAN, MNT and PSN nodes. All the ISE nodes are running 3.2.0.542 patch 3. We already disabled TLS 1.0 and 1.1 in the security settings, but it is still listening with the TLS 1.0/1.1 weak ciphers as per the vulnerability report. Please see the attachment.
The VM team performed a vulnerability scan on the ISE nodes to validate TLS vulnerabilities. However, TLS 1.0 and TLS 1.1 weak ciphers are still showing. The vulnerability XML report is attached. TLS 1.0 and 1.1 protocol matches are shown as True. The TAC team was not able to figure out this issue. Any suggestions?
06-28-2024 06:11 AM
You are on ISE 3.2 Patch 3, which is 1 year old. Patch 6 is the latest. First try that. I have a hard time believing TAC never mentioned this to you.
TLS is used in a lot of different services, and neither you nor your vulnerability scan provide any specifics about which ports or scenarios you or the scanner were using TLS on.
06-28-2024 10:43 AM
Thanks Thomas!!
The ISE messaging service is enabled in ISE. Is it possible that these TLS 1.0 and 1.1 vulnerabilities are related to the ISE messaging service?
Vulnerability reported: TLS/SSL Weak Message Authentication Code Cipher Suites
Transport Layer Security version 1.2 and earlier include support for cipher suites which use cryptographically weak Hash-based message authentication codes (HMACs), such as MD5 or SHA1.
TAC recommended upgrading to 3.3, in which there is an option to disable weak ciphers. That option is not available in version 3.2.
NMAP output from one ISE node is below:
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (dh 2048) of lower strength than certificate key
| Key exchange (secp256r1) of lower strength than certificate key
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (dh 2048) of lower strength than certificate key
| Key exchange (secp256r1) of lower strength than certificate key
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (dh 2048) of lower strength than certificate key
| Key exchange (secp256r1) of lower strength than certificate key
|_ least strength: A
8443/tcp filtered https-alt
8444/tcp filtered pcsync-http
8905/tcp closed unknown
9094/tcp filtered unknown
9095/tcp filtered unknown
MAC Address: 02:50:41:00:00:02 (Unknown)
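The weak-MAC finding quoted above is about cipher suites whose name ends in _SHA or _MD5 (HMAC-SHA1 / HMAC-MD5), and the nmap listing shows such suites offered under TLSv1.2 as well as under TLSv1.0/1.1. The following parser, added here as an example and not part of the thread or of Cisco ISE, reads ssl-enum-ciphers output and reports, per protocol version, which suites a scanner would flag for a weak MAC, so the two findings (deprecated protocol versions versus weak-MAC suites) can be separated. The SAMPLE_NMAP text is a constructed, trimmed excerpt in the same shape as the output above; the function names are my own.

```python
"""Summarise the TLS posture shown by nmap's ssl-enum-ciphers script output."""
import re

# Constructed sample in the shape of nmap's ssl-enum-ciphers output
# (trimmed; not the full listing from the thread).
SAMPLE_NMAP = """\
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|_  least strength: A
"""

# Protocol versions that most scanners report as deprecated on sight.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# "|   TLSv1.0:" header lines and "|     TLS_... (kx) - grade" suite lines.
# \s+ tolerates the indentation that copy/paste into a forum tends to collapse.
PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv\d\.\d):\s*$")
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+(\S+)\s*$")


def parse_ssl_enum(text):
    """Return {protocol: [suite names]} from ssl-enum-ciphers output."""
    suites_by_proto = {}
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            suites_by_proto.setdefault(current, [])
            continue
        m = SUITE_RE.match(line)
        if m and current is not None:
            suites_by_proto[current].append(m.group(1))
    return suites_by_proto


def weak_mac(suite):
    """True when the suite's record protection uses HMAC-MD5 or HMAC-SHA1.

    In IANA suite names the trailing token is the PRF/MAC hash: a bare
    "_SHA" means SHA-1 and "_MD5" means MD5. AEAD suites (GCM, CCM,
    CHACHA20_POLY1305) carry no HMAC, and "_SHA256" / "_SHA384" are HMAC-SHA2.
    """
    return suite.endswith("_MD5") or suite.endswith("_SHA")


def assess(text):
    """Separate the two findings a scanner would raise against this output."""
    parsed = parse_ssl_enum(text)
    deprecated = sorted(p for p in parsed if p in DEPRECATED_PROTOCOLS)
    weak = {}
    for proto, suites in parsed.items():
        flagged = [s for s in suites if weak_mac(s)]
        if flagged:
            weak[proto] = flagged
    return {
        "protocols": sorted(parsed),
        "deprecated_protocols": deprecated,
        "weak_mac_suites": weak,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_NMAP).items():
        print(f"{key}: {value}")
```

Running it over the constructed sample reports TLSv1.0 as a deprecated protocol and lists HMAC-SHA1 suites under both TLSv1.0 and TLSv1.2. The practical point for a scan like the one in this thread: turning off TLS 1.0/1.1 clears the deprecated-protocol finding, but a "weak MAC" finding keyed on _CBC_SHA suites will persist for as long as those suites remain in the TLS 1.2 list, so the scanner's XML should be read for which of the two checks actually fired on which port.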
07-01-2024 12:44 PM
I am running ISE 3.2 patch 4 with TLS 1.0/1.1 disabled, and when I use nmap to scan the system it only returns TLS v1.2:
Host is up (0.0060s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (dh 2048) of lower strength than certificate key
| Key exchange (secp256r1) of lower strength than certificate key
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 1.61 seconds
I also have an ISE 3.0 patch 3 system with TLS 1.0/1.1 off, and the scan returned only TLS 1.2.
07-01-2024 07:57 AM