Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
504
Views
1
Helpful
3
Replies

ISE nodes - SSH hitting bug

Da ICS16
Level 1
Level 1

‎04-07-2024 07:57 PM

Dear Community,

We use ISE version 3.x and have SSH enable by default.

We reviewed with this bug article https://terrapin-attack.com/

So it have SSH enabled by default, it will impact.

Could you have alternative solution beside disabled SSH? If yes, please advise or suggestion with ISE hardening practice.

- In case we require to disable SSH. Are there any impact with ISE nodes and endpoints?

Thanks for your supporting.

 

Best Regards,

0 Helpful
3 Replies 3

marce1000
VIP
VIP

‎04-07-2024 11:55 PM

 

                           >...So it have SSH enabled by default, it will impact.
  - That's not an established fact , look for instance at https://github.com/RUB-NDS/Terrapin-Scanner
     If confirmed then contact  TAC,

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

adamscottmaster2013
Level 3
Level 3

‎04-08-2024 04:56 AM

@Da ICS16:  I had to fix this issue with my ISE 3.1 and 3.2 in my environment a few weeks ago.  According to Qualys vulnerability scan:

SSH Prefix Truncation Vulnerability (Terrapin) detected on port: 22
ChaCha20-Poly1305 Algorithm Support: True
CBC-EtM Algorithm Support: True

If you configure your ISE with the following configuration, you will resolve the chacha20 issue:

service sshd enable
service sshd encryption-algorithm aes256-ctr
service sshd encryption-mode ctr
service sshd key-exchange-algorithm ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
service sshd loglevel 4

However, it will not get rid of the CBC issue.  This is the response from ISE when you attempt to ssh to it:

debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
debug2: host key algorithms: ssh-rsa,rsa-sha2-256,rsa-sha2-512
debug2: ciphers ctos: aes256-cbc,aes256-ctr
debug2: ciphers stoc: aes256-cbc,aes256-ctr
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1

To get rid of the CBC and hmac-sha1, you need to contact Cisco TAC and to have them modified the /etc/ssh/sshd_config file.  Keep in mind that if you upgrade or downgrade the ISE, the /etc/ssh/sshd_config file might be overwritten and you might lose those changes.

 

 

Da ICS16
Level 1
Level 1
In response to adamscottmaster2013

‎04-10-2024 02:19 AM

Dear @adamscottmaster2013 ,

let me review it.

 

Thanks,

0 Helpful
Customers Also Viewed These Support Documents