I want to remediate the following vulnerabilities from the Cisco Switches and ACS which are came after scan using Nessus. Your valuable response really helps me.

** Note: The Solutions are suggested by the Nessus during Scan the device. If you want the detailed report then I ready to share the same, please write on my mail: ujchak24@in.ibm.com ***

Waiting for your kind response, please help to resolve the issues.

Vul1: SSH Server CBC Mode Ciphers Enabled: The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.

Solution: Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

Vul2: SSH Weak MAC Algorithms Enabled: The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.

Solution: Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.

Vul3: SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection: The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake.

Solution: Contact the vendor for specific patch information.

Vul4: SSL Certificate Cannot Be Trusted: The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

Solution: Purchase or generate a proper certificate for this service.

Vul5: SSL Certificate Signed using Weak Hashing Algorithm: The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm - MD2, MD4, or MD5.

Solution: Contact the Certificate Authority to have the certificate reissued.

Vul6: SSL Medium Strength Cipher Suites Supported: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Vul7: SSL Self-Signed Certificate: The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.

Solution: Purchase or generate a proper certificate for this service.

Vul8: SSL Version 2 and 3 Protocol Detection: The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

Solution: Consult the application's documentation to disable SSL 2.0 and 3.0. Use TLS 1.1 (with approved cipher suites) or higher instead.

Vul9: SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE): The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.

Solution: Disable SSLv3. Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled.

Vul10: SSL RC4 Cipher Suites Supported: The remote host supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness.

Solution: Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.

Vulnerabilities from ACS:

Vul1: SSH Server CBC Mode Ciphers Enabled: The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.

Solution: Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

Vul2: SSL Certificate Chain Contains RSA Keys Less Than 2048 bits: At least one of the X.509 certificates sent by the remote host has a key that is shorter than 2048 bits. According to industry standards set by the Certification Authority/Browser (CA/B) Forum, certificates issued after January 1, 2014 must be at least 2048 bits.

Solution: Replace the certificate in the chain with the RSA key less than 2048 bits in length with a longer key, and reissue any certificates signed by the old certificate.

Vul3: SSL Certificate Cannot Be Trusted: The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

Solution: Purchase or generate a proper certificate for this service.

Vul4: SSL Certificate Expiry: This plugin checks expiry dates of certificates associated with SSL- enabled services on the target and reports whether any have already expired.

Solution: Purchase or generate a new SSL certificate to replace the existing one.

Vul5: SSL Self-Signed Certificate: The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.

Solution: Purchase or generate a proper certificate for this service.

Vul6: SSL Version 2 and 3 Protocol Detection: The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

Solution: Consult the application's documentation to disable SSL 2.0 and 3.0. Use TLS 1.1 (with approved cipher suites) or higher instead.

Vul7: SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE): The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.

Solution: Disable SSLv3. Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled.