cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
313
Views
0
Helpful
5
Replies

Change cipher in cisco devices

zshowip
Enthusiast
Enthusiast

Hi Please see the below. Command cannot be entered in C2900 switch. Is this switch not be supported or something else? 

Thank you

2.PNG

 

A01(config)#do sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADndtyyuiugharwrtvvgbsyjyuiiuohjfghjr5BN0
b8Hvh9l+KJHw7GYPMGS9uCm2hdgjhdtydrutrynd5yxw==

 

1 Accepted Solution

Accepted Solutions

@zshowip apply a VTY line ACL that limits SSH access to the switch to trusted networks (IT VLANs or dedicated Jump servers etc) will reduce the attack surface. Ideally you'd replace the hardware with something newer that supports stronger ciphers.

View solution in original post

5 Replies 5

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@zshowip this guide implies thats SSH ciphers is not configurable https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_40_se/configuration/guide/scg.pdf those commands would certainly work on newer IOS-XE images.

 

zshowip
Enthusiast
Enthusiast

@Rob Ingram Thank you for your reply. 

We have the below info. Is it possible to remediate the issue without upgrading ios? thanks

 

Deprecated SSH Cryptographic Settings port 22/tcp
QID:
38739
Category:
General remote services
Associated CVEs:
-
Vendor Reference
-
Bugtraq ID:
-
Service Modified:
05/26/2021
User Modified:
-
Edited:
No
PCI Vuln:
Yes
THREAT:
The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another.
The target is using deprecated SSH cryptographic settings to communicate.

IMPACT:
A man-in-the-middle attacker may be able to exploit this vulnerability to record the communication to decrypt the session key and even the messages.
SOLUTION:
Avoid using deprecated cryptographic settings.
Use best practices when configuring SSH.

Refer to Security of Interactive and Automated Access Management Using Secure Shell (SSH) .

Settings currently considered deprecated:

Ciphers using CFB of OFB
Very uncommon, and deprecated because of weaknesses compared to newer cipher chaining modes such as CTR or GCM
RC4 cipher (arcfour, arcfour128, arcfour256)
The RC4 cipher has a cryptographic bias and is no longer considered secure
Ciphers with a 64-bit block size (DES, 3DES, Blowfish, IDEA, CAST)
Ciphers with a 64-bit block size may be vulnerable to birthday attacks (Sweet32)
Key exchange algorithms using DH group 1 (diffie-hellman-group1-sha1, gss-group1-sha1-*)
DH group 1 uses a 1024-bit key which is considered too short and vulnerable to Logjam-style attacks
Key exchange algorithm "rsa1024sha1"
Very uncommon, and deprecated because of the short RSA key size
MAC algorithm "umac-32"
Very uncommon, and deprecated because of the very short MAC length
Cipher "none"
This is available only in SSHv1
COMPLIANCE:
Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
Type Name
key exchange diffie-hellman-group1-sha1
cipher 3des-cbc

@zshowip apply a VTY line ACL that limits SSH access to the switch to trusted networks (IT VLANs or dedicated Jump servers etc) will reduce the attack surface. Ideally you'd replace the hardware with something newer that supports stronger ciphers.

MHM Cisco World
Advisor
Advisor

....

zshowip
Enthusiast
Enthusiast

Thank you!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: