06-22-2022 01:20 PM
Hi We got security vulnerability issue report. We are not sure which cipher should be replaced. http/https are disabled.
Looks like ssh is related with the issue. Anyone can share some suggestions? Thank you
The switch info: CAT3K_CAA-UNIVERSALK9-M, Version 03.06.06E
Security Report says it like the below:
Ciphers using CFB of OFB
Very uncommon, and deprecated because of weaknesses compared to newer cipher chaining modes such as CTR or GCM
RC4 cipher (arcfour, arcfour128, arcfour256)
The RC4 cipher has a cryptographic bias and is no longer considered secure
Ciphers with a 64-bit block size (DES, 3DES, Blowfish, IDEA, CAST)
Ciphers with a 64-bit block size may be vulnerable to birthday attacks (Sweet32)
Key exchange algorithms using DH group 1 (diffie-hellman-group1-sha1, gss-group1-sha1-*)
DH group 1 uses a 1024-bit key which is considered too short and vulnerable to Logjam-style attacks
Key exchange algorithm "rsa1024sha1"
Very uncommon, and deprecated because of the short RSA key size
MAC algorithm "umac-32"
Very uncommon, and deprecated because of the very short MAC length
Cipher "none"
This is available only in SSHv1
Solved! Go to Solution.
06-22-2022 01:34 PM
@Leftz you should look to upgrade your IOS, version 03.06.06E is very old. The newer IOS versions will support the latest ciphers. Something like the following (if supported by your image) would be more secure.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh client algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm mac hmac-sha1
ip ssh dh min size 2048
06-22-2022 01:46 PM
@Leftz if supported by your software image, yes.
You could see if the more secure ciphers such as the following is accepted in your old IOS version:
ip ssh server algorithm mac hmac-sha2-256, hmac-sha2-512, hmac-sha1
SHA2 will be more secure than SHA1.
06-22-2022 01:34 PM
@Leftz you should look to upgrade your IOS, version 03.06.06E is very old. The newer IOS versions will support the latest ciphers. Something like the following (if supported by your image) would be more secure.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh client algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm mac hmac-sha1
ip ssh dh min size 2048
06-22-2022 01:38 PM
@Rob Ingram Thank you very much for your reply!
So the below commands should also fix the issue?
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh client algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm mac hmac-sha1
ip ssh dh min size 2048
06-22-2022 01:46 PM
@Leftz if supported by your software image, yes.
You could see if the more secure ciphers such as the following is accepted in your old IOS version:
ip ssh server algorithm mac hmac-sha2-256, hmac-sha2-512, hmac-sha1
SHA2 will be more secure than SHA1.
06-22-2022 01:49 PM
Thank you very much for your nice explanation. what command can I use to show current cipher that the switch is using?
06-22-2022 01:51 PM
@Leftz use "show ip ssh"
06-22-2022 01:54 PM
Ok I got it. Thank you very much!
06-23-2022 12:58 PM
@Rob Ingram Is it possible to lose ssh connection after adding these cli? thanks
06-23-2022 01:02 PM
@Leftz yes it is possible, best to do it via console. Test the commands on a local switch, before rolling out remotely.
Ensure you are using an up to date ssh client that supports the ciphers
06-23-2022 01:16 PM
Thanks Rob. How to rolling out? I do not think reboot without save can rolling out, right?
and can I say all ciphers at client side have to cover ciphers at its server?
06-23-2022 01:33 PM
@Leftz to rollout I mean you should test all the commands above are accepted by whatever version of IOS-XE you are running on a local switch, that you have console access - confirm they work before rolling out on the remaining switches. A reboot without saving the configuration would reboot with the old settings.
Use the same client and server settings.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide