Disable weak cipher and TLS on CISCO Firepower Management Center

Taro-AB81
Level 1

We are using CISCO Firepower Management Center for VMware with software version 6.1.0.3 (build 57) and software version 6.2.3.14 (build 41). During our VAPT assessment it has been detected that these use weak ciphers and TLS. I logged in via web browser and went through the settings but was not able to locate where to disable them. Could you please advise on this.


Thank you.


Hi,

SSL/TLS settings are configured under Platform Settings, reference here. You should probably consider upgrading 6.1 and 6.2 as they are very outdated.


From FTD 6.6, you can configure DTLS 1.2 if using SSL/TLS VPN.


HTH

Hi,

Thanks for the reply. But under platform I do not see a separate option for SSL settings. I have attached a screenshot. To be specific about the issue I'm facing, the following is the vulnerability that has been reported: (SSL Cipher Block Chaining Cipher Suites Supported - 443)

The platform settings mentioned earlier apply to managed devices. You will see additional options for them on later releases of FMC.

For FMC itself, you need to upgrade the version to get stronger ciphers and TLS 1.2 support. FMC 6.5 disabled TLS 1.0 and 1.1. Here is a scan of an FMC 6.6 server:

nmap -sV --script ssl-enum-ciphers -p 443 <host>
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 19:48 Malay Peninsula Standard Time
Nmap scan report for fmc.ccielab.mrneteng.com (172.31.1.10)
Host is up (0.00s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
|_http-server-header: Apache
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 4096) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (secp256r1) of lower strength than certificate key
|_  least strength: A
MAC Address: 00:0C:29:EF:2F:0F (VMware)


Hi Marvin,
Thanks a lot for your reply. I will propose upgrading to the latest version. Meanwhile, do you think allowing only trusted IP connections via an access list will secure the device?
As shown in my attachment earlier, currently it is set to any.

Yes, restricting the management access to subnets where authorized management users are located can help - assuming this is consistent with your network operations model. It may require using a jumpbox for certain use cases - for instance if you want network admins to be able to access FMC when they are connected to the network via VPN and the VPN addresses are shared with non-admins.

Hi Marvin,


I am currently running 7.0.1 on our FMC but I cannot find any information on where to configure the TLS ciphers for the FMC itself.

Do you know where?


Kind regards

Alex

@alex.f. The FMC ciphersuite is not configurable. As I mentioned in my earlier post, upgrading to newer releases changes the ciphers used by FMC.

Hello @Marvin Rhoads,


Will enabling TLS 1.2 create some disruption on active client-to-site VPN sessions via AnyConnect, or will the new parameter be applied at the next new connection?
Should we expect a global disconnection, or will the new parameter simply be enabled for all new client-to-LAN sessions?

Thanks

Hello

@MaErre21325 TLS on the FMC has no bearing on a client-to-site VPN via AnyConnect; the clients connect to the FTD.

If you've got more questions, create a new thread rather than potentially hijacking this thread.

Updating this old thread, FMC still does not allow you to natively disable weak ciphers.

I had a customer who requested I dig deeper to address an audit finding and found that FMC relies on the Apache web server and we can manage the configuration file it uses to restrict available ciphers. The file is /etc/httpd/httpsd.conf. It has a section as follows:

SSLCipherSuite DHE-DSS-AES256-SHA:AES256-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384

I edited my lab FMC to make the following change:

SSLCipherSuite DHE-DSS-AES256-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:DHE-DSS-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384

(removing the “insecure” ciphers). After making the change with vi (must be root user first), I restarted the FMC from clish using "system restart" and see that fewer ciphers are accepted, removing the ones their scanning service considers insecure.

Scan before: (screenshot attached)

Scan after: (screenshot attached)

Use at your own risk but it doesn't appear to break anything on my FMC 7.4.

NOTE: It may be necessary to reapply the fix after any upgrades.
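As an added illustration (my own example, not Marvin's or Cisco's code), the script below parses the SSLCipherSuite directive quoted above and rebuilds it without the CBC-mode suites that the "SSL Cipher Block Chaining Cipher Suites Supported" finding refers to, optionally also dropping suites without forward secrecy. It relies only on OpenSSL cipher naming conventions (GCM/CCM/CHACHA20 mark AEAD suites, DHE/ECDHE prefixes mark ephemeral key exchange), which is an assumption, so confirm the result with a scan such as the nmap one earlier in the thread before relying on it.

```python
"""Classify and prune an Apache SSLCipherSuite directive (added example)."""
import re

# Directive copied from the thread: the 'before' state of /etc/httpd/httpsd.conf.
FMC_BEFORE = (
    "SSLCipherSuite DHE-DSS-AES256-SHA:AES256-SHA:AES256-GCM-SHA384:"
    "AES128-GCM-SHA256:AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
)


def parse_directive(line):
    """Return the cipher names from an 'SSLCipherSuite a:b:c' line."""
    m = re.match(r"^\s*SSLCipherSuite\s+(\S+)\s*$", line)
    if not m:
        raise ValueError("not an SSLCipherSuite directive")
    return [c for c in m.group(1).split(":") if c]


def classify(cipher):
    """Describe one OpenSSL cipher name by the properties an auditor checks.

    Assumption: OpenSSL naming, where a suite without GCM/CCM/CHACHA20 in its
    name is a CBC-mode suite, and DHE-/ECDHE- prefixes mean ephemeral key exchange.
    """
    aead = any(tag in cipher for tag in ("-GCM-", "-CCM", "CHACHA20"))
    return {
        "name": cipher,
        "mode": "AEAD" if aead else "CBC",
        "forward_secrecy": cipher.startswith(("DHE-", "ECDHE-")),
    }


def harden(line, require_forward_secrecy=False):
    """Rebuild the directive keeping only AEAD suites, in the original order.

    With require_forward_secrecy=True, static-RSA key exchange suites are dropped too.
    """
    keep = []
    for c in map(classify, parse_directive(line)):
        if c["mode"] != "AEAD":
            continue  # CBC suite: the one the scanner flagged
        if require_forward_secrecy and not c["forward_secrecy"]:
            continue  # AEAD but no ephemeral key exchange
        keep.append(c["name"])
    return "SSLCipherSuite " + ":".join(keep)


if __name__ == "__main__":
    print(harden(FMC_BEFORE, require_forward_secrecy=True))
```

Note that suites for certificate key types the FMC does not have (DSS, ECDSA with an RSA server certificate) can never be negotiated, which is why their presence or removal changes nothing in a scan.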

kpyle
Level 1

I keep getting this result in Rapid7 scans, which brought me to this thread. I'm currently running the recommended 7.2.5 version of FDM. One thing I am concerned about is that this is a security device which has the capability to inspect traffic, including decrypting SSL/TLS with a known key. Wouldn't removing the device's ability to decipher weak TLS also hamper its ability to inspect traffic and decrease the security provided by the device? I would think the main concern is that weak ciphers aren't used to connect to the management interfaces of the device. I'm considering testing this by limiting a computer to only using one of the weak ciphers and trying to connect via the management interface of the router. If I can connect then maybe there is value in going through the steps above; if not, then perhaps this is a false reading on the part of the scanner, which is only looking at the fact that the weak cipher exists on the device and not how it's used. I could be thinking about this all wrong.

The instructions for disabling weak ciphers only affect traffic that is TO the device itself. They don't affect traffic THROUGH the device, including SSL decryption, inspection etc.

kpyle
Level 1

I've tried to PuTTY in and use expert mode to find and change the config file listed above. Apparently on 7.2.5 they have moved the ciphers, and they don't appear in that file anymore. So, I'm going to have to do some more digging when I get some time. I'd like to point out though that anyone scanning their environment and eliminating weak ciphers has most likely already eliminated those ciphers from every computer that would be connecting to the device via the management interface anyway. It's kind of dumb on Cisco's part to continue making these ciphers frustrating and difficult to change.

The SSLCipherSuite section is still in my FMC 7.4.1 httpsd.conf file.

They keep the older cipher compatibility in place to give the greatest client compatibility. Any modern client will negotiate a mutually acceptable strong cipher. I have not had any issues disabling the old ones to make my clients' auditors happy though.
