02-20-2023 08:01 AM
Hi
This post follows on from the link below. The question is: after changing the TLS version, the security vulnerability report is the same as before, meaning the change did not remediate the issue. Even with http and https disabled, the issue still exists. The report message is posted below. Does anyone have any suggestions? Thank you very much.
https://community.cisco.com/t5/network-access-control/disabling-tls-v1-1-at-sw/td-p/4774454
----------------------------------------------------------------
172.16.10.10 IP Ubuntu/Linux host scanned, found vuln 38794 Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server Supports Transport Layer Security (TLSv1.1) Active Vuln 3 443 tcp over ssl 44770.46245 44920.88127 29 Deprecating TLS 1.0 and TLS 1.1 0 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.2 (E:U/RL:U/RC:C) Asset Group: Network Devices - US Network Devices - Austin, Collateral Damage Potential: None, Target Distribution: None, Confidentiality Requirement: , Integrity Requirement: , Availability Requirement: 3.4 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) 3.4 (E:U/RL:U/RC:C) "Disable the use of TLSv1.1 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.
The following openssl commands can be used to do a manual test:
openssl s_client -connect ip:port -tls1_1
If the test is successful, then the target support TLSv1.1" TLSv1.1 is supported# no General remote services 25 338 5
Accepted Solutions
02-20-2023 09:47 AM - edited 02-20-2023 09:50 AM
@Leftz if your http and https are disabled and you run openssl to test, then you should get Connection refused.
rob@ubuntu-1:~$ openssl s_client -connect 192.168.10.2:443 -tls1_2
140579900519744:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140579900519744:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111
rob@ubuntu-1:~$ openssl s_client -connect 192.168.10.2:443 -tls1_1
139857395860800:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
139857395860800:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111
Can you confirm http is definitely disabled?
no ip http server
no ip http secure-server
Run "show run | inc tls" and confirm only TLS 1.2 is configured.
C3850(config)#do show run | inc tls
ip http tls-version TLSv1.2
You can confirm what TLS version the switch is configured to use using NMAP, as below:
rob@ubuntu-1:~$ nmap -sV --script ssl-enum-ciphers -p 443 <ip address>
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-20 17:26 UTC
Nmap scan report for 192.168.10.2
Host is up (0.0032s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http nginx
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 4096) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Weak certificate signature: SHA1
|_ least strength: A
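The openssl and nmap checks above can be scripted so that the three outcomes the thread cares about are kept apart: "Connection refused" (HTTPS disabled, so the scanner finding cannot be current), "handshake refused" (service up, that protocol version disabled) and "handshake completed" (version still accepted). This is an added example, not code from the thread or from Cisco; it assumes the probing host's OpenSSL can still offer TLS 1.0/1.1 (checked via the ssl.HAS_TLSv1* flags) and that the target uses a self-signed device certificate, so certificate trust is deliberately not checked.

```python
import socket
import ssl
from enum import Enum

class Result(Enum):
    SUPPORTED = "supported"          # handshake completed at this version
    REJECTED = "rejected"            # port open, server declined this version
    NOT_LISTENING = "not listening"  # connection refused: HTTPS service is off
    ERROR = "error"                  # inconclusive: timeout, reset, client build

VERSIONS = {  # name -> (pinned version, whether this OpenSSL build can even offer it)
    "TLSv1.0": (ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    "TLSv1.1": (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    "TLSv1.2": (ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
}

def classify(exc):
    """Map a probe exception to a Result (order matters: all are OSError subclasses)."""
    if isinstance(exc, ConnectionRefusedError):
        return Result.NOT_LISTENING
    if isinstance(exc, ssl.SSLError):  # our own OpenSSL declining to offer it says nothing about the server
        return Result.ERROR if getattr(exc, "reason", "") == "NO_PROTOCOLS_AVAILABLE" else Result.REJECTED
    return Result.ERROR

def probe(host, port, name, timeout=5.0):
    """One handshake pinned to a single version, like openssl s_client -tls1_x."""
    version, available = VERSIONS[name]
    if not available:
        return Result.ERROR, "client build cannot offer " + name
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # device certs are usually self-signed; we test the protocol, not trust
    ctx.minimum_version = ctx.maximum_version = version
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let modern OpenSSL offer legacy 1.0/1.1 suites
    except ssl.SSLError:
        pass  # builds without security levels keep their defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return Result.SUPPORTED, tls.version()
    except OSError as exc:
        return classify(exc), str(exc)

def deprecated_supported(results):
    """Deprecated versions the server actually accepted (what finding 38794 is about)."""
    return [n for n in ("TLSv1.0", "TLSv1.1") if results.get(n) == Result.SUPPORTED]

def listening(results):
    """False when every probe was refused: HTTPS is disabled, so the finding is stale."""
    return any(r != Result.NOT_LISTENING for r in results.values())
```

Run probe(host, 443, name) for each name in VERSIONS and pass the resulting dict to listening() and deprecated_supported(); an all-refused result is the Connection refused outcome shown above, and an empty deprecated list with TLSv1.2 supported matches the nmap output.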
02-21-2023 11:53 AM
@Leftz no, I do not believe there is a Cisco command.
The configuration certainly seems to confirm neither http nor https is enabled and only TLS1.2 is configured; this mirrored my switch when I ran the above tests to replicate your scenario.
You can run both openssl and nmap on Windows if you don't have Linux to run your own tests. Then get your vulnerability scanner to re-run the test.
02-23-2023 08:04 AM
@Leftz if disabled, I'd say the device will not be exploitable.
02-21-2023 09:14 AM - edited 02-21-2023 09:26 AM
@Rob Ingram Thank you very much for your reply.
The command "openssl s_client -connect 192.168.10.2:443 -tls1_2" cannot be run on a router or switch. We are going to add Linux to run it. Is there a similar Cisco command to run for this purpose?
I can only run the below two commands at this moment.
ESW#show run | in tls
ip http tls-version TLSv1.2
ip http client tls-version TLSv1.2
ESW#sh run | in http
no ip http server
ip http authentication local
no ip http secure-server
ip http tls-version TLSv1.2
ip http client tls-version TLSv1.2
destination transport-method http
02-22-2023 07:12 AM - edited 02-22-2023 07:13 AM
I ran the command show ip sockets on this switch, but it doesn't seem to show anything useful, because I cannot find any difference between before and after closing 80 or 443 with the commands no ip http server or no ip http secure-server.
ESW#show ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 172.16.10.10 2228 0 0 211 0
17 10.1.9.43 55775 172.16.10.10 161 0 0 2001001 0
17 --listen-- 172.16.10.10 162 0 0 2001011 0
17 --listen-- 172.16.10.10 52585 0 0 2001011 0
17(v6) --listen-- --any-- 161 0 0 2020001 0
17(v6) --listen-- --any-- 162 0 0 2020011 0
17(v6) --listen-- --any-- 52448 0 0 2020001 0
02-23-2023 06:48 AM
@Rob Ingram you are right. One question: the vulnerability issue in this case is due to the lower TLS versions 1.0 and 1.1. If the lower versions of TLS are still enabled, but http and https are disabled, does this vulnerability issue still exist theoretically?
02-24-2023 12:45 PM
Thank you!
