Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1145
Views
10
Helpful
4
Replies

Insecurity message with ssh in switch 3850

Go to solution
Leftz
Level 4
Level 4

‎02-01-2022 08:55 AM

Hi We have switch c3850/ver 03.03.01.SE. Now some insecurity message (Please see the below) is sent to us from tenable. 

The device has the below two commands. Are these two commands is the reason for the insecurity? Thank you

 

ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr

 

 

-------

message is from tenable:

"The remote service accepts connections encrypted using SSL 2.0 and/or
SSL 3.0. These versions of SSL are affected by several cryptographic
flaws, including:

- An insecure padding scheme with CBC ciphers.

- Insecure session renegotiation and resumption schemes.

An attacker can exploit these flaws to conduct man-in-the-middle
attacks or to decrypt communications between the affected service and
clients.

Although SSL/TLS has a secure means for choosing the highest supported
version of the protocol (so that these versions will be used only if
the client or server support nothing better), many web browsers
implement this in an unsafe way that allows an attacker to downgrade
a connection (such as in POODLE). Therefore, it is recommended that
these protocols be disabled entirely.

NIST has determined that SSL 3.0 is no longer acceptable for secure
communications. As of the date of enforcement found in PCI DSS v3.1,
any version of SSL will not meet the PCI SSC's definition of 'strong
cryptography'."

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎02-01-2022 09:00 AM

@Leftz that message from tenable is probably referring to the https server that is enabled on the switch, not ssh.

If you are not using it you can disable using "no ip http secure-server" you can also disable http server "no ip http server".

View solution in original post

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

‎02-01-2022 02:59 PM

@Leftz wrote:

We have switch c3850/ver 03.03.01.SE.

If the switch's firmware cannot/will-not be upgraded, anything else is an exercise of futility.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Rob Ingram
VIP
VIP

‎02-01-2022 09:00 AM

@Leftz that message from tenable is probably referring to the https server that is enabled on the switch, not ssh.

If you are not using it you can disable using "no ip http secure-server" you can also disable http server "no ip http server".

Go to solution
Leftz
Level 4
Level 4

‎02-01-2022 09:22 AM

Hi Rob, Thank you very much! I think you are right.

0 Helpful

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

‎02-01-2022 02:59 PM

@Leftz wrote:

We have switch c3850/ver 03.03.01.SE.

If the switch's firmware cannot/will-not be upgraded, anything else is an exercise of futility.

0 Helpful

Go to solution
Leftz
Level 4
Level 4

‎02-02-2022 08:26 AM

Thank you Leo!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card