Nexus 9300 security issue

Leftz
Level 9
Level 9

Hi, a Nexus 9300 has a security vulnerability issue according to the Qualys report below. The configuration uses the default SSH setup without any HTTP or HTTPS configuration, and I also cannot see any TLS configuration via the commands below. The report seems to point to an issue related to TLS, but I cannot see any TLS-related issue via the commands below. Can anyone share some experience? Thank you.

 

SW01# show run | include "line"
line console
line vty

SW01# show run | include tls

SW01# show run | include TLS

(shows no result)

 

----- Qualys info as below -------

IP: 192.168.2.2
Tracking Method: IP
OS: Cisco Nexus Switch
IP Status: host scanned, found vuln
QID: 38739
Title: Deprecated SSH Cryptographic Settings
Vuln Status: Active
Type: Vuln
Severity: 3
Port / Protocol: 22 / tcp
SSL: over ssl
First Detected / Last Detected (spreadsheet date serials): 44878.88163 / 44920.90683
Times Detected: 13
Reference: Deprecating TLS 1.0 and TLS 1.1
CVSS: 2.2
CVSS Base: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal: 2.2 (E:U/RL:U/RC:C)
CVSS Environment: Asset Group: Network Devices - US Network Devices - Seattle, Collateral Damage Potential: Not Defined, Target Distribution: Not Defined, Confidentiality Requirement: Not Defined, Integrity Requirement: Not Defined, Availability Requirement: Not Defined
CVSS3: 3.4
CVSS3 Base: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS3 Temporal: 3.4 (E:U/RL:U/RC:C)
Solution: "Disable the use of TLSv1.1 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.

The following openssl commands can be used to do a manual test:

openssl s_client -connect ip:port -tls1_1

If the test is successful, then the target support TLSv1.1"
Results: TLSv1.1 is supported#
PCI Vuln: no
Category: General remote services
(remaining columns: 25   338   5)
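As an added example (not from this thread and not Cisco's or Qualys' code), the manual openssl s_client -tls1_1 check from the solution text, scripted so it asks about each TLS version in turn and keeps "the server accepted it" apart from "my own OpenSSL build refused to offer it" and "the port did not answer". It assumes the host and port are given on the command line; everything else is the Python standard library.

```python
import socket
import ssl
import sys

# Versions to ask about. TLS 1.0 and 1.1 are the deprecated ones (RFC 8996);
# the newer two are probed so the report also shows what the listener should offer.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = {"TLSv1.0", "TLSv1.1"}

ACCEPTED = "accepted"                        # server completed a handshake at that version
REJECTED = "rejected"                        # server answered the offer with an alert / failure
CLIENT_CANNOT_OFFER = "client-cannot-offer"  # local OpenSSL build will not send that version


def probe_version(host, port, version, timeout=5.0):
    """Handshake with the client pinned to exactly one protocol version.

    Returns ACCEPTED, REJECTED, CLIENT_CANNOT_OFFER, or 'error: <reason>' for
    transport failures (closed port, reset, timeout), which prove nothing about
    TLS either way and must be reported as undecided, not as fixed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The question is protocol support, not certificate validity, so a
    # self-signed device certificate must not mask the answer.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:          # OpenSSL built without that protocol at all
        return CLIENT_CANNOT_OFFER
    try:
        # OpenSSL 3 disables TLS 1.0/1.1 at security level >= 1; level 0 lets
        # the client at least offer them so the server's decision is observable.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass                    # older OpenSSL / LibreSSL: keep the defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ACCEPTED if tls.version() else REJECTED
    except ssl.SSLError as exc:
        if "no protocols available" in str(exc).lower():
            return CLIENT_CANNOT_OFFER
        return REJECTED
    except OSError as exc:
        return f"error: {exc}"


def scan(host, port, timeout=5.0):
    """Probe every version in VERSIONS; returns {name: verdict}."""
    return {name: probe_version(host, port, ver, timeout) for name, ver in VERSIONS.items()}


def assess(results):
    """Split a scan into (deprecated versions the server accepted, versions the
    check could not decide). Only a completed handshake counts as a finding."""
    findings = sorted(v for v, r in results.items() if v in DEPRECATED and r == ACCEPTED)
    undecided = sorted(v for v, r in results.items()
                       if r == CLIENT_CANNOT_OFFER or r.startswith("error:"))
    return findings, undecided


if __name__ == "__main__":
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    results = scan(target_host, target_port)
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    findings, undecided = assess(results)
    print("deprecated versions accepted:", ", ".join(findings) or "none")
    if undecided:
        print("could not decide:", ", ".join(undecided))
```

Run it as python3 tls_probe.py 192.168.2.2 443 (443 is the NX-API HTTPS port shown later in this thread). Two things the openssl one-liner hides: a refused or reset connection is reported as undecided rather than as "not supported", and on OpenSSL 3 the SECLEVEL=0 cipher string is what keeps the TLS 1.0/1.1 probes meaningful, otherwise the client never offers them and every scanner-reported finding would look fixed.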

 

 

7 Replies

balaji.bandi
Hall of Fame
Hall of Fame

Check show run | in http

show ssh (also check whether any older SSH version is running)

Also, if you enable the API, the default is TLS 1.1 - show nxapi

#nxapi ssl-protocols {TLSv1.0 TLSv1.1 TLSv1.2}

You can issue this and see which ports are listening:

# show sockets connection tcp

 

BB

===== Preenayamo Vasudevam =====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Leftz
Level 9
Level 9

Thanks for your reply. I can see local ports 22, 161, and 179 via the command show sockets connection tcp, but I cannot see port 449, which is related to TLS.

As mentioned above, show ssh / show ip ssh and show run | in http do not show any result, but see below:

SW01# show nxapi
nxapi enabled
HTTP Listen on port 80
HTTPS Listen on port 443

Do we have a command to disable the ports?

no feature http-server does not work.

If you are not using the Nexus API you can remove it:

 

NX-API Management Commands

You can enable and manage NX-API with the CLI commands listed in the following table.

Table 1. NX-API Management Commands

  feature nxapi                          Enables NX-API.
  no feature nxapi                       Disables NX-API.
  nxapi {http|https} port port           Specifies a port.
  no nxapi {http|https}                  Disables HTTP/HTTPS.
  show nxapi                             Displays port information.
  nxapi certificate {httpscrt|httpskey}  Specifies the upload of the following:
                                           • HTTPS certificate when httpscrt is specified.
                                           • HTTPS key when httpskey is specified.
  nxapi certificate enable               Enables a certificate.

 

If the above message is not visible, use the guide below:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/programmability/guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide_chapter_011.html

BB
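As an added example (not from this thread and not Cisco's code), a small Python checker that reads show nxapi output in the form Leftz posted above and decides which command from the table applies: no feature nxapi when the API is not used at all, or no nxapi http when only the plaintext listener should go while HTTPS stays. The sample output is constructed from the three lines quoted in this thread; the two regular expressions assume that line format and nothing else, so a release that prints extra fields is simply ignored rather than misread.

```python
import re

# Constructed sample, modelled on the 'show nxapi' lines quoted in this thread.
SAMPLE_SHOW_NXAPI = """\
nxapi enabled
HTTP Listen on port 80
HTTPS Listen on port 443
"""

STATE_RE = re.compile(r"^\s*nxapi\s+(enabled|disabled)\s*$", re.IGNORECASE)
LISTEN_RE = re.compile(r"^\s*(HTTPS?)\s+Listen\s+on\s+port\s+(\d+)\s*$", re.IGNORECASE)


def parse_show_nxapi(text):
    """Return (nxapi_enabled, {'HTTP': port, 'HTTPS': port}) from the output.
    Lines matching neither pattern are ignored."""
    enabled = False
    listeners = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            enabled = m.group(1).lower() == "enabled"
            continue
        m = LISTEN_RE.match(line)
        if m:
            listeners[m.group(1).upper()] = int(m.group(2))
    return enabled, listeners


def remediation(enabled, listeners, keep=frozenset()):
    """Config-mode commands (the forms from the NX-API table in this thread)
    that close every listener not named in `keep`. Returns [] when nothing
    is exposed. With an empty `keep` the API is not needed, so the whole
    feature goes rather than one port at a time."""
    if not enabled or not listeners:
        return []
    if not keep:
        return ["no feature nxapi"]
    cmds = []
    for scheme in ("HTTP", "HTTPS"):
        if scheme in listeners and scheme not in keep:
            cmds.append(f"no nxapi {scheme.lower()}")
    return cmds


def exposed_ports(text, keep=frozenset()):
    """Verification step: feed the post-change 'show nxapi' output back in and
    get {scheme: port} for anything still listening that should not be."""
    enabled, listeners = parse_show_nxapi(text)
    if not enabled:
        return {}
    return {s: p for s, p in listeners.items() if s not in keep}


if __name__ == "__main__":
    on, ports = parse_show_nxapi(SAMPLE_SHOW_NXAPI)
    print("nxapi enabled:", on, "listeners:", ports)
    print("to close everything:", remediation(on, ports))
    print("to keep HTTPS only:", remediation(on, ports, keep={"HTTPS"}))
    print("still exposed if HTTPS is kept:", exposed_ports(SAMPLE_SHOW_NXAPI, keep={"HTTPS"}))
```

After applying the commands, paste the new show nxapi output into exposed_ports; an empty result is the condition to rescan against. Keeping HTTPS only removes the plaintext listener, not the TLS 1.1 finding on 443: which protocol versions that listener offers is a separate, release-dependent setting, as the rest of this thread shows.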

Leftz
Level 9
Level 9

Great! no nxapi http/https can be entered. It should work.

Thank you!

Leftz
Level 9
Level 9

The command "nxapi ssl-protocols {TLSv1.0 TLSv1.1 TLSv1.2}" cannot be run on this switch. I do not know why.

Please see below:

SW01(config)# nxapi ?
certificate Https certificate configuration
http Http configuration
https Https configuration
use-vrf Vrf to be used for nxapi communication

It depends on the Nexus code you use. Check the command reference for your version for more.

BB

Leftz
Level 9
Level 9

Thanks!
