1395 Views, 0 Helpful, 3 Replies

SSH and cipher issue in Nexus 9300

Leftz
Level 4

Hi, we got the below info from Qualys for a security vulnerability issue in a Nexus 9300 device. It looks like the cipher needs updating and the SSH RSA key length needs to be changed. I reviewed the below link, but cannot find any configuration to change the cipher or SSH. Does anyone have any suggestions? Thanks

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/security/configuration/guide/b-cisco-nexus-9000-nx-os-security-configuration-guide-93x/b-cisco-nexus-9000-nx-os-security-configuration-guide-93x_chapter_0111.html

 

192.168.2.2 IP Cisco Nexus Switch host scanned, found vuln 38739 Deprecated SSH Cryptographic Settings Active Vuln 3 22 tcp 44738.85147 44920.84907 33 0 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 4.7 (E:U/RL:W/RC:UC) Asset Group: Network Devices - US Network Devices - 4050, Collateral Damage Potential: None, Target Distribution: None, Confidentiality Requirement: , Integrity Requirement: , Availability Requirement: 5.3 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) 5.3 (E:U/RL:W/RC:U)

"Avoid using deprecated cryptographic settings.
Use best practices when configuring SSH.
Refer to Security of Interactive and Automated Access Management Using Secure Shell (SSH) (https://protect-us.mimecast.com/s/BQIdC1wvjMupN0D1UG9SYb?domain=csrc.nist.gov).
Settings currently considered deprecated:
- Ciphers using CFB of OFB: Very uncommon, and deprecated because of weaknesses compared to newer cipher chaining modes such as CTR or GCM
- RC4 cipher (arcfour, arcfour128, arcfour256): The RC4 cipher has a cryptographic bias and is no longer considered secure
- Ciphers with a 64-bit block size (DES, 3DES, Blowfish, IDEA, CAST): Ciphers with a 64-bit block size may be vulnerable to birthday attacks (Sweet32)
- Key exchange algorithms using DH group 1 (diffie-hellman-group1-sha1, gss-group1-sha1-*): DH group 1 uses a 1024-bit key which is considered too short and vulnerable to Logjam-style attacks
- Key exchange algorithm "rsa1024sha1": Very uncommon, and deprecated because of the short RSA key size
- MAC algorithm "umac-32": Very uncommon, and deprecated because of the very short MAC length
- Cipher "none": This is available only in SSHv1"

Type           Name
key exchange   diffie-hellman-group1-sha1

yes General remote services Network Devices -

3 Replies

tpdagandan
Level 1

Hi @Leftz, you can disable the weak KEX algorithm and MAC manually by accessing the bash-shell and manually deleting the flagged algorithms, since Cisco Nexus cannot configure SSH algorithms in the CLI alone.

switch# configure terminal
Enter configuration commands
switch(config)# feature bash-shell
switch(config)# run bash

Edit the SSHD config file:
bash-4.2$ sudo su
bash-4.2# vi /isan/etc/dcos_sshd_config

Starting from here we will add or remove the configuration needed to secure the Nexus device. After this you can see the default algorithms enabled in your Cisco Nexus device. Manually delete them and restart the sshd process.

Restart the SSHD process (this should be done with care as it can kill all SSH connections to the switch):
bash-4.2# service sshd restart

*This is a temporary solution, since if the switch restarts it will run the default enabled algorithms, but we can still disable the algorithm flags manually again.
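As an added example (not code from this thread, from Cisco, or from Qualys), the script below turns the deprecated-settings list in the Qualys finding quoted in the original post into a checker you can run yourself: it parses an SSH_MSG_KEXINIT payload (RFC 4253) to audit which key-exchange, cipher and MAC algorithms a server advertises, and it strips the same algorithms from KexAlgorithms/Ciphers/MACs lines in an sshd_config-style file like the one edited in the reply above. The KEXINIT payload and the config fragment are constructed samples. Two assumptions: dcos_sshd_config uses OpenSSH keyword syntax, and the Qualys name "rsa1024sha1" corresponds to the RFC 4432 kex name rsa1024-sha1.

```python
import re
import struct

# Deprecation rules mirror the Qualys QID 38739 list quoted in the original post;
# the finding's "rsa1024sha1" is taken to be the RFC 4432 kex name rsa1024-sha1.
SSH_MSG_KEXINIT = 20
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
# sshd_config keyword -> algorithm kind (assumes dcos_sshd_config uses OpenSSH syntax)
KEYWORDS = {"kexalgorithms": "kex", "ciphers": "cipher", "macs": "mac"}

def deprecation_reason(kind, name):
    """Why algorithm `name` of `kind` (kex/cipher/mac) is deprecated, or None if it is not."""
    if kind == "kex":
        if name == "diffie-hellman-group1-sha1" or name.startswith("gss-group1-sha1-"):
            return "DH group 1 (1024-bit, Logjam-style attacks)"
        return "short RSA key size" if name == "rsa1024-sha1" else None
    if kind == "mac":
        return "very short MAC length" if name == "umac-32" else None
    if name == "none":
        return "cipher 'none' (SSHv1 only)"
    if name.startswith("arcfour"):
        return "RC4 cryptographic bias"
    if name.endswith(("-cfb", "-ofb")):
        return "CFB/OFB chaining mode"
    if name.split("-")[0] in {"des", "3des", "blowfish", "cast128", "idea"}:
        return "64-bit block size (Sweet32)"
    return None

def _name_list(buf, off):
    """Decode one RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    body = buf[off + 4:off + 4 + n]
    if len(body) != n:
        raise ValueError("truncated name-list")
    text = body.decode("ascii")
    return (text.split(",") if text else []), off + 4 + n

def parse_kexinit(payload):
    """Split an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, out = 17, {}  # skip the 1-byte message id and the 16-byte cookie
    for field in FIELDS:
        out[field], off = _name_list(payload, off)
    return out

def build_kexinit(lists):
    """Encode a KEXINIT payload; used here only to construct the sample input."""
    buf = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        body = ",".join(lists.get(field, [])).encode("ascii")
        buf += struct.pack(">I", len(body)) + body
    return buf + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def audit_kexinit(payload):
    """List (kind, algorithm, reason) for each deprecated algorithm the peer advertises."""
    lists, seen, findings = parse_kexinit(payload), set(), []
    for kind, fields in (("kex", ["kex"]), ("cipher", ["enc_c2s", "enc_s2c"]),
                         ("mac", ["mac_c2s", "mac_s2c"])):
        for alg in (a for f in fields for a in lists[f]):
            reason = deprecation_reason(kind, alg)
            if reason and (kind, alg) not in seen:
                seen.add((kind, alg))
                findings.append((kind, alg, reason))
    return findings

def harden_sshd_config(text):
    """Drop deprecated algorithms from KexAlgorithms/Ciphers/MACs lines; returns (text, removed).
    A line whose whole list is deprecated is commented out, since sshd rejects an empty list."""
    out, removed = [], []
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s+(\S+)\s*$", line)
        kind = KEYWORDS.get(m.group(1).lower()) if m else None
        if kind is None:
            out.append(line)  # comments, blank lines and unrelated keywords pass through
            continue
        algs = m.group(2).split(",")
        keep = [a for a in algs if not deprecation_reason(kind, a)]
        removed += [(kind, a) for a in algs if deprecation_reason(kind, a)]
        out.append(f"{m.group(1)} {','.join(keep)}" if keep
                   else f"# {line}   (every listed algorithm is deprecated)")
    return "\n".join(out) + "\n", removed

# Constructed sample: what a switch might advertise, and the matching config, before hardening.
_ENC, _MAC = ["aes128-ctr", "aes256-ctr", "3des-cbc", "arcfour"], ["hmac-sha1", "umac-32"]
SAMPLE_KEXINIT = build_kexinit({
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1", "ecdh-sha2-nistp256"],
    "hostkey": ["ssh-rsa"], "enc_c2s": _ENC, "enc_s2c": _ENC, "mac_c2s": _MAC, "mac_s2c": _MAC,
    "comp_c2s": ["none"], "comp_s2c": ["none"]})
SAMPLE_CONFIG = """\
Port 22
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,ecdh-sha2-nistp256
Ciphers aes128-ctr,aes256-ctr,3des-cbc,arcfour
MACs hmac-sha1,umac-32
"""

if __name__ == "__main__":
    print(*audit_kexinit(SAMPLE_KEXINIT), sep="\n")
    print(harden_sshd_config(SAMPLE_CONFIG)[0])
```

In practice you would feed `audit_kexinit` the server's KEXINIT captured from a test connection before and after the change, so the scanner's finding can be confirmed and then shown closed, and run `harden_sshd_config` over a copy of the switch's config file to review the diff before writing it back. Keep a console session open while restarting sshd, since the restart drops existing SSH sessions as the reply notes.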

balaji.bandi
Hall of Fame

What is the version of Nexus code running on the device?

Check Cisco PSIRT and get the latest version with the fix; I also suggest upgrading to the latest code.

https://sec.cloudapps.cisco.com/security/center/publicationListing.x

BB


Tg7361
Level 1

Follow-up question:
1) Are we sure we need to edit /isan/etc/dcos_sshd_config and not /isan/etc/sshd_config? Does anyone know the difference? (Or should we change both?)

2) Is there an approach that will survive a reboot of the switch?
