03-13-2023 01:57 PM - edited 03-13-2023 02:11 PM
Hi, we got the below info from Qualys for a security vulnerability issue on a Nexus 9300 device. It looks like the cipher needs updating and the SSH RSA key length needs to be changed. I reviewed the below link, but cannot find any configuration to change the cipher or SSH settings. Does anyone have any suggestions? Thanks
192.168.2.2 IP Cisco Nexus Switch host scanned, found vuln 38739 Deprecated SSH Cryptographic Settings Active Vuln 3 22 tcp 44738.85147 44920.84907 33 0 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 4.7 (E:U/RL:W/RC:UC) Asset Group: Network Devices - US Network Devices - 4050, Collateral Damage Potential: None, Target Distribution: None, Confidentiality Requirement: , Integrity Requirement: , Availability Requirement: 5.3 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) 5.3 (E:U/RL:W/RC:U)
"Avoid using deprecated cryptographic settings.
Use best practices when configuring SSH.
Refer to Security of Interactive and Automated Access Management Using Secure Shell (SSH) (https://protect-us.mimecast.com/s/BQIdC1wvjMupN0D1UG9SYb?domain=csrc.nist.gov).
Settings currently considered deprecated:
Ciphers using CFB or OFB: Very uncommon, and deprecated because of weaknesses compared to newer cipher chaining modes such as CTR or GCM
RC4 cipher (arcfour, arcfour128, arcfour256): The RC4 cipher has a cryptographic bias and is no longer considered secure
Ciphers with a 64-bit block size (DES, 3DES, Blowfish, IDEA, CAST): Ciphers with a 64-bit block size may be vulnerable to birthday attacks (Sweet32)
Key exchange algorithms using DH group 1 (diffie-hellman-group1-sha1, gss-group1-sha1-*): DH group 1 uses a 1024-bit key which is considered too short and vulnerable to Logjam-style attacks
Key exchange algorithm "rsa1024sha1": Very uncommon, and deprecated because of the short RSA key size
MAC algorithm "umac-32": Very uncommon, and deprecated because of the very short MAC length
Cipher "none": This is available only in SSHv1"
Type: key exchange
Name: diffie-hellman-group1-sha1
yes General remote services Network Devices -
12-11-2023 11:37 PM
Hi @Leftz, you can disable the weak kex algorithms and MACs manually by accessing the bash shell and deleting the algorithm flags by hand, since Cisco Nexus cannot configure SSH algorithms in the CLI alone.
switch# configure terminal
Enter configuration commands
switch(config)# feature bash-shell
switch(config)# run bash
Edit the SSHD config file:
bash-4.2$ sudo su
bash-4.2# vi /isan/etc/dcos_sshd_config
Starting from here we will add or remove the configuration needed to secure the Nexus device.
After this you can see the default algorithms enabled on your Cisco Nexus device. Manually delete them and restart the sshd process.
Restart the SSHD process (This should be done with care as it can kill all SSH connections to the switch):
bash-4.2# service sshd restart
*This is a temporary solution, since if the switch restarts it will run the default enabled algorithms again, but we can still disable the algorithm flags manually again.
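As an added example (not code from this thread, Cisco or Qualys), a small Python audit that checks an sshd_config-style file such as the one edited above against the deprecated list from the Qualys finding and rewrites the algorithm lines without those entries. SAMPLE is a constructed stand-in for the real file; the keyword names are standard sshd_config keywords and are assumed to apply to the Nexus file.

```python
import re

# Deprecated SSH settings as listed in the Qualys finding (rsa1024sha1 is
# spelled rsa1024-sha1 in SSH implementations; both spellings are matched).
DEPRECATED = {
    "Ciphers": re.compile(r"-cfb|-ofb|^arcfour|^3des-|^des-|^blowfish-|^idea-|^cast128-|^none$"),
    "KexAlgorithms": re.compile(r"diffie-hellman-group1-sha1|gss-group1-sha1|rsa1024-?sha1"),
    "MACs": re.compile(r"^umac-32"),
}

def _split(line):
    """Return (keyword, [algorithms]) for a Ciphers/KexAlgorithms/MACs line, else (None, None)."""
    parts = line.strip().split(None, 1)
    if len(parts) == 2 and parts[0] in DEPRECATED:
        return parts[0], [a.strip() for a in parts[1].split(",") if a.strip()]
    return None, None

def audit(config_text):
    """Map each algorithm keyword present in the config to the deprecated entries still enabled."""
    report = {}
    for line in config_text.splitlines():
        keyword, algs = _split(line)
        if keyword:
            report[keyword] = [a for a in algs if DEPRECATED[keyword].search(a)]
    return report

def strip_deprecated(config_text):
    """Return the config with deprecated entries removed from the three algorithm lines.

    Refuses to empty a line: a missing keyword makes sshd fall back to its
    built-in defaults, which may re-enable exactly what was just removed.
    """
    out = []
    for line in config_text.splitlines():
        keyword, algs = _split(line)
        if keyword:
            kept = [a for a in algs if not DEPRECATED[keyword].search(a)]
            if not kept:
                raise ValueError(f"{keyword}: no non-deprecated entries left; set the list explicitly")
            line = f"{keyword} {','.join(kept)}"
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample in sshd_config syntax; not a real Nexus file.
SAMPLE = """\
# constructed sample
Port 22
Ciphers aes256-gcm@openssh.com,aes128-ctr,3des-cbc,arcfour,aes256-cbc
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
MACs hmac-sha2-256,hmac-sha1
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(strip_deprecated(SAMPLE))
```

Run it against a copy of the file pulled off the switch and diff the result before touching the live file, since a restart of sshd with a broken config drops every management session.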
12-12-2023 01:49 AM
What is the version of Nexus code running on the device?
Check Cisco PSIRT and get the latest version with the fix; I also suggest upgrading to the latest code.
https://sec.cloudapps.cisco.com/security/center/publicationListing.x
02-07-2024 05:09 AM
Follow up question:
1) Are we sure we need to edit /isan/etc/dcos_sshd_config and not /isan/etc/sshd_config?
Does anyone know the difference? (Or should we change both?)
2) Is there an approach that will survive a reboot of the switch?
09-24-2024 11:47 PM
Hi,
We are also facing this issue.
We already upgraded NX-OS to 10.3.6,
but when we scan with Qualys again, the vulnerability still exists: SHA1 deprecated setting for SSH.
How do we disable SHA1 with a permanent solution?
09-24-2024 11:58 PM
Hi @Agung1007 ,
I think newer versions of NX-OS permit you to edit the supported SSH algorithms in the CLI. I'm not sure if it's 10.4 or 10.3. Please refer to the NX-OS release notes for this. I am sure I read it somewhere.
The commands I recommended are a temporary solution only.
09-25-2024 11:41 PM
If you upgrade to the latest Nexus code, follow the security code and change the ciphers needed: