SSH Weak MAC Algorithms Enabled

Manish221
Level 1

Our security team is reporting a vulnerability related to "SSH Weak MAC Algorithms Enabled" for one of my WS-C3750G-24TS-1U switches.

As far as I know, the user will send the required negotiation cipher to access the device and the device just accepts it.

Also, I don't find any option to disable ciphers on the device?

The actual error they shared is: SSH is configured to allow MD5 and 96-bit MAC algorithms for client-to-server communication.

I am running IOS c3750-ipservicesk9-mz.122-55.SE9.bin.

Regards,

Manish Rawat

2 Replies

Charles Hill
VIP Alumni

Hello Manish,

I don't believe you can disable MD5 and 96-bit MAC algorithms on a Cisco device, but you can harden the switch by disabling SSH version 1 by entering

"ip ssh version 2".

The client that is initiating the connection can force which algorithms are used.

Below are the options when initiating an SSH connection from a Cisco device.

ssh [-v {1 | 2} | -c {aes128-ctr | aes192-ctr | aes256-ctr | aes128-cbc | 3des-cbc | aes192-cbc | aes256-cbc} | -l user-id | -l user-id:vrf-name number ip-address ip-address | -l user-id:rotary number ip-address | -m {hmac-md5 | hmac-md5-96 | hmac-sha1 | hmac-sha1-96} | -o numberofpasswordprompts n | -p port-num] {ip-addr | hostname} [command | -vrf]

The following link gives best practices for hardening a Cisco device.

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html#anc37

Hope this helps,

if so, please rate.
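A check worth running before arguing with the audit team, added here as an example and not part of the thread or of any Cisco code: scanners derive "weak MAC algorithms enabled" from the name-lists the server sends in its SSH_MSG_KEXINIT (RFC 4253, section 7.1), i.e. from what the switch offers, so which MAC a given client picks with -m does not change the finding, and restricting the server to SSH version 2 does not shorten that list either. The script below connects to a host, exchanges version strings, reads the server's KEXINIT and parses the ten name-lists, then flags the MD5-based and 96-bit-truncated MACs the audit complained about. The placeholder target address and SAMPLE_KEXINIT (a constructed payload using the algorithm names from the ssh syntax line above) are assumptions, not captures from the poster's switch.

```python
"""Show which MAC algorithms an SSH server advertises in its KEXINIT.

Added example for this thread; not Cisco code and not from the original posts.
Audit tools judge "weak MACs" from the server's SSH_MSG_KEXINIT name-lists
(RFC 4253, section 7.1), i.e. from what the server offers, not from what one
client picks with -m.  The target address and SAMPLE_KEXINIT are assumptions /
constructed data, not captures from the poster's switch.
"""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20

# Order of the name-lists inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

def is_weak_mac(name):
    """MD5-based or 96-bit-truncated MACs, i.e. the ones the audit in the thread flagged."""
    base = name.split("@", 1)[0]          # drop a vendor suffix such as umac-96@openssh.com
    return base.startswith("hmac-md5") or base.endswith("-96")

def parse_kexinit(payload):
    """Parse a KEXINIT payload (message id, 16-byte cookie, ten name-lists) into a dict."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, fields = 1 + 16, {}              # skip the message id and the random cookie
    for field in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated name-list: " + field)
        fields[field] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + length
    return fields

def weak_macs(fields):
    """Weak MACs offered per direction (the thread's finding was client-to-server)."""
    return {d: [m for m in fields[d] if is_weak_mac(m)]
            for d in ("mac_client_to_server", "mac_server_to_client")}

def build_kexinit(**lists):
    """Build a KEXINIT payload from name-lists; used only for the constructed sample."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)          # an all-zero cookie is fine here
    for field in KEXINIT_FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)         # first_kex_packet_follows, reserved

# Constructed sample using the algorithm names from the thread's "ssh" syntax line;
# the kex/host-key entries are assumptions, not a capture from the poster's switch.
SAMPLE_KEXINIT = build_kexinit(
    kex_algorithms=["diffie-hellman-group1-sha1"], server_host_key_algorithms=["ssh-rsa"],
    encryption_client_to_server=["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    encryption_server_to_client=["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    mac_client_to_server=["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
    mac_server_to_client=["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
    compression_client_to_server=["none"], compression_server_to_client=["none"],
)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf

def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Exchange version strings and return the server's first packet payload (its KEXINIT)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        line = b""
        while not line.startswith(b"SSH-"):             # banner lines may precede the version
            line = b""
            while not line.endswith(b"\n"):
                line += _recv_exact(sock, 1)            # byte-wise, so nothing past the line is eaten
        sock.sendall(b"SSH-2.0-macaudit_0.1\r\n")
        packet_length, padding_length = struct.unpack(">IB", _recv_exact(sock, 5))
        body = _recv_exact(sock, packet_length - 1)     # payload + padding; no MAC before NEWKEYS
        return body[:packet_length - 1 - padding_length]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"   # assumption: placeholder
    offered = parse_kexinit(fetch_server_kexinit(target))
    for direction, macs in weak_macs(offered).items():
        print("%s: offered %s, weak %s" % (direction, offered[direction], macs))
```

Run it as `python3 sshmacs.py <switch-ip>`; the output is the same list the scanner keyed on, so if hmac-md5 or a -96 variant appears in mac_client_to_server the report is accurate regardless of how operators' clients are configured. The script only reads the server's first packet and never authenticates, so it is safe to point at a production switch.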

 

Hello Cehill,

I agree that we cannot disable the SSH algorithm.

What should I do so that the security audit team does not report this vulnerability?