SSL Medium Strength Cipher Suites Supported vulnerability
02-19-2010 10:25 AM - edited 02-21-2020 03:53 AM
Kind of an odd thing. We just had a vulnerability scan and a 2960 got pinged for supporting medium strength SSL cipher suites. I say strange 'cause I have 3 others that have the same IOS image and they didn't get pinged. Swap out the management IP address and they are all the same. They are all running 12.2(52)SE C2960-LANBASEK9-M, with 768-bit keys. Here is the text of the vulnerability:
Synopsis : The remote service supports the use of medium strength SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here are the medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
  EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
  DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
  EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
  DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
The fields above are :
  {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
Can someone point me in the right direction on how to re-configure the switch to pass this test?
Thanks
Poirot
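Added example, not part of the original thread or of the scanner: a small Python parser for the plugin output format quoted above that picks out the suites in the report's 56-to-112-bit band from the Enc= field. The function names and the AES128-SHA and EXP-RC4-MD5 sample lines are constructed for illustration.

```python
import re

# Constructed sample: the four suites quoted in the post, plus two lines
# (AES128-SHA, EXP-RC4-MD5) added here to exercise the other outcomes.
SAMPLE = """\
SSLv3
  EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
  DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
  EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
  DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
  AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

# {ciphername} Kx=.. Au=.. Enc=ALG(bits) Mac=.. {export flag}
SUITE_RE = re.compile(
    r"^(?P<name>[A-Z0-9-]+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\w+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
    r"(?:\s+(?P<export>export))?$"
)
PROTOCOL_HEADERS = {"SSLv2", "SSLv3", "TLSv1"}

def is_medium(bits):
    """Band quoted in the report: at least 56 bits and less than 112 bits."""
    return 56 <= bits < 112

def parse_report(text):
    """Yield one dict per suite line, tagged with the protocol header above it."""
    protocol = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in PROTOCOL_HEADERS:
            protocol = line
            continue
        m = SUITE_RE.match(line)
        if m:  # anything that is not a suite line is skipped
            suite = m.groupdict()
            suite.update(protocol=protocol, bits=int(m["bits"]),
                         export=m["export"] is not None)
            yield suite

def medium_findings(text):
    """Sorted (protocol, suite, Enc) tuples that fall in the medium band."""
    return sorted({(s["protocol"], s["name"], f'{s["enc"]}({s["bits"]})')
                   for s in parse_report(text) if is_medium(s["bits"])})

if __name__ == "__main__":
    for finding in medium_findings(SAMPLE):
        print(*finding)
```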
02-22-2010 11:40 AM
I believe the alert there is because you are using a 768-bit key, which was broken recently (in Jan 2010 a paper was published on it with results from efforts that took 4 years to break 768-bit keys). 768-bit RSA keys are not considered secure enough any more.
I would suggest you configure keys of 1024 on these switches and try again.
I hope it helps.
PK
02-22-2010 12:07 PM
Thanks for the reply. I zeroed the key of one of the switches and started a scan on it. I will let you know if that fixes it.
Poirot
02-23-2010 08:22 AM
I zeroed the RSA key and generated a 1024 bit replacement. Saved it, restarted the secure http server, and ran the Gideon scan against it. I am still getting the same vulnerability. Is there a way to turn off an individual cipher suite running in IOS?
Poirot
02-23-2010 01:45 PM
You cannot disable ciphersuites.
Try if "ip ssh version 2" helps.
Also check the difference in ssh and crypto key between the routers that don't see the vulnerability reports.
PK
05-26-2021 12:22 AM
Hi Panos,
I am facing the same issue in the switch. What will be the solution?
I am looking forward to your reply.
Thanks,
Prashanth
03-24-2010 06:07 AM
Have the exact same issue.
I have 1024 crypto keys and ip ssh version 2 in the config.
Still shows up a vulnerability after re-scanning (using Tenable Nessus).
This happens on 2960, 3550, & 3750's.
03-24-2010 06:30 AM
Yeah. I told our ISSO that it was something that would have to be deemed an acceptable risk as there was not a 'fix' for it.
Poirot
