Tenable CBC Plugin Reporting With CTR Enabled

jbulloch
Level 1

Hi cisco community,

I will admit I was not sure whether to put this under security or switching. Recently, my company decided to have an outside auditor come in who uses Tenable. One of these scans has hit two of our switches, a 9300 and a 3560CX, as having CBC enabled.

However, both switches are configured as such:
(9300)  ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr

(3560)  ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr

Neither is using a CBC option. I asked for both to be run again, and they both popped up positive again. I contacted Tenable and was told to reach out to the vendor and ask for a security patch.

I've tried pushing everything on the switches to 512, but our corporate terminal client does not enjoy having the hostkey set that high.

The configs are as follows:

C9300-48U

ip ssh server authenticate user publickey
ip ssh server authenticate user keyboard
ip ssh server authenticate user password
no ip ssh server peruser session limit
ip ssh server certificate profile
ip ssh server algorithm mac hmac-sha2-512 hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm kex curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1
ip ssh server algorithm hostkey rsa-sha2-256 ssh-rsa
ip ssh server algorithm authentication publickey keyboard password
ip ssh server algorithm publickey x509v3-ssh-rsa ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519 x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 x509v3-ecdsa-sha2-nistp521 rsa-sha2-256 rsa-sha2-512

WS-C3560CX-8PC-S

ip ssh server authenticate user publickey
ip ssh server authenticate user keyboard
ip ssh server authenticate user password
no ip ssh server peruser session limit
ip ssh server certificate profile
ip ssh server algorithm mac hmac-sha2-512 hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm kex diffie-hellman-group14-sha1
ip ssh server algorithm hostkey x509v3-ssh-rsa ssh-rsa
ip ssh server algorithm authentication publickey keyboard password
ip ssh server algorithm publickey x509v3-ssh-rsa ssh-rsa

Is there another setting I am missing which would affect this hit? The plugin text is:

"The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext."

Thank you for your assistance!

3 Replies

marce1000
Hall of Fame

- You can verify the enabled ciphers with: % nmap --script ssh2-enum-algos switchname (nmap.org)

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
   When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
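An added example for this thread (not code from Cisco, Tenable, or any poster): a small Python checker that does what the nmap script above does for the one question the original post asks, namely which encryption algorithms the switch's SSH server actually offers on the wire, independent of what the running config says. It reads only the server's identification line and its first packet, the KEXINIT of RFC 4253 section 7.1, which carries the server's algorithm name-lists before any key exchange; no credentials are sent and nothing is authenticated. The two KEXINIT payloads built in the block are constructed samples, not captures from the switches in the thread, and the hostname on the command line is whatever device you are checking.

```python
"""Read an SSH server's KEXINIT and list any CBC ciphers it offers.

Added example for this thread; not code from Cisco, Tenable or any poster.
The server's first packet (RFC 4253 section 7.1) carries its algorithm
name-lists, so that one packet shows whether a *-cbc cipher is offered.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20
KEXINIT_FIELDS = (
    "kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)


def name_list(names):
    """Encode an SSH name-list: uint32 length, then comma-separated ASCII."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)):
    """Build a KEXINIT payload; used here only to construct sample input."""
    cookie = b"\x00" * 16  # random in a real implementation; fixed for the sample
    lists = (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ())
    body = b"".join(name_list(x) for x in lists)
    # trailing byte: first_kex_packet_follows; then a reserved uint32
    return bytes([SSH_MSG_KEXINIT]) + cookie + body + b"\x00" + b"\x00\x00\x00\x00"


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16  # message type byte, then the 16-byte cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + length]
        if len(raw) != length:
            raise ValueError("truncated name-list: " + name)
        fields[name] = raw.decode("ascii").split(",") if raw else []
        off += length
    return fields


def cbc_ciphers(fields):
    """CBC-mode ciphers offered in either direction, sorted; [] if none."""
    offered = set(fields["enc_c2s"]) | set(fields["enc_s2c"])
    return sorted(c for c in offered if c.endswith("-cbc"))


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before KEXINIT")
        buf += chunk
    return buf


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Exchange identification strings, then return the server's KEXINIT fields."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexinit_check\r\n")
        line = b""
        while not line.startswith(b"SSH-"):  # skip any pre-banner lines
            line = b""
            while not line.endswith(b"\n"):
                line += _read_exact(sock, 1)
        # First binary packet is unencrypted and has no MAC yet:
        # uint32 packet_length, byte padding_length, payload, padding
        (packet_length,) = struct.unpack(">I", _read_exact(sock, 4))
        body = _read_exact(sock, packet_length)
        payload = body[1:packet_length - body[0]]
        return parse_kexinit(payload)


# Constructed samples (not captures from the switches in the thread).
SAMPLE_CTR_ONLY = build_kexinit(
    kex=("diffie-hellman-group14-sha1",),
    hostkey=("rsa-sha2-256", "ssh-rsa"),
    enc=("aes256-ctr", "aes192-ctr", "aes128-ctr"),
    mac=("hmac-sha2-512", "hmac-sha2-256"),
)
SAMPLE_WITH_CBC = build_kexinit(
    kex=("diffie-hellman-group14-sha1",),
    hostkey=("ssh-rsa",),
    enc=("aes256-ctr", "aes256-cbc", "3des-cbc"),
    mac=("hmac-sha1",),
)

if __name__ == "__main__":
    import sys
    # Usage: python kexinit_check.py <switch hostname or IP>; no argument uses the sample.
    fields = fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1 else parse_kexinit(SAMPLE_WITH_CBC)
    print("encryption offered:", ", ".join(fields["enc_s2c"]))
    print("CBC ciphers:", ", ".join(cbc_ciphers(fields)) or "none")
```

The first test a practitioner would run with this is against the switch from a host that the plugin scanned from, because the point of reading KEXINIT rather than the config is that it reports what that client was offered. If the list comes back CTR-only, the scanner's finding is not about this SSH server's cipher list; if a *-cbc name appears, the config lines shown above are not the whole story for that device.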

marce,

Thanks for the input, and while that is helpful, I cannot run nmap in our environment.

- The feeling around that argument is something I defy; you 'don't run nmap in your environment'; you run a command as a technical authorized administrator on a single device to examine an issue. Or what about all your other users who might have downloaded it already, and scanned your network numerous times.....->?

 M.