Weak SSL/TLS Key Exchange

Hi,

I hope you're doing well.

In our network infrastructure, where we have Qualys to scan for vulnerabilities, I can't find a solution for this certain vulnerability. Here are the details:

Weak SSL/TLS Key Exchange

Impact: an attacker with access to sufficient computational power might be able to recover the session key and decrypt session content.

I have tried the suggested solution from both the community and Cisco, but when I scan again the vulnerability remains the same. The solution that I have tried is to disable SSL/TLS on the switches; after scanning, it still shows the same vulnerability. I have also tried to configure the cipher suite with AES 256; the vulnerability remains the same.

The switch we have is a Cisco 9200, version 17.6.

Best regards


5 Replies

@mohammedalrawiib what commands did you configure? Provide the configuration.

Did you use the command no ip http secure-server to disable the HTTPS server?

You could also apply an ACL to restrict traffic to trusted sources, that would help mitigate the issue.

Yes, I tried to use the command no ip http secure-server, but the vulnerability remains in the scan report.

@mohammedalrawiib with that command, HTTPS on the switch is disabled and should not respond.

Are you sure a new scan was run after that command was configured?

Provide your configuration


I tried to scan 2 times and the vulnerability still remains. Is there anything I can try?

I can't provide the configuration right now; I will provide it on Sunday.

Regards

Dears,

After a while, we changed the SSH port number (default is 22) to another port and also blocked port 22; then the vulnerability was removed. This is the solution that we found. If you have any other solution, please let us know.

Best regards
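As an added example (not configuration posted by anyone in this thread), the IOS-XE management-plane settings the replies above describe, with constructed addresses: the HTTPS server disabled as in the first reply, a standard ACL so that only the management and scanner subnet can reach the vty lines, and SSH version 2 only. It goes one step beyond the thread by also raising the SSH Diffie-Hellman modulus with ip ssh dh min size, which I assume is the relevant setting when the finding is raised against the SSH listener on port 22, as the accepted solution suggests, rather than against HTTPS.

```cisco
! Management ACL: 10.0.0.0/24 is a constructed example subnet; replace with
! the real management and Qualys scanner ranges.
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! Disable the HTTP and HTTPS servers entirely (the step discussed above).
no ip http server
no ip http secure-server
!
! SSH: version 2 only, and a 4096-bit DH modulus so the key exchange
! offered to the scanner is no longer a weak group (assumed command).
ip ssh version 2
ip ssh dh min size 4096
!
! Apply the ACL to all vty lines and allow only SSH as the transport.
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
```

After applying it, confirm with show ip ssh and show ip http server status, then rescan, since Qualys only reports what was reachable at scan time.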
