04-21-2024 10:58 PM
Hi
I hope you're doing well.
In our network infrastructure, where we have Qualys scanning for vulnerabilities, I can't find a solution for a certain vulnerability. Here are the details:
Weak SSL/TLS Key Exchange
Impact: an attacker with access to sufficient computational power might be able to recover the session key and decrypt session content.
I have tried the suggested solution from both the community and Cisco, but when I scan again the vulnerability remains the same. The solution I tried was to disable SSL/TLS on the switches; after scanning, it still shows the same vulnerability. I have also tried to configure the cipher suite with AES 256, and the vulnerability remains the same.
The following commands were executed:
no ip http secure-server
The switch we have is a Cisco 9200, version 17.6.
Regards
Accepted Solutions
05-28-2024 05:53 AM
Dears,
After a while we changed the SSH port number (default is 22) to another port, and we also blocked port 22; then the vulnerability was removed. This is the solution that we found. If you have any other solution, please let us know.
Best regards
04-21-2024 11:26 PM
Hello @mohammedalrawiib
Configuration changes might require a reboot to take effect. Reboot the switch and re-scan to verify if the vulnerability persists.
Determine if there are other interfaces or modules on the switch that might be using SSL/TLS.
Will you share the output of "show running-config"?
>_<
04-22-2024 01:39 AM
Hello
I can't reboot; this will take our service down. I tried to enable it again, they said it would remove it. This is the config:
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http secure-ciphersuite aes-256-cbc-sha
ip http tls-version TLSv1.2
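Disabling the HTTPS server and changing its cipher suite left the finding in place, and the accepted solution found the scanner was hitting SSH on port 22. As an added example, not from this thread or from Cisco, the Python script below reads the key-exchange methods a device's SSH service advertises on a given port, so you can confirm what the flagged port actually offers before and after a configuration change; WEAK_KEX is an assumed policy, and build_kexinit exists only to construct a sample packet for offline checking.

```python
import socket
import struct

# Assumption: key-exchange methods treated as weak here (1024-bit MODP group or
# SHA-1 based negotiation); adjust the set to the policy your scanner applies.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}

def build_kexinit(kex, hostkey):
    """Build a minimal SSH_MSG_KEXINIT packet; used here only to construct samples."""
    nl = lambda names: struct.pack(">I", len(",".join(names))) + ",".join(names).encode("ascii")
    payload = bytes([20]) + b"\x00" * 16 + nl(kex) + nl(hostkey)
    payload += nl([]) * 8 + b"\x00" * 5  # empty enc/mac/comp/lang lists, flag, reserved
    pad = 16 - (5 + len(payload)) % 8  # keeps total length a multiple of 8, pad >= 4
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad

def parse_kexinit(packet):
    """Return the kex/host-key name-lists of a KEXINIT packet (RFC 4253 s.7.1)."""
    packet_len, padding_len = struct.unpack(">IB", packet[:5])
    payload = packet[5:4 + packet_len - padding_len]
    if payload[0] != 20:  # SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT message")
    pos, fields = 17, []  # skip the message type byte and the 16-byte cookie
    for _ in range(2):  # kex_algorithms, server_host_key_algorithms
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        fields.append(payload[pos + 4:pos + 4 + n].decode("ascii").split(","))
        pos += 4 + n
    kex, hostkey = fields
    return {"kex": kex, "hostkey": hostkey, "weak": [k for k in kex if k in WEAK_KEX]}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before KEXINIT")
        buf += chunk
    return buf

def probe_ssh(host, port=22, timeout=5.0):
    """Read the server identification line and KEXINIT from host:port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = b""
        while not banner.endswith(b"\n"):  # assumes the first line is "SSH-2.0-..."
            banner += _recv_exact(s, 1)
        s.sendall(b"SSH-2.0-kexprobe_0.1\r\n")
        length = struct.unpack(">I", _recv_exact(s, 4))[0]
        info = parse_kexinit(struct.pack(">I", length) + _recv_exact(s, length))
    info["banner"] = banner.strip().decode("ascii", "replace")
    return info
```

probe_ssh(host, port)["weak"] lists the methods from WEAK_KEX that the device offers on that port; running it against the old and the new SSH port after a change shows whether the exposure was removed or only moved.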
04-22-2024 05:32 AM - edited 04-22-2024 05:33 AM
Hello @mohammedalrawiib
When dealing with SSL/TLS vulnerabilities, particularly those related to key exchange, it can be frustrating when the recommended solutions don't seem to resolve the issue. If your goal is to mitigate the "Weak SSL/TLS Key Exchange" vulnerability, these commands can help ensure secure configurations. Then it is resolved, right?
I hope this helps resolve your vulnerability issue. If it is OK, then mark your post as solved.
Rate it too.
>_<
04-22-2024 06:35 AM
@mohammedalrawiib you asked this question in a separate thread last week: https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/td-p/5072776
At that time you said you were going to provide the running config but you have not yet done so.
