Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3424
Views
0
Helpful
5
Replies

Weak SSL/TLS Key Exchange

Go to solution
mohammedalrawiib
Level 1
Level 1

‎04-21-2024 10:58 PM

Hi 

I hope your doing well 

in our network infrastructure  where we have Qualys to scan for vulnerabilities i can't find a solution for this certain vulnerability here are the details :

Weak SSL/TLS Key Exchange 

impact an attacker with access to sufficient computational power might be able to recover the session key and decrypt session content 

i have tried the suggested solution from both community cisco but when we i scan again the vulnerability remains the same , the solution that i have tried is to disable SSL/TLS on the switches after scanning it still shows the same vulnerability ,also i have tried to configure the cipher suite with AES 256 the vulnerability remains the same .

the following commands were executed 

no ip http secure-server 

 

 

the switch we have is cisco 9200 version 17.6

regards

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mohammedalrawiib
Level 1
Level 1

‎05-28-2024 05:53 AM

Dears 

after a while we changed the ssh port number (default is 22) to another port also we blocked 22 port then the vulnerability was removed this is the solution that we found if you have any other solution please let us know.

best regards 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Kumaresan Ravichandran
Level 1
Level 1

‎04-21-2024 11:26 PM

Hello @mohammedalrawiib 

Configuration changes might require a reboot to take effect. Reboot the switch and re-scan to verify if the vulnerability persists.

Determine if there are other interfaces or modules on the switch that might be using SSL/TLS.

will you share the output of  "show running-config".

>_<

0 Helpful

Go to solution
mohammedalrawiib
Level 1
Level 1
In response to Kumaresan Ravichandran

‎04-22-2024 01:39 AM

hello 

i can't reboot this will take our service down , i tried to enable it again they said it would remove it this is the config 

ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http secure-ciphersuite aes-256-cbc-sha
ip http tls-version TLSv1.2

0 Helpful

Go to solution
Kumaresan Ravichandran
Level 1
Level 1
In response to mohammedalrawiib

‎04-22-2024 05:32 AM - edited ‎04-22-2024 05:33 AM

Hello @mohammedalrawiib 

When dealing with SSL/TLS vulnerabilities, particularly those related to key exchange, it can be frustrating when the recommended solutions don't seem to resolve the issue. If your goal is to mitigate the "Weak SSL/TLS Key Exchange" vulnerability, these commands can help ensure secure configurations. Then it is resolved right ?

I hope this helps resolve your vulnerability issue. If it is ok then mark your post to solved category.

Rate it too.

>_<

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-22-2024 06:35 AM

@mohammedalrawiib you asked this question is a separate thread last week: https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/td-p/5072776

At that time you said you were going to provide the running config but you have not yet done so.

0 Helpful

Go to solution
mohammedalrawiib
Level 1
Level 1

‎05-28-2024 05:53 AM

Dears 

after a while we changed the ssh port number (default is 22) to another port also we blocked 22 port then the vulnerability was removed this is the solution that we found if you have any other solution please let us know.

best regards 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top