cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
281
Views
5
Helpful
3
Replies
Highlighted
Beginner

I need a fix for CVE-2008-5161

Tenable says that my switch is vulnerable to  CVE-2008-5161.  What is the fix?

 

Vulnerability name: CVE-2008-5161
Vulnerability scanner IDs: 70658
Vulnerability port: 22
Description: Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.
Solution Name: SSH Server CBC Mode Ciphers Enabled
Solution Description: Contact the vendor or consult product documentation to disable CBC mode
cipher encryption, and enable CTR or GCM cipher mode encryption.

 

 

here is my device IOS

 

sh version
Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 15.1(2)SY12, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Mon 23-Apr-18 10:15 by prod_rel_team

ROM: System Bootstrap, Version 12.2(17r)SX7, RELEASE SOFTWARE (fc1)

xxxxx uptime is 1 year, 3 weeks, 2 days, 23 hours, 7 minutes
Uptime for this control processor is 1 year, 3 weeks, 2 days, 22 hours, 39 minutes
System returned to ROM by reload at 17:00:48 CDT Fri Jul 20 2018 (SP by reload)
System restarted at 17:03:49 CDT Fri Jul 20 2018
System image file is "disk0:s72033-ipservicesk9-mz.151-2.SY12.bin"
Last reload reason: Reload Command

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C6509-E (R7000) processor (revision 1.5) with 458720K/65536K bytes of memory.
Processor board ID xxxxxxxxx
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
2 Virtual Ethernet interfaces
196 Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.

65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Mentor

Re: I need a fix for CVE-2008-5161

Then your customer probably has to accept the risk. And it's not, that your SSH-sessions are now automatically broken and insecure. It's just not as secure as it could be.

3 REPLIES 3
VIP Mentor

Re: I need a fix for CVE-2008-5161

AES-CTR-Mode was introduces in 15.2(1)SY which is not available for your switch. 

As a workaround you could disable SSH and access the device through a terminal server. Or even better, what about a shiny new Catalyst 9k to replace the 6k5?

Beginner

Re: I need a fix for CVE-2008-5161

thanks but disabling SSH or buying a new 9K isn't a feasible solution for my customer.  :) 

VIP Mentor

Re: I need a fix for CVE-2008-5161

Then your customer probably has to accept the risk. And it's not, that your SSH-sessions are now automatically broken and insecure. It's just not as secure as it could be.