I need a fix for CVE-2008-5161

davinci
Level 1

Tenable says that my switch is vulnerable to CVE-2008-5161. What is the fix?

Vulnerability name: CVE-2008-5161
Vulnerability scanner IDs: 70658
Vulnerability port: 22
Description: Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.
Solution Name: SSH Server CBC Mode Ciphers Enabled
Solution Description: Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

Here is my device IOS:

sh version
Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 15.1(2)SY12, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Mon 23-Apr-18 10:15 by prod_rel_team

ROM: System Bootstrap, Version 12.2(17r)SX7, RELEASE SOFTWARE (fc1)

xxxxx uptime is 1 year, 3 weeks, 2 days, 23 hours, 7 minutes
Uptime for this control processor is 1 year, 3 weeks, 2 days, 22 hours, 39 minutes
System returned to ROM by reload at 17:00:48 CDT Fri Jul 20 2018 (SP by reload)
System restarted at 17:03:49 CDT Fri Jul 20 2018
System image file is "disk0:s72033-ipservicesk9-mz.151-2.SY12.bin"
Last reload reason: Reload Command


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C6509-E (R7000) processor (revision 1.5) with 458720K/65536K bytes of memory.
Processor board ID xxxxxxxxx
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
2 Virtual Ethernet interfaces
196 Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.

65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102

5 Replies

AES-CTR mode was introduced in 15.2(1)SY, which is not available for your switch.

As a workaround you could disable SSH and access the device through a terminal server. Or even better, what about a shiny new Catalyst 9k to replace the 6k5?

thanks but disabling SSH or buying a new 9K isn't a feasible solution for my customer.  :) 

Then your customer probably has to accept the risk. And it's not that your SSH sessions are now automatically broken and insecure; it's just not as secure as it could be.

Hello Karsten

Our customer is using a C6807-XL switch with a VS-SUP2T-10G supervisor engine. Currently IOS 15.1(2)SY5 is running on the switch.

In show ver we are getting this:

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

We are getting this output from audit team.

  • CVE-2008-5161  SSH Server CBC Mode Ciphers Enabled. Switch IP: 10.161.192.2, cisco C6807-XL (M8572), Processor board ID: SMC1946006Y

  • CVE-2008-5161  Host: 10.161.192.3  The SSH server is configured to use Cipher Block Chaining. The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plain text message from the cipher text.

  • CVE-2008-5161  Host: 10.36.193.8  The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms. The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.

  • CVE-2008-5161  Host: 10.161.139.2  The SSH server is configured to use Cipher Block Chaining. The SSH server is configured to support Cipher Block Chaining (CBC).

  • CVE-2008-5161  Host: 10.161.139.1  SSH Server CBC Mode Ciphers Enabled.

Please let us know the workaround or the IOS version in which the issue is resolved.
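A check a defender can run to see exactly what the scanner is flagging, both for the original "SSH Server CBC Mode Ciphers Enabled" finding and for the MD5 / 96-bit MAC findings in the audit list above. This is an added example, not code from this thread, from Tenable or from Cisco: it decodes the SSH_MSG_KEXINIT message (RFC 4253 section 7.1) that an SSH server sends at the start of every session and lists any CBC ciphers, MD5 MACs and 96-bit truncated MACs the server offers, which is all a scanner needs to raise these findings. The `probe_server` helper, the `kexinit_audit` client banner and the `SAMPLE_LISTS` algorithm lists are assumptions constructed for the example; the sample lists are not captured from the switches in the thread.

```python
"""Decode an SSH server's KEXINIT and flag CBC ciphers and MD5 / 96-bit MACs.
Added example; not code from the thread, from Tenable or from Cisco."""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def _read_namelist(buf, off):
    """Read one RFC 4251 name-list: uint32 length, then comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [x for x in names.split(",") if x], off + n


def _write_namelist(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=bytes(16)):
    """Encode a KEXINIT payload from ten name-lists. Used here only to construct
    sample input for the parser; a real server sends its own KEXINIT."""
    body = b"".join(_write_namelist(lists[f]) for f in KEXINIT_FIELDS)
    # message type, 16-byte cookie, name-lists, first_kex_packet_follows, reserved
    return bytes([SSH_MSG_KEXINIT]) + cookie + body + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict keyed by KEXINIT_FIELDS."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # skip the message type byte and the random cookie
    out = {}
    for field in KEXINIT_FIELDS:
        out[field], off = _read_namelist(payload, off)
    return out


def weak_algorithms(kex):
    """Return (finding, direction, names) tuples matching the audit wording:
    CBC ciphers, MD5 MACs and 96-bit truncated MACs. CTR/GCM ciphers pass."""
    findings = []
    for side in ("enc_c2s", "enc_s2c"):
        cbc = [a for a in kex[side] if a.endswith("-cbc")]
        if cbc:
            findings.append(("cbc-cipher", side, cbc))
    for side in ("mac_c2s", "mac_s2c"):
        md5 = [a for a in kex[side] if "md5" in a]
        trunc96 = [a for a in kex[side] if a.endswith("-96")]
        if md5:
            findings.append(("md5-mac", side, md5))
        if trunc96:
            findings.append(("96-bit-mac", side, trunc96))
    return findings


def probe_server(host, port=22, timeout=5.0):
    """Fetch a live server's KEXINIT (assumed helper). Only the version banner
    exchange and the server's first packet are consumed; no key exchange or
    authentication is attempted, so nothing is negotiated or logged in."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):
            line = f.readline()  # servers may send informational lines first
        sock.sendall(b"SSH-2.0-kexinit_audit\r\n")
        (packet_len,) = struct.unpack(">I", f.read(4))
        padding_len = f.read(1)[0]
        payload = f.read(packet_len - 1 - padding_len)  # drop padding_length + padding
        return parse_kexinit(payload)


# Constructed sample: a CBC-only server offering MD5 and truncated MACs, the
# shape of server the audit findings describe. Not captured from any real device.
SAMPLE_LISTS = {
    "kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa"],
    "enc_c2s": ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "enc_s2c": ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "mac_c2s": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
    "mac_s2c": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
    "comp_c2s": ["none"], "comp_s2c": ["none"], "lang_c2s": [], "lang_s2c": [],
}


def audit(kex):
    """Return (passed, report): passed is True when no weak algorithm is offered."""
    findings = weak_algorithms(kex)
    lines = [f"{kind:<11} {side:<8} {', '.join(names)}" for kind, side, names in findings]
    return (not findings), ("\n".join(lines) or "no CBC ciphers or weak MACs offered")


if __name__ == "__main__":
    # With a host argument, read the live KEXINIT; otherwise audit the sample.
    lists = probe_server(sys.argv[1]) if len(sys.argv) > 1 else parse_kexinit(build_kexinit(SAMPLE_LISTS))
    ok, report = audit(lists)
    print(report)
    sys.exit(0 if ok else 1)
```

Running it against the sample reports CBC ciphers in both directions and both MD5 and 96-bit MACs, exactly the three findings in the audit list; running it against a host that offers only CTR or GCM ciphers and full-length SHA MACs exits 0. The report is a direct view of what the scanner saw, which is useful when deciding whether a finding is a real configuration gap or, as in this thread, a platform limit that has to be risk-accepted.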

I would expect that there is an IOS update available that can run proper crypto. Update the switch and configure SSH accordingly:

https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344