861 Views | 0 Helpful | 6 Replies

OpenSSH Vulnerabilities in Cisco C9200L and C9300 switches

itsu (Level 1)

Hi folks,

Our vulnerability scanning tool has picked up a couple of OpenSSH-related vulnerabilities in all our 9000 series switches. See attached screenshot.

I checked for any related posts online but couldn't find anything; there are some related ones, but they are for different Cisco products.

So far, I have applied the configs below, which I came across online, but that hasn't fixed the problem. After I ran the remediation scan I can see that the vulnerabilities are still there.


DR-CORE-SW-STACK#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
DR-CORE-SW-STACK(config)#crypto key generate rsa modulus 4096 label my-4096rsa-ssh-key
% You already have RSA keys defined named my-4096rsa-ssh-key.
% They will be replaced.

% The key modulus size is 4096 bits
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

DR-CORE-SW-STACK(config)#ip ssh rsa keypair-name my-4096rsa-ssh-key
DR-CORE-SW-STACK(config)#ip ssh version 2
DR-CORE-SW-STACK(config)#ip ssh server algorithm authentication keyboard
DR-CORE-SW-STACK(config)#ip ssh server algorithm kex ecdh-sha2-nistp521 ecdh-sha2-nistp384
DR-CORE-SW-STACK(config)#ip ssh server algorithm hostkey rsa-sha2-512 rsa-sha2-256
DR-CORE-SW-STACK(config)#ip ssh server algorithm encryption aes256-gcm aes256-ctr
DR-CORE-SW-STACK(config)#ip ssh server algorithm mac hmac-sha2-512 hmac-sha2-256
DR-CORE-SW-STACK(config)#ip ssh server algorithm publickey ecdsa-sha2-nistp521 ecdsa-sha2-nistp384
DR-CORE-SW-STACK(config)#do wri
Building configuration...
[OK]
DR-CORE-SW-STACK(config)#

How can I remove these vulnerabilities? Any good folks want to help?

I really appreciate your help on this.

Thank you,

Kevin

[Attachment: Screenshot 2024-08-01 095457.png]

6 Replies

Hi

Are you sure the scan was run against a Cisco switch? I don't recall Cisco devices using OpenSSH.

On the link below there are plenty of tips related to strong SSH; hope that can help you.

https://community.cisco.com/t5/networking-knowledge-base/configuring-ios-xe-for-strong-security-ssh-sessions/ta-p/4556490


Hi Flavio,

I did come across this site and used the configs above; however, the issue still persists when I run the scan.

Hello Kevin,

I do not see any SSH related vulnerability in your configuration. It looks good.

I am also using the same configuration. What version are you using on the switch?

C9300-01#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:keyboard-interactive
Authentication Publickey Algorithms:ecdsa-sha2-nistp256,ecdsa-sha2-nistp384
Hostkey Algorithms:rsa-sha2-512,rsa-sha2-256
Encryption Algorithms:aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512
KEX Algorithms:ecdh-sha2-nistp521
Authentication timeout: 60 secs; Authentication retries: 5
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-2962435495
Modulus Size : 2048 bits
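The two things this thread turns on are (a) whether the algorithms the switch actually offers match the hardening commands applied in the original post, and (b) whether the scanner is keying its findings off the SSH identification banner rather than the device. The following is an added example, not code from the original post or from Cisco: it parses `show ip ssh` output (the constructed sample below is the output pasted in this reply), audits each algorithm list against an allow-list derived from the original post's `ip ssh server algorithm` commands, and classifies an SSH banner by the software name it carries. The policy sets, the helper names, and the sample banner strings are assumptions chosen for illustration.

```python
import re

# Constructed sample: the `show ip ssh` output pasted in the reply above, copied verbatim.
SAMPLE_SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:keyboard-interactive
Authentication Publickey Algorithms:ecdsa-sha2-nistp256,ecdsa-sha2-nistp384
Hostkey Algorithms:rsa-sha2-512,rsa-sha2-256
Encryption Algorithms:aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512
KEX Algorithms:ecdh-sha2-nistp521
Authentication timeout: 60 secs; Authentication retries: 5
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-2962435495
Modulus Size : 2048 bits
"""

# Allow-list policy (assumption: mirrors the `ip ssh server algorithm ...` commands
# in the original post; adjust to your own baseline).
POLICY = {
    "kex": {"ecdh-sha2-nistp521", "ecdh-sha2-nistp384"},
    "hostkey": {"rsa-sha2-512", "rsa-sha2-256"},
    "encryption": {"aes256-gcm", "aes256-ctr"},
    "mac": {"hmac-sha2-512", "hmac-sha2-256"},
    "publickey": {"ecdsa-sha2-nistp521", "ecdsa-sha2-nistp384"},
}

# Maps the label printed by `show ip ssh` to the policy key above.
LINE_MAP = {
    "KEX Algorithms": "kex",
    "Hostkey Algorithms": "hostkey",
    "Encryption Algorithms": "encryption",
    "MAC Algorithms": "mac",
    "Authentication Publickey Algorithms": "publickey",
}


def parse_show_ip_ssh(text):
    """Turn `show ip ssh` output into a dict of version, algorithm lists and key sizes."""
    result = {"version": None, "algorithms": {}, "modulus_bits": None, "dh_min_bits": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"SSH Enabled - version (\S+)", line)
        if m:
            result["version"] = m.group(1)
            continue
        m = re.match(r"Modulus Size\s*:\s*(\d+) bits", line)
        if m:
            result["modulus_bits"] = int(m.group(1))
            continue
        m = re.match(r"Minimum expected Diffie Hellman key size\s*:\s*(\d+) bits", line)
        if m:
            result["dh_min_bits"] = int(m.group(1))
            continue
        # Algorithm lines look like "Label:alg1,alg2"; split on the first colon only.
        label, sep, value = line.partition(":")
        key = LINE_MAP.get(label.strip()) if sep else None
        if key:
            result["algorithms"][key] = [a.strip() for a in value.split(",") if a.strip()]
    return result


def audit(parsed, policy=POLICY, min_modulus=2048):
    """Return a list of findings: anything offered that is outside the allow-list."""
    findings = []
    if parsed["version"] != "2.0":
        findings.append(f"SSH version is {parsed['version']}, expected 2.0")
    for key, allowed in policy.items():
        offered = parsed["algorithms"].get(key, [])
        if not offered:
            findings.append(f"{key}: no algorithm list found")
            continue
        for alg in offered:
            if alg not in allowed:
                findings.append(f"{key}: {alg} not in allow-list")
    bits = parsed["modulus_bits"]
    if bits is not None and bits < min_modulus:
        findings.append(f"RSA modulus {bits} bits below {min_modulus}")
    return findings


def banner_vendor(banner):
    """Classify an SSH identification string (RFC 4253 s.4.2) by its software field.

    A finding for an OpenSSH CVE on a device whose banner does not advertise OpenSSH
    is the first thing to check when triaging the scanner report in this thread.
    """
    m = re.match(r"SSH-(\d\.\d+)-(\S+)", banner)
    if not m:
        return ("unknown", None)
    software = m.group(2)
    if software.lower().startswith("openssh"):
        return ("openssh", software)
    if software.lower().startswith("cisco"):
        return ("cisco-ios", software)
    return ("other", software)


if __name__ == "__main__":
    parsed = parse_show_ip_ssh(SAMPLE_SHOW_IP_SSH)
    for finding in audit(parsed) or ["no findings"]:
        print(finding)
    # Constructed banner strings for illustration; check your device with a real capture.
    for b in ("SSH-2.0-Cisco-1.25", "SSH-2.0-OpenSSH_9.2p1 Debian-2"):
        print(b, "->", banner_vendor(b))
```

Run against the output pasted above, the audit flags only `ecdsa-sha2-nistp256` in the public-key list, which is outside the original post's allow-list; everything else matches. If a scanner report names OpenSSH CVEs but the banner classifier returns `cisco-ios`, the finding is worth treating as banner-matching noise until the scanner vendor confirms how it fingerprinted the host.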


I'm wondering if your scan is just reporting common SSH vulnerabilities rather than actually seeing them on the switch, because it shows OpenSSH, which I don't believe Cisco uses.

Is this an official scan tool or some free software?

Please share the output of:

show ip ssh

I think there are other ciphers used by default.

MHM

Leo Laohoo (Hall of Fame)

IOS-XE is only affected by the regreSSHion vulnerability if the platform has NETCONF enabled AND is running a vulnerable version (fixed from 17.15.1).

If NETCONF is not enabled, IOS-XE is not affected.