"SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms" affected my core switch

mohdtaamneh · ‎03-02-2015

Security scan showing that my core ( WS-C6509-V-E /12.2(33)SXI4a ) is affected by the below two vulnerabilities:

1. SSH Server CBC Mode Ciphers Enabled

2. SSH Weak MAC Algorithms Enabled

I searched about the issue and found that nothing need to be done on the switches side. And the action need to be taken on the client that we are using to connect to cisco devices. Need to Disable CBC Mode Ciphers and use CTR Mode Ciphers on the application using to ssh to the cisco devices. And Disable any 96-bit HMAC Algorithms, Disable any MD5-based HMAC Algorithms.

Any one affected by the same vulnerabilities? And how fix it? Is there any action need to be done on the cisco switch side -like IOS upgrade-?

BR,

Mohammad

Karsten Iwen · ‎03-02-2015

More recent IOS-versions have more features for securing SSH. Older versions are very limited and without upgrading the software you can't allow any modern crypto. More then that, you even can't secure the client-settings if the SSH-server doesn't support modern crypto.

The way to go is:

Upgrade the device-software
Configure the devices for stronger SSH-security
Restrict the client from using weak crypto.

I wrote a little document for securing SSH which is available here:

https://supportforums.cisco.com/document/12338141/guide-better-ssh-security

Quikr_167 · ‎08-29-2017

HI,

Facing the same issue with entire prodcution device. Please share the fix steps if anyone have it.

Thanks,

Pushpendra

Marvin Rhoads · ‎08-29-2017

Did you try to follow the steps suggested by Karsten?

"SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms" affected my core switch

SSH "No matching kex algorithm found"

November 21st: Weak ciphers being disabled for Umbrella and OpenDNS

SSH error message "No matching ciphers found"

ssh error message "CBC Ciphers got moved out of default config"

Disabling SSH CBC cipher on Cisco routers/switches