Solved: Security Issues

dbrill001 · ‎01-22-2019

I have scanned my network and I am having a time trying to find the mitigations for these issues:

SSH Weak Encryption Algorithms Supported

SSL/TLS: SSLv3 Protocol CBC Cipher Suites Information Disclosure Vulnerability (POODLE)

SSL/TLS: Report Weak Cipher Suites

Telnet Unencrypted Cleartext Logins

SSH Weak MAC Algorithms Supported

SSL/TLS: Certificate Signed Using A Weak Signature Algorithm

SSL/TLS: Report Vulnerable Cipher Suites for HTTPS

SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection

SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability

Cleartext Transmission of Sensitive Information via HTTP

SSL/TLS: OpenSSL CCS Man in the Middle Security Bypass Vulnerability

Mitigating these is would be helpful. Thank you,

Seb Rupik · ‎01-22-2019

Hi there,

All of the SSL/TLS vulnerabilities will be resolved by upgrading the system image to mitigate the applicable CVE numbers.

Specific SSH issues can be resolved by setting the ssl cipher, however old versions of software may not have more secure ciphers available, so the image may need to be upgraded.

The telnet issue can be fixed by enforcing ssh on the VTY:

!
line vty 0 15
  transport input ssh
!

The HTTP issue can be resolved with

!
no ip http server
!

cheers,

Seb.

View solution in original post

Seb Rupik · ‎01-22-2019

Hi there,

All of the SSL/TLS vulnerabilities will be resolved by upgrading the system image to mitigate the applicable CVE numbers.

Specific SSH issues can be resolved by setting the ssl cipher, however old versions of software may not have more secure ciphers available, so the image may need to be upgraded.

The telnet issue can be fixed by enforcing ssh on the VTY:

!
line vty 0 15
  transport input ssh
!

The HTTP issue can be resolved with

!
no ip http server
!

cheers,

Seb.

dbrill001 · ‎01-22-2019

For catalyst 3560x models don't you have to have a contract to download or am I click the wrong area?

Seb Rupik · ‎01-22-2019

Typically yes.

If you don't have a service contract for any vulnerability you can go via:

https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

...and request a fixed software release. I have heard reports that this method works, but also some people saying their request was refused. Just don't make a habit of requesting software without contract!

cheers,

Seb.