ACS 5.5 - SSH is configured to allow MD5 and 96-bit MAC algorithms for client to server communication

Our network security testers have identified a vulnerability in our ACS 5.5 system. SSH is configured to allow MD5 and 96-bit MAC algorithms for client to server communication. These algorithms are assumed to be weak by the testers. How can we set the ACS to only use more secure SSH connections?

The SSH command in the CLI doesn't appear to give encryption options.

Thanks.

3 Replies

cciesec2011
Level 3

First of all, how do you determine that the ACS server is accepting MD5 and 96-bit MAC algorithms?

I tested on the ACS 5.4 patch 6 and I am not seeing anything for MD5:

CentOS-linux>ssh -m hmac-sha1 -l admin 192.168.1.55
Copyright (c) 2012 Cisco Systems, Inc. All rights Reserved

Password:
Last login: Mon Jun 30 20:30:47 2014 from 150.123.148.239
Copyright (c) 2012 Cisco Systems, Inc. All rights Reserved

acs1/admin# exit
Connection to 192.168.1.55 closed.

CentOS-linux>ssh -m hmac-md5 -l admin 192.168.1.55
no matching mac found: client hmac-md5 server hmac-sha1
CentOS-linux>

Where did you get that information from, some system scanners?

Hi, I ran a variation of cciesec2011's command with 8 hmac variations; the results indicate that all of the encryption levels can be used.

echo | ssh -v -m hmac-sha1 admin@localhost 2>&1 | grep "kex"

I substituted -sha1 for md5, ripemd160, sha1-96, md5-96, sha2-256, sha2-512 and umac-64@openssh.com

We are still trying to find out how to disable specific low encryption levels within the ACS GUI or command line.
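An added example (my own, not code from this thread or from Cisco ACS) that reads the captured `ssh -v` output of probes like the ones above and reports which MD5 or 96-bit MACs the server actually negotiated or advertised, so the result of eight manual runs can be summarised in one place. The captures below are constructed and the host 192.0.2.10 is a placeholder.

```python
import re

# Constructed captures (not output from the poster's ACS host) of
#   echo | ssh -v -m <mac> admin@192.0.2.10 2>&1 | grep -iE "kex|mac"
# covering both "kex:" line formats OpenSSH has printed and both refusal messages.
CAPTURES = {
    "hmac-sha1": (
        "debug1: kex: server->client aes128-ctr hmac-sha1 none\n"
        "debug1: kex: client->server aes128-ctr hmac-sha1 none\n"
    ),
    "hmac-md5-96": (
        "debug1: kex: server->client cipher: aes128-ctr MAC: hmac-md5-96 compression: none\n"
        "debug1: kex: client->server cipher: aes128-ctr MAC: hmac-md5-96 compression: none\n"
    ),
    "hmac-md5": "no matching mac found: client hmac-md5 server hmac-sha1\n",
    "hmac-sha2-256": (
        "Unable to negotiate with 192.0.2.10 port 22: "
        "no matching MAC found. Their offer: hmac-sha1,hmac-md5-96\n"),
}

KEX_NEW = re.compile(r"kex: (client->server|server->client) cipher: \S+ MAC: (\S+)")
KEX_OLD = re.compile(r"kex: (client->server|server->client) \S+ (\S+) \S+$")
OFFER = re.compile(r"no matching MAC found\. Their offer: (\S+)", re.IGNORECASE)

def is_weak_mac(mac: str) -> bool:
    """MD5-based or 96-bit-truncated MACs, the two classes the testers flagged."""
    name = mac.lower().replace("-etm@openssh.com", "")
    return "md5" in name or name.endswith("-96")

def negotiated_macs(capture: str) -> dict:
    """Direction -> MAC from the 'kex:' lines of one successful ssh -v session."""
    result = {}
    for line in capture.splitlines():
        m = KEX_NEW.search(line) or KEX_OLD.search(line)
        if m:
            result[m.group(1)] = m.group(2)
    return result

def offered_macs(capture: str) -> list:
    """The server's whole MAC list, if ssh printed a 'Their offer:' refusal."""
    m = OFFER.search(capture)
    return m.group(1).split(",") if m else []

def weak_macs_seen(captures: dict) -> set:
    """Weak MACs the server either negotiated or advertised across all probes."""
    seen = set()
    for capture in captures.values():
        seen.update(negotiated_macs(capture).values())
        seen.update(offered_macs(capture))
    return {mac for mac in seen if is_weak_mac(mac)}
```

Calling weak_macs_seen(CAPTURES) on the constructed captures returns {'hmac-md5-96'}; hmac-md5 is absent because the server refused it, which is the distinction a scanner report alone does not make.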

Did you find a solution to this? I am trying to find out how to do this as well.