10-14-2021 04:07 AM
Our vulnerability scan found that all 4948 and 3750 switches have a vulnerability of "SSH Birthday attacks on 64-bit block ciphers (SWEET32)".
However, the other models like 3650/3850/4500 do not have this vulnerability. Could anyone help me understand why only a few models are affected and what I can do to fix this?
The bug search on cisco suggested there is no workaround which seems strange - https://quickview.cloudapps.cisco.com/quickview/bug/CSCvf45855
10-14-2021 04:30 AM
@gryffindor wrote:
what can I do to fix this
Upgrade the firmware.
10-14-2021 04:38 AM
Hi Leo,
switch is already on recommended ios i.e. Version 15.2(4)E10.
I was wondering, if there were some config changes that can be made.
10-14-2021 04:50 AM - edited 10-14-2021 04:52 AM
@gryffindor wrote:
if there were some config changes that can be made.
Compared to what version?
Seriously, I'd be more interested to know if VStack is still enabled or not.
10-14-2021 05:09 AM
Hello @gryffindor ,
I have tried to use the following command
switch(config)#ip ssh client algorithm encryption ?
  3des-cbc    Three-key 3DES in CBC mode
  aes128-cbc  AES with 128-bit key in CBC mode
  aes128-ctr  AES with 128-bit key in CTR mode
  aes192-cbc  AES with 192-bit key in CBC mode
  aes192-ctr  AES with 192-bit key in CTR mode
  aes256-cbc  AES with 256-bit key in CBC mode
  aes256-ctr  AES with 256-bit key in CTR mode
I have used
ip ssh client algo aes256-ctr
But after some tests I have seen it is not really effective, as it does not prevent the use of DES or 3DES ciphers, so I would say there is no workaround.
Hope to help
Giuseppe
10-14-2021 05:42 AM
Hi Giuseppe,
Thanks. I also tried the same but it didn't help.
I had one more query if you could help. I was looking to fix weak key exchange algorithms on my switch. I could do it on 3650 switch with command
ip ssh server algorithm kex diffie-hellman-group14-sha1
but this command is not accepted on 4948 and 3750 switches. Is there anything that I am missing?
05-22-2023 02:23 AM
As far as weak ciphers, disable SSHv1 and TLS versions 1.0/1.1. To disable SSHv1 and remove Cipher Block Chaining and 3DES ciphers, you should be able to do the following in Global Config mode:
ip ssh version 2 !disable V1
ip ssh server algorithm encryption aes256-ctr aes128-ctr
ip ssh server algorithm mac hmac-sha1
no ip ssh server algorithm mac hmac-sha1-96
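As an added example, not code from this thread or from Cisco: a Python script that reads an SSH server's KEXINIT offer (the algorithm lists a vulnerability scanner inspects) and flags 64-bit block ciphers such as 3des-cbc, CBC-mode ciphers, and weak key-exchange methods. It applies both to Giuseppe's test of `ip ssh client algorithm encryption` and to the `ip ssh server algorithm encryption aes256-ctr aes128-ctr` configuration in the post above. The two embedded offers are constructed samples, one modeled on the cipher list in the `?` output earlier in the thread and one on the restricted server offer configured above; they are not captures from a real switch. Host, port and the client version string `SSH-2.0-kexinit_audit` are assumptions.

```python
"""Parse an SSH server's KEXINIT and flag 64-bit block ciphers (SWEET32),
CBC-mode ciphers and weak key-exchange methods."""
import socket
import struct

SSH_MSG_KEXINIT = 20
# Ciphers with a 64-bit block size, the cipher class SWEET32 concerns.
SWEET32_CIPHERS = {"3des-cbc", "blowfish-cbc", "cast128-cbc", "des-cbc"}
# Key-exchange methods scanners commonly report as weak (1024-bit group / SHA-1 group exchange).
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}

KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(buf: bytes, off: int):
    """Read one RFC 4251 name-list (uint32 length + comma-separated ASCII names)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return [x for x in raw.split(",") if x], off + n


def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload (RFC 4253 section 7.1) into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    off = 1 + 16  # message byte + 16-byte cookie
    out = {}
    for field in KEXINIT_FIELDS:
        out[field], off = _name_list(payload, off)
    return out


def build_kexinit(**lists) -> bytes:
    """Build a KEXINIT payload from name-lists; used here only for constructed samples."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows=0, reserved=0


def assess(kexinit: dict) -> dict:
    """Return the weak algorithms present in a parsed KEXINIT offer."""
    ciphers = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    return {
        "sweet32": sorted(ciphers & SWEET32_CIPHERS),
        "cbc": sorted(c for c in ciphers if c.endswith("-cbc")),
        "weak_kex": sorted(set(kexinit["kex"]) & WEAK_KEX),
    }


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Exchange version strings with a live server and return its KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexinit_audit\r\n")  # assumed client identification string
        rfile = sock.makefile("rb")
        while True:  # servers may send banner lines before the version string
            line = rfile.readline()
            if not line:
                raise ConnectionError("server closed connection before version string")
            if line.startswith(b"SSH-"):
                break
        packet_len, pad_len = struct.unpack(">IB", rfile.read(5))
        body = rfile.read(packet_len - 1)  # payload + padding; no MAC before key exchange
        return body[:packet_len - 1 - pad_len]


# Constructed sample modeled on the cipher list in the thread's "?" output; not a real capture.
LEGACY_OFFER = build_kexinit(
    kex=["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    host_key=["ssh-rsa"],
    enc_c2s=["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    enc_s2c=["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    mac_c2s=["hmac-sha1", "hmac-sha1-96"], mac_s2c=["hmac-sha1", "hmac-sha1-96"],
    comp_c2s=["none"], comp_s2c=["none"],
)
# Constructed sample of an offer restricted the way the post above configures the server.
HARDENED_OFFER = build_kexinit(
    kex=["diffie-hellman-group14-sha1"], host_key=["ssh-rsa"],
    enc_c2s=["aes256-ctr", "aes128-ctr"], enc_s2c=["aes256-ctr", "aes128-ctr"],
    mac_c2s=["hmac-sha1"], mac_s2c=["hmac-sha1"], comp_c2s=["none"], comp_s2c=["none"],
)

if __name__ == "__main__":
    import sys
    payload = fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1 else LEGACY_OFFER
    print(assess(parse_kexinit(payload)))
```

Run it with a switch address as the first argument to see what the server actually offers after the configuration change; an empty `sweet32` list means 3des-cbc is no longer in the server's offer, which is what the scanner finding is based on. Without an argument it assesses the constructed legacy offer.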
08-28-2023 11:15 AM
Has this worked? I'm also facing this issue on my 3750.