Dear Experts,
We currently have a Cisco 3925E router and are using (C3900e-UNIVERSALK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1). In order to pass PCI DSS metrics we need to pass their vulnerability test, and an nmap scan is showing a "diffie-hellman-group1-sha1" vulnerability in SSH (output below):
nmap -Pn xx.xx.xx.xx --script ssh2-enum-algos -p 22
Nmap scan report for (xx.xx.xx.xx)
Host is up (0.062s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms (3)
| diffie-hellman-group-exchange-sha1
| diffie-hellman-group14-sha1
| diffie-hellman-group1-sha1
...
Can you please confirm how I can resolve this vulnerability? If I have to upgrade the IOS, then please specify which version I should opt for. Much appreciated.