SSL Medium Strength Cipher Suites Supported vulnerability

poirot1967 · ‎02-19-2010

Kind of an odd thing. We just had a vulnerability scan and a 2960 got pinged for supporting medium strength SSL cipher suites. I say strange cause I have 3 others that have the same IOS image and they didn't get pinged. Swap out the management IP address and they are all the same. They are all running 12.2(52)SE C2960-LANBASEK9-M, with a 768 bit keys. Here is the text of the vulnerability :

Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

Reconfigure the affected application if possible to avoid use of medium strength ciphers. / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Plugin output : Here are the medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv3 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

Can someone point me in the right direction on how to re-configure the switch to pass this test?

Thanks

Poirot

Panos Kampanakis · ‎02-22-2010

I believe the alert there is because you are using a 768 key which was broken recently (Jan 2010 a paper was published on it with results from efforts that took 4 years to break 768 keys). 768bit RSA keys is not considered secure enough any more.

I would suggest you to configure keys of 1024 on these switches and try again.

I hope it helps.

PK

poirot1967 · ‎02-22-2010

Thanks for the reply. I zeroed the key of one of switches and started a scan on it. I will let you know if that fixes it.

Poirot

poirot1967 · ‎02-23-2010

I zeroed the RSA key and generated a 1024 bit replacement. Saved it, restarted the secure http server, and ran the Gideon scan against it. I am still getting the same vulnerability. Is there a way to turn off an individual cypher suite running in IOS?

Poirot

Panos Kampanakis · ‎02-23-2010

You cannot disable ciphersuites.

Try if "ip ssh version 2" helps.

Also check the difference in ssh and crypto key between the routers that don't see the vulnerability reports.

PK

poojaryp1974 · ‎05-26-2021

Hi Panos,

I iam facing the same issue in switch.what will be solution.

I am looking forward your reply.

Thanks,

Prashanth

dfultz · ‎03-24-2010

Have the exact same issue.

I have 1024 crypto keys and ip ssh version 2 in the config.

Still shows up a vulnerability after re-scanning (using Tenable Nessus).

This happens on 2960, 3550, & 3750's.

poirot1967 · ‎03-24-2010

Yeah. I told our ISSO that it was something that it would have to be deemed an acceptable risk as there was not a 'fix' for it.

Poirot