C2960X Switch Weak MAC Algorithms

test52 · ‎05-07-2024

We performed vulnerability scan on our C2960X switches and found the following message:

Checks the supported MAC algorithms (client-to-server and
server-to-client) of the remote SSH server.

Currently weak MAC algorithms are defined as the following:
- MD5 based algorithms

- 96-bit based algorithms

- none algorithm

We saw that the output of MAC Algorithms in "show ip ssh" is hmac-sha1, hmac-sha1-96.

Is there firmware versions that support hmac-sha2 for C2960X switch? If not, should we remove hmac-sha1-96 from the list of MAC algorithms by the command "ip ssh server algorithm mac hmac-sha1"? Our current firmware version is 15.0(2a)EX5, model is WS-C2960X-24TS-L.

DanielP211 · ‎05-07-2024

Hello!

I would definatly upgrade to the recommended version 15.2.7E9. Your version is very old. I cheched the version 15.2.7(E7) which I have and the supported algorithms for MAC are:
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96

BR

****Kindly rate all useful posts*****

C2960X Switch Weak MAC Algorithms

SSH Weak MAC Algorithms Enabled

SSH Weak Key Exchange Algorithms Enabled

Cisco Switch - SSH version 2 - MAC Algorithms

catalyst switches SSH Weak MAC Algorithms

November 21st: Weak ciphers being disabled for Umbrella and OpenDNS