cisco WS-C3650-24TS SSH Weak MAC Algorithms Enabled

johntug (Level 1)

Hi,

We received a nessus scan regarding SSH Weak MAC Algorithms Enabled. Would like to ask how to remediate it?

Below are the information:

Model: cisco WS-C3650-24TS (MIPS)

Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 28 WS-C3650-24TS 16.12.10 CAT3K_CAA-UNIVERSALK9 INSTALL

#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits

I browsed other forums and it seems the solution is the one below:

#ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr

1. Is this the right solution?

2. If this is the right command, what parameters should I include after "encryption" based on the show ip ssh output above?

3. Is there a command to test whether the fix is applied?

Thank you

John

M02@rt37 (VIP)

Hello @johntug

1. Yes, this command restricts the SSH server to use more secure encryption algorithms and helps mitigate the vulnerability associated with weak MAC.

2. The command you provided already includes the appropriate encryption algorithms. The output of 'show ip ssh' indicates that your switch supports AES-128-CTR, AES-192-CTR, and AES-256-CTR for encryption. These are strong algorithms, and the command is correctly configured.

3. Unfortunately, there isn't a direct command to test the fix, but you can verify that the changes have taken effect by executing the 'show ip ssh' command again. Ensure that the output reflects the updated list of encryption algorithms.


Best regards
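Editor's note with an added worked example (not part of the original thread, and not Cisco's code). The Nessus finding is about the MAC list, not the cipher list: on IOS-XE the two are configured independently, so `ip ssh server algorithm encryption ...` leaves `hmac-sha1` and `hmac-sha1-96` in place. The MAC list is set with `ip ssh server algorithm mac <list>` (the SHA-1 key-exchange methods in the same output are a separate, commonly co-reported finding and are handled with `ip ssh server algorithm kex <list>`; confirm with `?` on your image that the kex form is accepted before relying on it). The script below parses the `show ip ssh` output from the post, lists the algorithms a scanner would flag, and prints the remediation commands plus client-side probes you can run to confirm the fix. The `WEAK` sets and the "hardened" sample output are my assumptions, constructed for the example.

```python
"""Audit a 'show ip ssh' capture for weak MAC/KEX algorithms and emit
the IOS-XE commands that remove them. Added example; not Cisco code."""
import re

# Constructed sample: the 'show ip ssh' output posted in the question.
SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
"""

# Constructed sample (assumption): what the same command shows after the fix.
SHOW_IP_SSH_HARDENED = """\
SSH Enabled - version 2.0
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
"""

# Algorithms scanners typically flag (assumed set). hmac-sha1-96 is a truncated
# 96-bit tag; the others are flagged for MD5/SHA-1 use or small DH groups.
WEAK = {
    "mac": {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"},
    "kex": {"diffie-hellman-group1-sha1",
            "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
}

# Map the 'show ip ssh' label to the keyword used by
# 'ip ssh server algorithm <keyword> ...'.
LABELS = {"MAC Algorithms": "mac", "KEX Algorithms": "kex",
          "Encryption Algorithms": "encryption", "Hostkey Algorithms": "hostkey"}


def parse_show_ip_ssh(text):
    """Return {'mac': [...], 'kex': [...], ...} in the device's own order."""
    algos = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+ Algorithms):(.*)$", line.strip())
        if m and m.group(1) in LABELS:
            algos[LABELS[m.group(1)]] = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return algos


def weak_algorithms(algos):
    """Weak entries per category, preserving the order the server offers them."""
    return {kind: [a for a in algos.get(kind, []) if a in WEAK[kind]] for kind in WEAK}


def remediation_commands(algos):
    """Config lines that re-advertise only the strong algorithms already supported.
    Order is preserved because IOS-XE treats the list as a preference order."""
    cmds = []
    for kind in ("mac", "kex"):
        offered = algos.get(kind, [])
        keep = [a for a in offered if a not in WEAK[kind]]
        if keep and keep != offered:
            cmds.append(f"ip ssh server algorithm {kind} " + " ".join(keep))
    return cmds


def client_probes(host, user, algos):
    """OpenSSH client commands that force a weak MAC/KEX. After the fix each
    one must be refused by the switch ('no matching MAC found' / 'no matching
    key exchange method found'); a successful login means the fix is not in."""
    probes = []
    for mac in weak_algorithms(algos)["mac"]:
        probes.append(f"ssh -o MACs={mac} {user}@{host} exit")
    for kex in weak_algorithms(algos)["kex"]:
        probes.append(f"ssh -o KexAlgorithms={kex} {user}@{host} exit")
    return probes


if __name__ == "__main__":
    before = parse_show_ip_ssh(SHOW_IP_SSH)
    print("weak:", weak_algorithms(before))
    print("\n".join(remediation_commands(before)))
    print("\n".join(client_probes("switch.example.invalid", "admin", before)))
    print("after fix, remaining remediation:", remediation_commands(parse_show_ip_ssh(SHOW_IP_SSH_HARDENED)))
```

Apply the printed `ip ssh server algorithm mac ...` line in global configuration mode and re-run `show ip ssh`; the MAC line should then read `hmac-sha2-256,hmac-sha2-512`. For an independent check from outside the box, `nmap -p 22 --script ssh2-enum-algos <switch>` lists exactly what the server still advertises, which is what the scanner saw.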