Ethical Hacking Vulnerability Remediations

macgyver0099_1
Level 1

Hello,

 

We had an internal scan of our network by an Ethical Hacking team. They identified several vulnerabilities that needed to be fixed. I got a hold of Cisco, who then recommended an IOS upgrade for our switch. After I upgraded the switch, another scan was performed, and several items were identified as vulnerable. I could figure out how to fix several of these items. Specifically, the following items showed up on the report that I couldn't remediate. My question is, what do I need to do, if anything, to fix the identified vulnerabilities using the recommended IOS? Or does the switch just need to be upgraded, and if so, to what model?

 

SF302-08PP-K9 - Software Version 1.4.11.5

* X.509 Server Certificate Is Invalid/Expired (tls-server-cert-expired)

* TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)

* SHA-1-based Signature in TLS/SSL Server X.509 Certificate (tls-server-cert-sig-alg-sha1)

* Weak Cryptographic Key (weak-crypto-key)

* TLS/SSL Server Does Not Support Any Strong Cipher Algorithms (ssl-only-weak-ciphers)

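The five finding IDs in the report each correspond to one concrete property of the switch's HTTPS service: the certificate's expiry date, its signature algorithm, its key size, and the key-exchange and cipher strength of the suites it offers. The script below is an added example (not from this thread, Cisco, or the scanning vendor) that re-checks those same properties from an `openssl x509 -text -noout` dump and a cipher-suite inventory, so a remediation can be confirmed locally before the next scan. The certificate text, cipher lists, scan date and the 2048-bit key threshold are all constructed assumptions for illustration; the finding IDs are the ones from the report.

```python
"""Re-check the five TLS/X.509 findings from the scan report against an
`openssl x509 -text -noout` dump and a cipher-suite inventory."""
import re
import ssl
from datetime import datetime, timezone

# Constructed sample in the layout printed by `openssl x509 -text -noout`.
# All values are made up for illustration; this is not the switch's real certificate.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = switch-self-signed
        Validity
            Not Before: Jan  1 00:00:00 2014 GMT
            Not After : Jan  1 00:00:00 2019 GMT
        Subject: CN = switch-self-signed
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

# Constructed cipher inventories in OpenSSL naming, as `openssl ciphers -v` or a
# scanner would record them.  The second list offers nothing strong at all.
SAMPLE_CIPHERS = ["AES128-SHA", "DES-CBC3-SHA", "RC4-MD5",
                  "ECDHE-RSA-AES128-GCM-SHA256"]
WEAK_ONLY_CIPHERS = ["DES-CBC3-SHA", "RC4-MD5"]

# Assumed scan date, so the expiry check is deterministic.
SCAN_DATE = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Substrings that mark a suite as weak: broken or 64-bit block ciphers,
# no encryption, export grades, or an MD5 MAC.
WEAK_TOKENS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def parse_x509_text(text):
    """Extract signature algorithm, RSA key size and notAfter from the text dump."""
    sig_alg = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    key_bits = int(re.search(r"Public-Key:\s*\((\d+) bit\)", text).group(1))
    raw = re.search(r"Not After\s*:\s*(.+)", text).group(1)
    # openssl pads single-digit days with a space ("Jan  1"); collapse it first.
    not_after = datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y %Z")
    return {"sig_alg": sig_alg, "key_bits": key_bits,
            "not_after": not_after.replace(tzinfo=timezone.utc)}


def cert_findings(cert_text, now=SCAN_DATE, min_key_bits=2048):
    """Map the certificate's properties onto the report's certificate findings."""
    cert = parse_x509_text(cert_text)
    findings = set()
    if cert["not_after"] <= now:
        findings.add("tls-server-cert-expired")
    if cert["sig_alg"].lower().startswith("sha1"):
        findings.add("tls-server-cert-sig-alg-sha1")
    if cert["key_bits"] < min_key_bits:  # assumed threshold, not the scanner's exact rule
        findings.add("weak-crypto-key")
    return findings


def classify_cipher(name):
    """Return the tags one OpenSSL suite name contributes to."""
    tags = set()
    # Without an ECDHE/DHE key exchange (or a TLS 1.3 name) the server's RSA key
    # is used for key transport: a static key and no forward secrecy.
    if not name.startswith(("ECDHE-", "DHE-", "TLS_")):
        tags.add("ssl-static-key-ciphers")
    if any(tok in name for tok in WEAK_TOKENS):
        tags.add("weak")
    return tags


def cipher_findings(ciphers):
    """Map a cipher inventory onto the report's two cipher findings."""
    tags = [classify_cipher(c) for c in ciphers]
    findings = set()
    if any("ssl-static-key-ciphers" in t for t in tags):
        findings.add("ssl-static-key-ciphers")
    # "No strong cipher" means every offered suite is weak; an empty list is not a finding.
    if ciphers and all("weak" in t for t in tags):
        findings.add("ssl-only-weak-ciphers")
    return findings


def audit(cert_text, ciphers, now=SCAN_DATE):
    """Combine both check families into the set of finding IDs that would still fire."""
    return cert_findings(cert_text, now) | cipher_findings(ciphers)


def local_stack_cipher_findings():
    """Run the cipher checks against what this host's OpenSSL offers by default."""
    names = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    return cipher_findings(names)


if __name__ == "__main__":
    print("sample endpoint:", sorted(audit(SAMPLE_CERT_TEXT, SAMPLE_CIPHERS)))
    print("weak-only endpoint:", sorted(audit(SAMPLE_CERT_TEXT, WEAK_ONLY_CIPHERS)))
    print("local OpenSSL defaults:", sorted(local_stack_cipher_findings()))
```

To use it against a real device, capture the certificate with `openssl s_client -connect <host>:443 </dev/null | openssl x509 -text -noout` and feed that text to `cert_findings`; the cipher list comes from whatever the scanner reported as supported. Note that on a platform whose last firmware is already published, the checks can only tell you which findings a configuration change (a fresh certificate, disabling weak suites) would clear and which remain because the firmware itself cannot be changed.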
Accepted Solution

Leo Laohoo
Hall of Fame

@macgyver0099_1 wrote:

I got a hold of Cisco who then recommended an IOS upgrade for our switch.


This response from TAC is neither correct nor wrong. 

The model of the switch is already past end-of-sale date (04 October 2018) and the last day for software support is 04 October 2019.  

The firmware version 1.4.11.5 was released back in June 2020.  So this means: 

  1. 1.4.11.5 is the "LAST" firmware.  No more firmware to be expected.  
  2. Any new software vulnerabilities discovered since then are not fixed by this "latest" version.  

The only solution that I can see is a hardware upgrade of the switch to something newer.


2 Replies


Joseph W. Doherty
Hall of Fame

Cannot say for sure, but it's possible some, maybe even all, of those vulnerabilities might be "plugged" by disabling features and/or using interface ACLs to block some specific feature access.  (I'm not current on this software, which is why I'm unsure.)

That noted, even if you can mitigate all those issues, as @Leo Laohoo notes, new security issues will not be fixed, or possibly even noted, by Cisco as an issue for EoL software.  So, a newer platform should very much be considered, as suggested by Leo, if on-going security is important to you.