04-18-2019 11:38 AM
Hi,
Recently, we conducted a network-wide audit scan. Most of the results of this audit were easy to figure out; however, one switch in particular - a WS-C2960S-48FPS-L running IOS 12.2(55r)SE - was found to have several certificate errors that seem to be something that should be found on a firewall. The only thing I could relate these to were my crypto key configuration, which I increased from 1024 bits to 2048, and enabled SSHv2. I'm not sure if there is anything else I can do. Does anyone have any ideas what these mean and what else might need to be done?
* Certificate Subject CN Does Not Match the Entity Name (certificate-common-name-mismatch)
* TLS/SSL Server Supports DES and IDEA Cipher Suites (ssl-des-ciphers)
* Untrusted TLS/SSL server X.509 certificate (tls-untrusted-ca)
* MD5-based Signature in TLS/SSL Server X.509 Certificate (tls-server-cert-sig-alg-md5)
* TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32) (ssl-cve-2016-2183-sweet32)
* TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566) (rc4-cve-2013-2566)
* TLS/SSL Server is enabling the BEAST attack (ssl-cve-2011-3389-beast)
* Self-signed TLS/SSL certificate (ssl-self-signed-certificate)
* TLS/SSL Server Supports SSLv3 (sslv3-supported)
* TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)
* Weak Cryptographic Key (weak-crypto-key)
* TLS/SSL Server Supports 3DES Cipher Suite (ssl-3des-ciphers)
* TLS/SSL Server Does Not Support Any Strong Cipher Algorithms (ssl-only-weak-ciphers)
04-18-2019 02:02 PM
Do you really need the web-server on the switch? If not, disable it:
no ip http server
no ip http secure-server
04-22-2019 02:51 PM
Got that one. Anything else?
04-24-2019 01:55 PM
All mentioned messages were about weak crypto in TLS/SSL. When the webserver is disabled, the vulnerabilities are not exploitable any more. When you need the webserver anytime in the future, you should upgrade the switch and configure your TLS settings according to your security policy.
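An offline way to verify the remediation discussed in this answer (HTTP and HTTPS server disabled) together with the SSHv2 and SSH-only vty access the original poster mentioned, written as an added example rather than anything from the thread: it parses a constructed running-config excerpt, the `ip http server`, `ip http secure-server`, `ip ssh version 2` and `transport input` commands are standard IOS syntax, and the check names are my own.

```python
import re

# Constructed running-config excerpt for demonstration (not from any real device).
SAMPLE_CONFIG = """\
hostname SW-EXAMPLE
ip ssh version 2
ip http server
no ip http secure-server
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""


def _global_state(lines, command):
    """True if `command` is set, False if negated with 'no', None if absent."""
    state = None
    for line in lines:
        if line == command:
            state = True
        elif line == "no " + command:
            state = False
    return state


def _vty_transports(lines):
    """Map each 'line vty' block to its 'transport input' protocols (None if unset)."""
    blocks, current = {}, None
    for line in lines:
        if not line.startswith(" ") and line.strip().startswith("line vty "):
            current = line.strip()
            blocks[current] = None
        elif line.startswith(" ") and current:
            m = re.match(r"\s+transport input (.+)", line)
            if m:
                blocks[current] = set(m.group(1).split())
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the vty block
    return blocks


def audit_ios_config(config):
    """Return {check: 'pass' | 'fail' | 'unknown'} for the hardening points in the thread."""
    lines = config.splitlines()
    stripped = [l.strip() for l in lines]
    results = {}
    for check, cmd in (("http_server", "ip http server"),
                       ("http_secure_server", "ip http secure-server")):
        state = _global_state(stripped, cmd)
        # Absent means the platform default applies, which may be enabled: verify on the box.
        results[check] = "unknown" if state is None else ("fail" if state else "pass")
    results["ssh_version_2"] = "pass" if "ip ssh version 2" in stripped else "fail"
    vty = _vty_transports(lines)
    bad = [name for name, t in vty.items() if t is None or t != {"ssh"}]
    results["vty_ssh_only"] = "pass" if vty and not bad else "fail"
    return results


if __name__ == "__main__":
    for check, status in audit_ios_config(SAMPLE_CONFIG).items():
        print(f"{check:20s} {status}")
```

Feed it the output of `show running-config`; a `fail` on `http_server` or `http_secure_server` means the web server the scan findings relate to is still reachable.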
04-19-2019 06:40 PM - edited 04-19-2019 06:41 PM
@macgyver0099_1 wrote:
12.2(55r)SE
That is not the IOS version but the bootstrap. What is the exact IOS version?
@macgyver0099_1 wrote:
what else might need to be done
Upgrade the firmware of the switch.
04-22-2019 02:51 PM
boot system disk0:/asa983-16-smp-k8.bin
boot system disk0:/asa982-20-smp-k8.bin
04-24-2019 01:52 PM
This is for an ASA Firewall, not for a switch ...
04-25-2019 07:41 AM
Many apologies. I was working on another issue while replying. Here's an example of one IOS:
SW Version: 12.2(55)SE5
SW Image: C2960S-UNIVERSALK9-M
Flash configuration: c2960s-universalk9-mz.122-55.SE5