Ethical Intruder Switch Vulnerability

macgyver0099_1 (Level 1)

Hi,


Recently, we conducted a network-wide audit scan.  Most of the results of this audit were easy to figure out; however, one switch in particular - a WS-C2960S-48FPS-L running IOS 12.2(55r)SE - was found to have several certificate errors that seem to be something that should be found on a firewall.  The only thing I could relate these to was my crypto key configuration, which I increased from 1024 bits to 2048, and enabled SSHv2.  I'm not sure if there is anything else I can do.  Does anyone have any ideas what these mean and what else might need to be done?


* Certificate Subject CN Does Not Match the Entity Name (certificate-common-name-mismatch)

* TLS/SSL Server Supports DES and IDEA Cipher Suites (ssl-des-ciphers)

* Untrusted TLS/SSL server X.509 certificate (tls-untrusted-ca)

* MD5-based Signature in TLS/SSL Server X.509 Certificate (tls-server-cert-sig-alg-md5)

* TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32) (ssl-cve-2016-2183-sweet32)

* TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566) (rc4-cve-2013-2566)

* TLS/SSL Server is enabling the BEAST attack (ssl-cve-2011-3389-beast)

* Self-signed TLS/SSL certificate (ssl-self-signed-certificate)

* TLS/SSL Server Supports SSLv3 (sslv3-supported)

* TLS/SSL Server Supports The Use of Static Key Ciphers (ssl-static-key-ciphers)

* Weak Cryptographic Key (weak-crypto-key)

* TLS/SSL Server Supports 3DES Cipher Suite (ssl-3des-ciphers)

* TLS/SSL Server Does Not Support Any Strong Cipher Algorithms (ssl-only-weak-ciphers)

7 Replies

Do you really need the web-server on the switch? If not, disable it:

no ip http server
no ip http secure-server

Got that one.  Anything else?

All the messages mentioned are about weak crypto in TLS/SSL. When the web server is disabled, the vulnerabilities are no longer exploitable. If you need the web server at any time in the future, you should upgrade the switch and configure your TLS settings according to your security policy.
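A check to go with the two replies above (disable the web server, or upgrade and set the TLS configuration), added here as an example and not something posted in the thread: a POSIX shell script that uses the openssl CLI from a Linux jump host to re-test the switch's HTTPS port against the audit items listed in the original post. The switch address, the port and the cipher lists offered are assumptions; the finding IDs are copied from the audit list. After `no ip http secure-server` every handshake should come back as rejected.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or Cisco's code): re-test a
# switch's HTTPS service with the openssl CLI so that after
# "no ip http secure-server" (or a cipher-suite change) you can confirm the
# audit items are actually gone. Host, port and the cipher lists tried are
# assumptions; the finding IDs are the ones from the audit list.
#
# Usage: sh switch_tls_check.sh <switch-ip> [port]

# Map one negotiated protocol/cipher pair (OpenSSL names) to the audit's
# finding IDs. Pure string logic, no network, so it can be exercised alone.
findings_for() {
    cipher=$1; proto=$2; out=""
    case "$proto" in
        SSLv3) out="$out sslv3-supported" ;;
    esac
    case "$cipher" in
        *RC4*) out="$out rc4-cve-2013-2566" ;;
    esac
    case "$cipher" in
        *DES-CBC3*|*3DES*) out="$out ssl-3des-ciphers ssl-cve-2016-2183-sweet32" ;; # 64-bit block
        DES-CBC-*|*IDEA*)  out="$out ssl-des-ciphers" ;;                            # single DES / IDEA
    esac
    # BEAST (CVE-2011-3389) targets CBC suites under SSLv3 or TLS 1.0; below
    # TLS 1.2 every non-RC4, non-NULL suite is CBC, so flag those.
    case "$proto:$cipher" in
        *RC4*|*NULL*) ;;
        SSLv3:*|TLSv1:*) out="$out ssl-cve-2011-3389-beast" ;;
    esac
    # Plain RSA key exchange (no DHE/ECDHE prefix in the OpenSSL name) is a
    # static-key suite: no forward secrecy.
    case "$cipher" in
        DHE-*|ECDHE-*|EDH-*|ADH-*|AECDH-*) ;;
        *) out="$out ssl-static-key-ciphers" ;;
    esac
    printf '%s\n' "${out# }"
}

# Offer the switch one protocol flag and cipher list; print "proto cipher" if it
# accepted, return 1 if not. Caveat: OpenSSL 1.1.0+ will not even offer
# RC4/DES/MD5 suites without @SECLEVEL=0, and many distro builds have -ssl3
# (sometimes -tls1) compiled out, so "rejected" from this client is not proof
# the switch rejects it; confirm with a build that still supports them.
probe() {
    host=$1; port=$2; protoflag=$3; cipherlist=$4
    session=$(printf 'Q\n' | openssl s_client -connect "$host:$port" "$protoflag" \
        -cipher "$cipherlist:@SECLEVEL=0" 2>/dev/null) || true
    proto=$(printf '%s\n' "$session" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    ciph=$(printf '%s\n' "$session" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$ciph" in
        ""|0000|"(NONE)") return 1 ;;
    esac
    printf '%s %s\n' "$proto" "$ciph"
}

# Pull the server certificate and show the fields behind the certificate
# findings: issuer equal to subject means self-signed, "md5WithRSAEncryption"
# is the MD5-signature item, "(1024 bit)" is the weak key, and the subject CN
# has to match the name the scanner connected to.
show_cert() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -text 2>/dev/null \
        | grep -E '^(subject|issuer)=|Signature Algorithm|Public-Key' | sort -u
}

host=${1:-}; port=${2:-443}
if [ -z "$host" ]; then
    echo "usage: $0 <switch-ip> [port]" >&2
else
    echo "== certificate on $host:$port"; show_cert "$host" "$port"
    echo "== handshakes (all rejected = HTTPS server is off, as in the first reply)"
    # Each entry: s_client protocol flag, then the OpenSSL cipher list to offer.
    for combo in "-ssl3 ALL" "-tls1 RC4" "-tls1 DES-CBC3-SHA" \
                 "-tls1 DES-CBC-SHA:IDEA-CBC-SHA" "-tls1 AES128-SHA" \
                 "-tls1_2 ECDHE-RSA-AES128-GCM-SHA256"; do
        set -- $combo                    # split into flag and cipher list
        if result=$(probe "$host" "$port" "$1" "$2"); then
            set -- $result               # "proto cipher" as printed by probe
            echo "accepted  $1 $2  -> $(findings_for "$2" "$1")"
        else
            echo "rejected  $combo"
        fi
    done
fi
```

If the last probe (TLS 1.2 with an ECDHE/AES-GCM suite) is rejected while the earlier ones are accepted, that is the "does not support any strong cipher algorithms" item in practice, and on a 12.2(55)SE image the only real fix is the one given in the thread: turn the HTTPS server off, or upgrade before relying on it.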

Leo Laohoo (Hall of Fame)

@macgyver0099_1 wrote:

12.2(55r)SE

That is not the IOS version but the bootstrap.  What is the exact IOS version?


@macgyver0099_1 wrote:

what else might need to be done


Upgrade the firmware of the switch.

boot system disk0:/asa983-16-smp-k8.bin
boot system disk0:/asa982-20-smp-k8.bin

This is for an ASA Firewall, not for a switch ...

Many apologies.  I was working on another issue while replying.  Here's an example of one IOS:


SW Version:  12.2(55)SE5

SW Image:     C2960S-UNIVERSALK9-M

Flash configuration:  c2960s-universalk9-mz.122-55.SE5

