As per the report generated by Infosec, my Cisco Prime is having CBC mode ciphers which may allow an attacker to recover the plaintext message from the ciphertext.
Can someone help me with how I can disable CBC and enable CTR or GCM ciphers in my Cisco Prime v3.2?
> Why not possible? These would be a solution for this. I just want to know the reason, marce.
- Summarizing: Cisco Prime is considered to be an appliance, albeit a virtual machine or a physical appliance. An appliance offers the services it was designed for but cannot be altered. That doesn't mean that it is not aware of security issues; it can evolve or become better, more security-aware, in newer versions. The task is then to analyze the problem versus the latest version of Prime and/or file a product enhancement request, if so desired. If the problem is urgent, a ticket can be opened at Cisco (TAC).
Look at this document:
4.3 Restrict Web GUI Ciphers The TOE evaluated configuration allows only ECDHE and DHE ciphers to be available from the Web GUI. To enable only ECDHE and DHE ciphers, the administrator must run this command:
admin# ncs run tls-server-ciphers tls-ecdhe tls-dhe
The ciphers will be restricted to this list below:
So you need the top ciphers setting?
Yes. I want to configure strong ciphers. Please find below the VA highlighted by my Infosec team.
"The SSH server is configured to support Cipher Block Chaining (CBC)
encryption. This may allow an attacker to recover the plaintext message
from the ciphertext.
Note that this plugin only checks for the options of the SSH server and
does not check for vulnerable software versions."
The document I referenced mentions:
Note: By default the TOE supports the following ciphersuites for the TLS client and is not configurable:
(same list as earlier post)
-> In 3.2 you cannot disable the CBC ciphers; they stay enabled!
So you can only pay attention that the client uses the GCM cipher, to prevent attackers from intercepting and "recovering the plaintext".
The CBC options remain available, but you must not use them,
just like having both Telnet and SSH enabled, but only using SSH!
- And for your further information, you can also list the available ciphers, whether weak or not, in this or subsequent Prime versions with:
% nmap --script ssl-enum-ciphers -p 443 cisco-prime
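The advice in the last reply is that the server keeps its CBC ciphers but the client must never negotiate them. The following is an added example (not from this thread, not Cisco's code) of how to turn a scan result into that client-side restriction: it parses the cipher names out of nmap ssl-enum-ciphers output, does the same for an SSH server's cipher list, sorts them into CBC versus CTR/AEAD (GCM, ChaCha20, CCM), and builds an ssh_config `Ciphers` line that leaves every CBC cipher out. Both the nmap output and the SSH cipher list embedded below are constructed samples, not output from a real Prime box; the function names are my own.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers -p 443` output.
# Not from a real scan; the suites are typical of a TLS 1.2 server that
# still offers CBC alongside GCM.
SAMPLE_NMAP_OUTPUT = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# Constructed SSH server cipher list, as it would appear in the server's
# KEXINIT (or in `nmap --script ssh2-enum-algos` output). Not a real box.
SAMPLE_SSH_CIPHERS = [
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-cbc", "3des-cbc", "aes256-cbc",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]

# IANA TLS suite names always start with TLS_ and use [A-Z0-9_]; the
# "TLSv1.2:" protocol header has no underscore, so it is not matched.
TLS_CIPHER_RE = re.compile(r"(TLS_[A-Z0-9_]+)")


def parse_nmap_tls_ciphers(output):
    """Return the TLS cipher suite names listed in ssl-enum-ciphers output."""
    return TLS_CIPHER_RE.findall(output)


def cipher_mode(name):
    """Classify a TLS suite name or an SSH cipher name by block-cipher mode.

    AEAD (GCM, ChaCha20-Poly1305, CCM) and CTR are what the thread calls the
    safe choices; CBC is what the scanner flagged; anything else (e.g. RC4)
    is reported as OTHER so it is never silently allowed.
    """
    n = name.upper()
    if "GCM" in n or "CHACHA20" in n or "CCM" in n:
        return "AEAD"
    if "CTR" in n:
        return "CTR"
    if "CBC" in n:
        return "CBC"
    return "OTHER"


def split_by_mode(names):
    """Group cipher names into the ones a client may use and the ones it must avoid."""
    groups = {"safe": [], "cbc": [], "other": []}
    for n in names:
        mode = cipher_mode(n)
        if mode in ("AEAD", "CTR"):
            groups["safe"].append(n)
        elif mode == "CBC":
            groups["cbc"].append(n)
        else:
            groups["other"].append(n)
    return groups


def ssh_client_ciphers_line(server_ciphers):
    """Build an ssh_config 'Ciphers' directive from what the server offers.

    Only AEAD and CTR ciphers are kept, AEAD first, so the client cannot
    negotiate CBC even though the server still advertises it.
    """
    keep = [c for c in server_ciphers if cipher_mode(c) in ("AEAD", "CTR")]
    keep.sort(key=lambda c: 0 if cipher_mode(c) == "AEAD" else 1)  # stable sort
    return "Ciphers " + ",".join(keep)


if __name__ == "__main__":
    tls = split_by_mode(parse_nmap_tls_ciphers(SAMPLE_NMAP_OUTPUT))
    print("TLS suites the client may use:", tls["safe"])
    print("TLS suites the client must avoid:", tls["cbc"])
    print("ssh_config line:", ssh_client_ciphers_line(SAMPLE_SSH_CIPHERS))
```

The `Ciphers` line goes into a `Host` block of the client's ssh_config for the Prime address, so the KEXINIT the client sends never lists a CBC cipher and the server's CBC entries can never be selected. Feeding the real scan output of the Prime box in place of the constructed sample gives the same split for its TLS side; which of those suites a browser or API client actually uses is then a client configuration question, which is the point the last reply makes.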