3671 Views, 0 Helpful, 7 Replies

how to enable CTR or GCM cipher mode encryption in cisco Prime

Mohammed Saleem
Level 1

Hi,

 

As per the report generated by infosec, my Cisco Prime has CBC mode ciphers, which may allow an attacker to recover the plaintext message from the ciphertext.

 

Can someone help me with how I can disable CBC and enable CTR or GCM ciphers in my Cisco Prime V3.2?

 

 

 

7 Replies

marce1000
VIP

 

 - Not possible, 

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Why not possible? These would be a solution for this. I just want to know the reason, marce.

 

>Why not possible? These would be a solution for this. I just want to know the reason, marce.

 - Summarizing: Cisco Prime is considered to be an appliance, albeit a virtual machine or a physical appliance. An appliance offers the services it was designed for but cannot be altered. That doesn't mean that it is not aware of security issues; it can evolve or become better, more security aware, in newer versions. The task is then to analyze the problem versus the latest version of Prime and/or file a product enhancement request, if so desired. If the problem is urgent, a ticket can be opened at Cisco (TAC).

M.




look at this document

Cisco Prime Infrastructure 3.2  Common Criteria Configuration Guide

 

4.3 Restrict Web GUI Ciphers

The TOE evaluated configuration allows only ECDHE and DHE ciphers to be available from the Web GUI. To enable only ECDHE and DHE ciphers, the administrator must run this command:

    admin# ncs run tls-server-ciphers tls-ecdhe tls-dhe

The ciphers will be restricted to this list below:

o TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
o TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
o TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
o TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
o TLS_DHE_RSA_WITH_AES_256_CBC_SHA
o TLS_DHE_RSA_WITH_AES_128_CBC_SHA
o TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
o TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

 

so you need the top ciphers setting?

Yes. I want to configure strong ciphers. Please find below the VA highlighted by my Infosec team.

"The SSH server is configured to support Cipher Block Chaining (CBC)
encryption. This may allow an attacker to recover the plaintext message
from the ciphertext.

Note that this plugin only checks for the options of the SSH server and
does not check for vulnerable software versions:

 

And suggest.
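The finding quoted above is about the SSH server's advertised cipher list, not about TLS, and the scanner text says it only looks at the options the server offers. The server announces those options in its SSH_MSG_KEXINIT packet (RFC 4253 section 7.1). The following is an added example, not code from the thread or from Cisco: it builds a constructed KEXINIT payload of the kind a server sends, parses the name-lists out of it, and reports which of the offered encryption algorithms are CBC modes, which is exactly the check behind the finding. The fetch_server_kexinit function does the same against a live host; the host name is a placeholder you would replace with your own appliance.

```python
"""Parse an SSH KEXINIT and list the CBC ciphers a server offers (added example)."""
import socket
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in KEXINIT, per RFC 4253 section 7.1.
NAMELIST_FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                   "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Assemble a KEXINIT payload from a dict of name-lists (used to construct a sample)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAMELIST_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    body += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=false, reserved=0
    return body


def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload as a dict of lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    pos = 1 + 16  # skip message id and the 16-byte cookie
    out = {}
    for field in NAMELIST_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        out[field] = raw.split(",") if raw else []
    return out


def cbc_ciphers(parsed):
    """CBC-mode algorithms offered in either direction; these are what the scanner flags."""
    offered = set(parsed["enc_c2s"]) | set(parsed["enc_s2c"])
    return sorted(name for name in offered if name.endswith("-cbc"))


def only_ctr_or_gcm(parsed):
    """True when every offered cipher is a CTR or GCM mode (the state the poster is asking for)."""
    offered = set(parsed["enc_c2s"]) | set(parsed["enc_s2c"])
    return all(name.endswith("-ctr") or "gcm" in name for name in offered)


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Connect, exchange identification strings and parse the server's first packet.
    Before key exchange the KEXINIT packet is sent in the clear and unpadded by any cipher."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-cipher_audit\r\n")
        buf = b""
        while True:  # the server's identification line may be preceded by banner text
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed before sending its identification")
            buf += chunk
            start = buf.find(b"SSH-")
            if start >= 0 and b"\n" in buf[start:]:
                break
        rest = buf[buf.index(b"\n", start) + 1:]

        def need(n):
            nonlocal rest
            while len(rest) < n:
                chunk = sock.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed before KEXINIT")
                rest += chunk

        # Binary packet: uint32 packet_length, byte padding_length, payload, padding.
        need(5)
        packet_length, padding_length = struct.unpack(">IB", rest[:5])
        need(4 + packet_length)
        payload = rest[5:4 + packet_length - padding_length]
        return parse_kexinit(payload)


# Constructed sample of what a server that still offers CBC might advertise.
SAMPLE_SERVER_KEXINIT = build_kexinit({
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa"],
    "enc_c2s": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc", "3des-cbc"],
    "enc_s2c": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc", "3des-cbc"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"],
    "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "comp_c2s": ["none"],
    "comp_s2c": ["none"],
})

if __name__ == "__main__":
    parsed = parse_kexinit(SAMPLE_SERVER_KEXINIT)
    print("CBC ciphers offered:", cbc_ciphers(parsed))
    print("CTR/GCM only:", only_ctr_or_gcm(parsed))
    # parsed = fetch_server_kexinit("cisco-prime.example.internal")  # placeholder host
```

Run against a real host, the output tells you whether the appliance still advertises CBC after an upgrade, which is the evidence to attach to a TAC case or an enhancement request; the parser only reads what the server volunteers before any authentication.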

The document I referenced mentions:

Note:  By default the TOE supports the following ciphersuites for the TLS client and is not configurable:

(same list as earlier post)

-> in 3.2 you cannot disable the CBC ciphers; they stay enabled!

So you can only make sure that the client uses the GCM cipher to prevent attackers from intercepting and "recovering the plaintext".

The CBC options remain available, but you must not use them,

just like having both telnet and ssh enabled, but only using ssh!
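The point above is that on 3.2 the fix lives on the client side: the server keeps offering the CBC suites, so the client has to be the one that refuses them. The following is an added example, not code from the thread or from Cisco. It classifies the eight suite names quoted from the Common Criteria guide by key exchange and cipher mode, and its negotiated_cipher function opens a TLS connection while offering only ECDHE/DHE AES-GCM suites, so a completed handshake proves the server will pick GCM whenever the client insists on it. The host name is a placeholder; certificate verification is switched off because appliance certificates are often self-signed, so verify the certificate by another route before trusting the result.

```python
"""Classify TLS suites and confirm a server negotiates AES-GCM with a strict client (added example)."""
import socket
import ssl

# The suite list quoted in this thread from the Prime Infrastructure 3.2 Common Criteria guide.
PRIME_32_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
]


def classify_suite(name):
    """Split an IANA-style suite name into key exchange, cipher mode and MAC."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not an IANA TLS suite name: {name}")
    kx_auth, bulk = name[4:].split("_WITH_", 1)
    kx = kx_auth.split("_")[0]           # ECDHE, DHE, RSA, ...
    parts = bulk.split("_")              # e.g. ["AES", "256", "GCM", "SHA384"]
    mode = "GCM" if "GCM" in parts else "CBC" if "CBC" in parts else "other"
    return {
        "name": name,
        "kx": kx,
        "mode": mode,
        "mac": parts[-1],
        "forward_secrecy": kx in ("ECDHE", "DHE"),
        "aead": mode == "GCM",           # GCM is authenticated encryption; CBC is not
    }


def cbc_suites(suites):
    """The suites a CBC-mode finding would flag."""
    return [s for s in suites if classify_suite(s)["mode"] == "CBC"]


def aead_suites(suites):
    """The suites a client should restrict itself to on 3.2, where CBC cannot be disabled."""
    return [s for s in suites if classify_suite(s)["aead"]]


def negotiated_cipher(host, port=443, aead_only=True, timeout=5.0):
    """Return the suite the server selects. With aead_only=True the client offers only
    ECDHE/DHE + AES-GCM (OpenSSL cipher-string syntax), so success means the server
    accepts a GCM-only client; failure means it would have fallen back to CBC."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE       # self-signed appliance cert; verify out of band
    if aead_only:
        ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")  # TLS 1.3 suites are all AEAD anyway
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()[0]        # OpenSSL name, e.g. ECDHE-RSA-AES256-GCM-SHA384


if __name__ == "__main__":
    for suite in PRIME_32_SUITES:
        info = classify_suite(suite)
        print(f"{suite:42} kx={info['kx']:5} mode={info['mode']} aead={info['aead']}")
    print("CBC suites still offered:", len(cbc_suites(PRIME_32_SUITES)))
    # print(negotiated_cipher("cisco-prime.example.internal"))  # placeholder host
```

The classification is the same split the guide's list implies: all eight suites give forward secrecy, but only the two GCM suites are authenticated encryption, so a browser or API client pinned to those two is what "only use the GCM cipher" means in practice.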

 

 - And for your further information, you can also list the available ciphers, albeit weak or not, in this or subsequent Prime versions with:

    %   nmap --script ssl-enum-ciphers -p 443 cisco-prime

M.


