02-10-2019 04:45 AM - edited 03-08-2019 05:18 PM
Hi,
As per the report generated by InfoSec, my Cisco Prime has CBC mode ciphers enabled, which may allow an attacker to recover the plaintext message from the ciphertext.
Can someone help me with how I can disable CBC and enable CTR or GCM ciphers in my Cisco Prime V3.2?
02-10-2019 05:26 AM
- Not possible,
M.
02-10-2019 08:05 AM
Why not possible? That would be a solution for this. I just want to know the reason, Marce.
02-11-2019 03:06 AM
> Why not possible? That would be a solution for this. I just want to know the reason, Marce.
- Summarizing: Cisco Prime is considered to be an appliance, albeit a virtual machine or a physical appliance. An appliance offers the services it was designed for but cannot be altered. That doesn't mean that it is not aware of security issues; it can evolve or become better, more security aware, in newer versions. The task is then to analyze the problem versus the latest version of Prime and/or file a product enhancement request, if so desired. If the problem is urgent, a ticket can be opened at Cisco (TAC).
M.
02-11-2019 11:30 PM - edited 02-11-2019 11:36 PM
Look at this document:
Cisco Prime Infrastructure 3.2 Common Criteria Configuration Guide
4.3 Restrict Web GUI Ciphers
The TOE evaluated configuration allows only ECDHE and DHE ciphers to be available from the Web GUI. To enable only ECDHE and DHE ciphers, the administrator must run this command:
admin# ncs run tls-server-ciphers tls-ecdhe tls-dhe
The ciphers will be restricted to this list below:
o TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
o TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
o TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
o TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
o TLS_DHE_RSA_WITH_AES_256_CBC_SHA
o TLS_DHE_RSA_WITH_AES_128_CBC_SHA
o TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
o TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
So you need the top ciphers setting?
02-12-2019 02:55 AM
Yes. I want to configure strong ciphers. Please find below the VA highlighted by my InfoSec team.
"The SSH server is configured to support Cipher Block Chaining (CBC)
encryption. This may allow an attacker to recover the plaintext message
from the ciphertext.
Note that this plugin only checks for the options of the SSH server and
does not check for vulnerable software versions."
And suggest.
02-12-2019 03:05 AM
The document I referenced mentions:
Note: By default the TOE supports the following ciphersuites for the TLS client and is not configurable:
(same list as earlier post)
-> In 3.2 you cannot disable the CBC ciphers; they stay enabled!
So you can only pay attention that the client uses the GCM cipher, to prevent attackers from intercepting and "recovering the plaintext".
The CBC options remain available, but you must not use them,
just like having both telnet and SSH enabled but only using SSH!
02-12-2019 03:08 AM
- And for your further information, you can also list the available ciphers, albeit weak or not, in this or subsequent Prime versions with:
% nmap --script ssl-enum-ciphers -p 443 cisco-prime
M.
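The cipher list quoted from the Common Criteria guide and the nmap command above both leave the reader to sort the offered ciphers by hand. The script below is an added example, not from this thread or from Cisco: it parses the text that nmap's ssl-enum-ciphers and ssh2-enum-algos scripts print and splits the offered ciphers into AEAD (GCM/CCM/ChaCha20-Poly1305), CBC, and other modes, and for TLS also flags suites without forward secrecy. The two nmap outputs embedded in it are constructed sample data, not captures from a real Prime host, so the suite names and counts are illustrative only.

```python
"""Sort the ciphers an nmap scan reports into AEAD / CBC / other.

Added example, not part of the forum thread or of Cisco Prime.  Both
scan outputs below are constructed samples that mimic the layout of the
nmap ssl-enum-ciphers and ssh2-enum-algos scripts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: what `nmap --script ssl-enum-ciphers -p 443 host` prints.
SAMPLE_TLS_SCAN = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# Constructed sample: what `nmap --script ssh2-enum-algos -p 22 host` prints.
SAMPLE_SSH_SCAN = """\
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha1
|   encryption_algorithms: (4)
|       aes128-ctr
|       aes256-ctr
|       aes128-cbc
|       3des-cbc
|   mac_algorithms: (2)
|       hmac-sha2-256
|_      hmac-sha1
"""

TLS_SUITE_RE = re.compile(r"\b(TLS_[A-Z0-9_]+)")
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")


@dataclass
class CipherReport:
    aead: List[str] = field(default_factory=list)
    cbc: List[str] = field(default_factory=list)
    other: List[str] = field(default_factory=list)   # e.g. SSH CTR ciphers
    no_forward_secrecy: List[str] = field(default_factory=list)  # TLS only


def classify_tls_suite(name: str) -> Tuple[str, bool]:
    """Return (mode, has_forward_secrecy) for an IANA-style TLS suite name."""
    upper = name.upper()
    if any(marker in upper for marker in AEAD_MARKERS):
        mode = "aead"
    elif "_CBC_" in upper:
        mode = "cbc"
    else:
        mode = "other"
    key_exchange = upper.split("_WITH_")[0]      # e.g. TLS_ECDHE_RSA
    # Ephemeral (EC)DHE gives forward secrecy; static RSA / ECDH does not.
    forward_secret = "ECDHE" in key_exchange or "DHE" in key_exchange
    return mode, forward_secret


def parse_tls_suites(nmap_output: str) -> List[str]:
    return TLS_SUITE_RE.findall(nmap_output)


def parse_ssh_ciphers(nmap_output: str) -> List[str]:
    """Collect the entries under 'encryption_algorithms:' in ssh2-enum-algos output."""
    ciphers, section = [], None
    for raw in nmap_output.splitlines():
        line = raw.lstrip("|_").strip()            # drop nmap's "| " / "|_" prefix
        header = re.match(r"^(\w+):", line)         # e.g. "mac_algorithms: (2)"
        if header:
            section = header.group(1)
        elif section == "encryption_algorithms" and line:
            ciphers.append(line)
    return ciphers


def audit_tls(nmap_output: str) -> CipherReport:
    report = CipherReport()
    for suite in parse_tls_suites(nmap_output):
        mode, forward_secret = classify_tls_suite(suite)
        getattr(report, mode).append(suite)
        if not forward_secret:
            report.no_forward_secrecy.append(suite)
    return report


def audit_ssh(nmap_output: str) -> CipherReport:
    report = CipherReport()
    for cipher in parse_ssh_ciphers(nmap_output):
        lower = cipher.lower()
        if "gcm" in lower or "poly1305" in lower:
            report.aead.append(cipher)
        elif lower.endswith("-cbc"):
            report.cbc.append(cipher)
        else:
            report.other.append(cipher)
    return report


if __name__ == "__main__":
    for label, report in (("TLS", audit_tls(SAMPLE_TLS_SCAN)),
                          ("SSH", audit_ssh(SAMPLE_SSH_SCAN))):
        print(f"{label}: AEAD={report.aead}\n     CBC={report.cbc}\n"
              f"     other={report.other}\n     no PFS={report.no_forward_secrecy}")
```

Feed it the real scan output (for example by reading the saved nmap text from a file) to get the same split for an actual Prime host. An empty `cbc` list is the condition the InfoSec finding asks for; while CBC stays offered server-side, the report at least shows whether an AEAD suite is available for clients to negotiate.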