cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
641
Views
0
Helpful
5
Replies

Security vulnerability issue in Nexue 9300

Leftz
Level 4
Level 4

Hi Nexus9300 has security vulnerability issue based on Qualys report. Please see the below. Looks like the issue is related with cipher and ssh. I tried to find commands to change it. but I cannot find it. Anyone has suggestion for this issue? Thank you

 

192.168.8.8 IP Cisco Nexus Switch host scanned, found vuln 38739 Deprecated SSH Cryptographic Settings Active Vuln 3 22 tcp 44738.85147 44920.84907 33 0 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 4.7 (E:U/RL:W/RC:UC) Asset Group: Network Devices - US Network Devices - 4050, Collateral Damage Potential: None, Target Distribution: None, Confidentiality Requirement: , Integrity Requirement: , Availability Requirement: 5.3 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) 5.3 (E:U/RL:W/RC:U) "Avoid using deprecated cryptographic settings.
Use best practices when configuring SSH.
Refer to Security of Interactive and Automated Access Management Using Secure Shell (SSH) (https://protect-us.mimecast.com/s/BQIdC1wvjMupN0D1UG9SYb?domain=csrc.nist.gov) .
Settings currently considered deprecated:
<DL>
<DT>Ciphers using CFB of OFB</DT>
<DD>Very uncommon, and deprecated because of weaknesses compared to newer cipher chaining modes such as CTR or GCM</DD>
<DT>RC4 cipher (arcfour, arcfour128, arcfour256)</DT>
<DD>The RC4 cipher has a cryptographic bias and is no longer considered secure</DD>
<DT>Ciphers with a 64-bit block size (DES, 3DES, Blowfish, IDEA, CAST)</DT>
<DD>Ciphers with a 64-bit block size may be vulnerable to birthday attacks (Sweet32)</DD>
<DT>Key exchange algorithms using DH group 1 (diffie-hellman-group1-sha1, gss-group1-sha1-*)</DT>
<DD>DH group 1 uses a 1024-bit key which is considered too short and vulnerable to Logjam-style attacks</DD>
<DT>Key exchange algorithm ""rsa1024sha1""</DT>
<DD>Very uncommon, and deprecated because of the short RSA key size</DD>
<DT>MAC algorithm ""umac-32""</DT>
<DD>Very uncommon, and deprecated because of the very short MAC length</DD>
<DT>Cipher ""none""</DT>
<DD>This is available only in SSHv1</DD>
</DL>" "Type Name
key exchange diffie-hellman-group1-sha1#" yes General remote services Network Devices - 

5 Replies 5

Reza Sharifi
Hall of Fame
Hall of Fame

Hi,

The article is from 2015. Contact Cisco, as I the vulnerability should have been addressed by now.

HTH

Leftz
Level 4
Level 4

Why cisco does not publish this kind of documnet


@Leftz wrote:
Why cisco does not publish this kind of documnet

Cisco Security Advisories

Leftz
Level 4
Level 4

its a good info. but I want to know how to disable lower version of tls in N9300. does cisco has this kind of documents? Thanks

I am not sure if you can find any public document from Cisco showing how to disable that. I think, the best course of action is to open a ticket and have Cisco figure this out. Sometimes, they have internal documents that can be helpful in resolving this type of issues. 

HTH

Review Cisco Networking for a $25 gift card