SSH vulnerability

teohkokwei
Beginner

Recently we have been warned by our security team about an SSH vulnerability detected on our Cisco devices (Cisco Catalyst 2960, 3560) using McAfee Foundstone.

Our SSH version is 2.0 and we did change the RSA key to 2048, but the result is still the same.

McAfee Foundstone result as below:

Vulnerability ID: 2363

Vulnerability Name: SSH2 Weak Key Exchange Algorithm

Common Vulnerabilities Exposures (CVE) ID : CVE-MAP-NOMATCH

Recommendation: The server should be configured not to support the diffie-hellman-group1-sha1 algorithm if possible. Consult your vendor's documentation.

Could anyone please advise how to remediate this vulnerability?

5 REPLIES

sathish s
Beginner

Hi teohkokwei,

We have a similar issue with SSH in our network. Could you please let me know the action taken to overcome this problem?

Thx/SS

ALIAOF_
Frequent Contributor

I think in a situation like this best practices come in handy such as:

- Making sure SSH v2 is enabled

- Using 2048 instead of 1024

- Using ACLs for management SSH access

- Using central authentication and logging such as "TACACS+ or RADIUS"

- Syslog server

Good list, I would add specifying the ssh source address as well.


--
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/


Hi Ali,

Thanks for the quick response. Let me explain my scenario. I have configured SSHv2 (the points mentioned are covered) and it's working properly, but my doubt is when the RSA keys will be exchanged and when the Diffie-Hellman keys are exchanged.

This is what made me think about it: I have enabled SSH event logging, but I am getting these in the log buffer:

Jan  28 03:16:39.245 IST: %SSH-5-SSH2_CLOSE: SSH2 Session from x.x.x.x (tty =  0) for user 'ABC' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1'  closed

Jan  28 12:16:15.045 IST: %SSH-5-SSH2_SESSION: SSH2 Session request from  x.x.x.x (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1'  Succeeded

Jan  28 12:16:15.261 IST: %SSH-5-SSH2_USERAUTH: User 'ABC' authentication  for SSH2 Session from x.x.x.x (tty = 0) using crypto cipher  'aes128-cbc', hmac 'hmac-sha1' Succeeded

Jan  28 03:16:39.245 IST: %SSH-5-SSH2_CLOSE: SSH2 Session from x.x.x.x (tty =  0) for user 'ABC' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1'  closed

So as per the log message it's using 'aes128-cbc', hmac 'hmac-sha1', which means it's using DH keys... then to test

I removed the RSA keys (crypto key zeroize rsa) but SSH was disabled as expected, so... I think SSHv2 is using RSA, but is it using DH also?

I am not able to understand the sequence .....

Brenda Brown
Beginner

Did anyone have a solution to this issue?
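
An added example, not part of any post in this thread: in SSH-2 each side sends an SSH_MSG_KEXINIT message (RFC 4253, section 7.1) that lists key exchange methods, host key algorithms, ciphers and MACs as separate name-lists, and the scanner finding above concerns only the first list. The sketch below parses such a payload and reports whether diffie-hellman-group1-sha1 is offered; the function names, the short field labels and the sample payload are assumptions made for illustration.

```python
import struct
# RFC 4253 section 7.1: the ten name-lists in SSH_MSG_KEXINIT, in wire order.
FIELDS = ["kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c"]
SSH_MSG_KEXINIT = 20
WEAK_KEX = {"diffie-hellman-group1-sha1"}  # algorithm named in the scanner finding

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload (binary packet framing already removed)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}  # skip message type (1 byte) and random cookie (16 bytes)
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError(f"truncated before {name}")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError(f"name-list {name} overruns payload")
        raw = payload[pos:pos + length].decode("ascii")
        out[name] = raw.split(",") if raw else []
        pos += length
    return out

def weak_kex_offered(payload: bytes) -> list:
    """Return the weak key exchange algorithms the peer advertises."""
    return [a for a in parse_kexinit(payload)["kex_algorithms"] if a in WEAK_KEX]

def build_kexinit(lists: dict) -> bytes:
    """Build a sample payload for the demo (all-zero cookie, hypothetical helper)."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed sample (not captured from a device); the group14 entry is an assumption.
SAMPLE = build_kexinit({
    "kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_c2s": ["aes128-cbc"], "encryption_s2c": ["aes128-cbc"],
    "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"],
    "compression_c2s": ["none"], "compression_s2c": ["none"],
})

if __name__ == "__main__":
    print(parse_kexinit(SAMPLE))
    print("weak kex offered:", weak_kex_offered(SAMPLE))
```

In the constructed sample the RSA host key algorithm, the aes128-cbc cipher and the hmac-sha1 MAC each sit in their own list, so changing the RSA key size leaves the advertised key exchange list untouched.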
