Did anyone have a solution to

teohkokwei · ‎09-28-2011

Recently we have been warn by our security team for a SSH vulnerability been detected on our Cisco devices (Cisco catalyst 2960, 3560) using McAfee Foundstone.

Our ssh version is 2.0 and we did change the RSA key to 2048 but then the result still the same.

McAfee Foundstone result as below:

Vulnerability ID: 2363

Vulnerability Name: SSH2 Weak Key Exchange Algorithm

Common Vulnerabilities Exposures (CVE) ID : CVE-MAP-NOMATCH

Recommendation:The server should be configured not to support the diffie-hellman-group1-sha1 algorithm if possible. Consult your vendor's documentation.

Anyone could you please advise how to remediate this vulnerabilities

sathish s · ‎12-20-2012

Hi teohkokwei ,

we have a similiar issue with ssh in our network could you please let me know the action taken to overcome this prblm..

Thx/SS

ALIAOF_ · ‎12-20-2012

I think in a situation like this best practices come in handy such as:

- Making sure SSH v2 is enabled

- Using 2048 instead of 1024

- Using ACL's for management SSH access

- Using central authentication and logging such as "TACACS+ or RADIUS"

- Syslog server

SOcchiogrosso · ‎12-20-2012

Good list, I would add specifying the ssh source address as well.

--
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/

sathish s · ‎12-20-2012

Hi Ali,

Thanks for the quick response , let me explain my scenario . I have configured SSHv2 (points mentioned are covered )and its working properly . but my doubt is when these RSA will be exchanged and when diffie hellman keys exchanged.

This is what made me think about it . .. I have enabled ssh events logging but i am getting these in the log buffer

Jan 28 03:16:39.245 IST: %SSH-5-SSH2_CLOSE: SSH2 Session from x.x.x.x (tty = 0) for user 'ABC' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' closed

Jan 28 12:16:15.045 IST: %SSH-5-SSH2_SESSION: SSH2 Session request from x.x.x.x (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded

Jan 28 12:16:15.261 IST: %SSH-5-SSH2_USERAUTH: User 'ABC' authentication for SSH2 Session from x.x.x.x (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded

Jan 28 03:16:39.245 IST: %SSH-5-SSH2_CLOSE: SSH2 Session from x.x.x.x (tty = 0) for user 'ABC' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' closed

so as per the log message its using 'aes128-cbc', hmac 'hmac-sha1' that means its using DH keys ...then to test

I removed RSA keys ( crypto key zerioze rsa) but SSH was disabled as expected so ... I think SSHv2 using RSA but is it using DH also ?

I am not able to understand the sequence .....

Brenda Brown · ‎06-24-2014

Did anyone have a solution to this issue?

Network713 · ‎11-16-2022

Make sure you can open another ssh session into your device after you put the command in so you don't lock yourself out.

ip ssh serv alg kex diffie-hellman-group14-sha1

Reccomend to do this also:
ip ssh time-out 15
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm mac hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr