cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6157
Views
5
Helpful
6
Replies

SSH vulnerability

teohkokwei
Level 1
Level 1

Recently we have been warn by our security team for a SSH vulnerability been detected on our Cisco devices (Cisco catalyst 2960, 3560) using McAfee Foundstone.

Our ssh version is 2.0 and we did change the RSA key to 2048 but then the result still the same.

McAfee Foundstone result as below:

Vulnerability ID: 2363

Vulnerability Name: SSH2 Weak Key Exchange Algorithm

Common Vulnerabilities Exposures (CVE) ID : CVE-MAP-NOMATCH

Recommendation:The server should be configured not to support the diffie-hellman-group1-sha1 algorithm if possible. Consult your vendor's documentation.

Anyone could you please advise how to remediate this vulnerabilities

6 Replies 6

sathish s
Level 1
Level 1

Hi teohkokwei ,

we have a similiar issue with ssh in our network could you please let me know the action taken to overcome this prblm..

Thx/SS

ALIAOF_
Level 6
Level 6

I think in a situation like this best practices come in handy such as:

- Making sure SSH v2 is enabled

- Using 2048 instead of 1024

- Using ACL's for management SSH access

- Using central authentication and logging such as "TACACS+ or RADIUS"

- Syslog server

Good list, I would add specifying the ssh source address as well.


--
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/

Hi Ali,

Thanks for the quick response , let me explain my scenario . I have configured SSHv2 (points mentioned are covered )and its working properly . but my doubt is when these RSA will be exchanged and when diffie hellman keys exchanged.

This is what made me think about it . .. I have enabled ssh events logging but i am getting these in the log buffer

Jan  28 03:16:39.245 IST: %SSH-5-SSH2_CLOSE: SSH2 Session from x.x.x.x (tty =  0) for user 'ABC' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1'  closed

Jan  28 12:16:15.045 IST: %SSH-5-SSH2_SESSION: SSH2 Session request from  x.x.x.x (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1'  Succeeded

Jan  28 12:16:15.261 IST: %SSH-5-SSH2_USERAUTH: User 'ABC' authentication  for SSH2 Session from x.x.x.x (tty = 0) using crypto cipher  'aes128-cbc', hmac 'hmac-sha1' Succeeded

Jan  28 03:16:39.245 IST: %SSH-5-SSH2_CLOSE: SSH2 Session from x.x.x.x (tty =  0) for user 'ABC' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1'  closed

so as per the log message its using  'aes128-cbc', hmac 'hmac-sha1'   that means its using DH keys ...then to test

I removed RSA keys ( crypto key zerioze rsa) but SSH was disabled as expected so ... I think SSHv2 using RSA but is it using DH also ?

I am not able to understand the sequence .....

Brenda Brown
Level 1
Level 1

Did anyone have a solution to this issue?

Network713
Level 1
Level 1

Make sure you can open another ssh session into your device after you put the command in so you don't lock yourself out.

ip ssh serv alg kex diffie-hellman-group14-sha1

Reccomend to do this also:
ip ssh time-out 15
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm mac hmac-sha2-256   
ip ssh server algorithm encryption aes256-ctr

Review Cisco Networking for a $25 gift card