cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
673
Views
4
Helpful
4
Replies

Vulnerability Assessment SSLV3 Poodle attack

haydn.tickner5
Level 1
Level 1

Hi All

 

I am way out of my depth on this one, We have had a Vulnerability Assessment done with a result coming back that we have SSLv3 enabled, which also supports weak encryption and also vulnerable to POODLE attack. And finally a TLS protocol session renegotiation security vulnerability.

 

Now I'm using a Cisco WS-2960-s running 12.2.(58)SE2, now I understand that there is a new update for this device however I'm unaware how to find out in my config how SSLV is enabled and what are the consequences for moving to TLS1.2. Now we do have HTTP disabled and HTTPS enabled. 

 

During my investigation I can the latest update which is 15.0.2-SE8 which is available and providing I'm under the right section I have found this from the CISCO site saying that 15.0.2-SE8 is a listed "known fixed release" https://tools.cisco.com/bugsearch/bug/CSCur23656

 

Is anyone able to advise or post any information on my situation? 

4 Replies 4

It's not only that newer releases include fixes for this vulnerability, with the actual software you can also make sure that no older unsecure crypto is used:

switch(config)#ip http secure-ciphersuite ?
  3des-ede-cbc-sha     Encryption type tls_rsa_with_3des_ede_cbc_sha ciphersuite
  aes-128-cbc-sha      Encryption type tls_rsa_with_aes_cbc_128_sha ciphersuite
  aes-256-cbc-sha      Encryption type tls_rsa_with_aes_cbc_256_sha ciphersuite
  des-cbc-sha          Encryption type tls_rsa_with_des_cbc_sha ciphersuite
  dhe-aes-128-cbc-sha  Encryption type tls_dhe_rsa_with_aes_128_cbc_sha ciphersuite
  dhe-aes-256-cbc-sha  Encryption type tls_dhe_rsa_with_aes_256_cbc_sha ciphersuite
  rc4-128-md5          Encryption type tls_rsa_with_rc4_128_md5 ciphersuite
  rc4-128-sha          Encryption type tls_rsa_with_rc4_128_sha ciphersuite

Here you can make sure that no DES/RC4 and perhaps also no 3DES is included.

Hi, thanks for the post that command had really helped could not find what I was looking for command wise, when you it will fix the issues will this do this automatically to use TLS1.2 or is there further steps I need to take to enable TLS1.2? Never done this before, sorry.

I'm not yet aware of a way to force TLS1.2. Sadly, Cisco is/was quite slow in adapting TLS1.2.

Hi thanks for the response much appreciated.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: