I am way out of my depth on this one. We have had a vulnerability assessment done, with a result coming back that we have SSLv3 enabled, which also supports weak encryption and is also vulnerable to the POODLE attack. And finally, a TLS protocol session renegotiation security vulnerability.
Now, I'm using a Cisco WS-2960-S running 12.2(58)SE2. I understand that there is a new update for this device; however, I'm unaware how to find out in my config how SSLv3 is enabled, and what the consequences are of moving to TLS 1.2. We do have HTTP disabled and HTTPS enabled.
During my investigation I can see that the latest update, which is 15.0.2-SE8, is available, and, providing I'm in the right section, I have found this on the Cisco site saying that 15.0.2-SE8 is a listed "known fixed release": https://tools.cisco.com/bugsearch/bug/CSCur23656
Is anyone able to advise or post any information on my situation?
It's not only that newer releases include fixes for this vulnerability; with the current software you can also make sure that no older, insecure crypto is used:

    switch(config)#ip http secure-ciphersuite ?
      3des-ede-cbc-sha     Encryption type tls_rsa_with_3des_ede_cbc_sha ciphersuite
      aes-128-cbc-sha      Encryption type tls_rsa_with_aes_cbc_128_sha ciphersuite
      aes-256-cbc-sha      Encryption type tls_rsa_with_aes_cbc_256_sha ciphersuite
      des-cbc-sha          Encryption type tls_rsa_with_des_cbc_sha ciphersuite
      dhe-aes-128-cbc-sha  Encryption type tls_dhe_rsa_with_aes_128_cbc_sha ciphersuite
      dhe-aes-256-cbc-sha  Encryption type tls_dhe_rsa_with_aes_256_cbc_sha ciphersuite
      rc4-128-md5          Encryption type tls_rsa_with_rc4_128_md5 ciphersuite
      rc4-128-sha          Encryption type tls_rsa_with_rc4_128_sha ciphersuite

Here you can make sure that no DES/RC4, and perhaps also no 3DES, is included.
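As an added example (not part of this thread and not Cisco code), the following script lints a `show running-config` excerpt for the `ip http secure-ciphersuite` line and reports which of the keywords from the help output above are weak (DES, RC4 and 3DES, per the answer). It assumes the command takes the suites as space-separated keywords on one line, and that when the line is absent the image's whole supported list may be offered; the sample config is constructed for the example. It checks the cipher list only, not which protocol versions the HTTPS server offers.

```python
"""Lint a Cisco IOS running-config excerpt for weak HTTPS cipher suites.

Example code written for this thread, not Cisco's. The keyword names are
the ones shown by 'ip http secure-ciphersuite ?' above; the weak/ok
classification follows the answer (drop DES and RC4, and also 3DES).
"""
import re

# Keywords exactly as listed by 'ip http secure-ciphersuite ?' on the switch.
KNOWN_SUITES = {
    "3des-ede-cbc-sha": "weak",     # 64-bit block cipher
    "aes-128-cbc-sha": "ok",
    "aes-256-cbc-sha": "ok",
    "des-cbc-sha": "weak",          # 56-bit key
    "dhe-aes-128-cbc-sha": "ok",
    "dhe-aes-256-cbc-sha": "ok",
    "rc4-128-md5": "weak",          # RC4 stream cipher, MD5 MAC
    "rc4-128-sha": "weak",          # RC4 stream cipher
}

# Constructed sample: HTTP off, HTTPS on, and a cipher list that still
# carries RC4, DES and 3DES alongside AES.
SAMPLE_CONFIG = """\
hostname sw-core
!
no ip http server
ip http secure-server
ip http secure-ciphersuite rc4-128-sha des-cbc-sha 3des-ede-cbc-sha aes-128-cbc-sha
!
"""


def parse_ciphersuites(config):
    """Return the keywords on the 'ip http secure-ciphersuite' line, or None
    if the line is absent (assumption: then the image's whole list applies)."""
    for line in config.splitlines():
        m = re.match(r"^\s*ip http secure-ciphersuite\s+(.+?)\s*$", line)
        if m:
            return m.group(1).split()
    return None


def lint(config):
    """Classify the configured suites and propose a hardened command line."""
    suites = parse_ciphersuites(config)
    https_on = re.search(r"^\s*ip http secure-server\s*$", config, re.M) is not None
    result = {"https_enabled": https_on, "configured": suites, "weak": [], "unknown": []}

    if suites is None:
        # No explicit list: assume every suite the image knows may be offered.
        result["weak"] = [s for s, c in KNOWN_SUITES.items() if c == "weak"]
    else:
        for s in suites:
            cls = KNOWN_SUITES.get(s)
            if cls is None:
                result["unknown"].append(s)   # keyword not in the help output above
            elif cls == "weak":
                result["weak"].append(s)

    # Only the AES suites survive; DHE variants give forward secrecy.
    strong = [s for s, c in KNOWN_SUITES.items() if c == "ok"]
    result["fix"] = ("ip http secure-ciphersuite " + " ".join(strong)) if result["weak"] else None
    return result


if __name__ == "__main__":
    report = lint(SAMPLE_CONFIG)
    print("HTTPS enabled:", report["https_enabled"])
    print("weak suites  :", ", ".join(report["weak"]) or "none")
    if report["fix"]:
        print("suggested    :", report["fix"])
```

Paste the real `show running-config | include ip http` output in place of the sample; a `fix` of `None` means only the AES suites are configured. Re-run the scanner afterwards, since this only reads the configuration and does not talk to the switch.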
Hi, thanks for the post; that command really helped, as I could not find what I was looking for command-wise. Once it fixes the issues, will this automatically use TLS 1.2, or are there further steps I need to take to enable TLS 1.2? Never done this before, sorry.
I'm not yet aware of a way to force TLS 1.2. Sadly, Cisco is/was quite slow in adopting TLS 1.2.