Vulnerability issue in 3750v2 switch

Tarun Vyas
Level 1

In an audit observation a vulnerability issue was found, and I need to resolve it.

Switch Model : WS-C3750V2-24TS

Switch Version : c3750-ipservicesk9-mz.150-2.SE11.bin

Vulnerability : Nessus Plugin ID:71049   (Disable MD5 and 96-bit MAC algorithms)

https://www.tenable.com/plugins/nessus/71049

Vulnerability : Nessus Plugin ID:70658   (Enable CTR or GCM cipher mode)

https://www.tenable.com/plugins/nessus/70658

Can you give me the proper command to resolve the issue? Please provide the command that is supported on the 3750V2 switch.

```
HOST_NAME# show ssh
*Mar 1 05:35:37 IST: %SYS-5-CONFIG_I: Configured from console by xyz_usrnm on console
Connection Version Mode Encryption  Hmac       State            Username
      0    2.0     IN   aes256-cbc  hmac-sha1  Session started  xyz_usrnm
      0    2.0     OUT  aes256-cbc  hmac-sha1  Session started  xyz_usrnm
%No SSHv1 server connections running.
```
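The two Nessus findings are about what the SSH server *offers*, not only what one session negotiated: `show ssh` lists the cipher and MAC a particular client agreed on (here aes256-cbc and hmac-sha1, which already trips 70658 but not 71049), while the scanner reads the server's full algorithm lists from its SSH_MSG_KEXINIT. The following Python is an added example, not Cisco's or Tenable's code; it applies the two plugins' criteria (MD5 or 96-bit MACs for 71049, CBC ciphers for 70658) both to a constructed KEXINIT-style algorithm list and to `show ssh` output in the format quoted above. The sample inputs and the `SAMPLE_*` names are constructed for the example.

```python
"""Check SSH algorithm choices against the two Nessus findings from the post:
71049 (MD5 / 96-bit MACs) and 70658 (CBC ciphers instead of CTR or GCM).
Added example, not Cisco's or Tenable's code. All inputs are constructed."""
import re

# Constructed sample in the format of the "show ssh" output quoted in the post.
SAMPLE_SHOW_SSH = """\
Connection Version Mode Encryption  Hmac       State            Username
      0    2.0     IN   aes256-cbc  hmac-sha1  Session started  xyz_usrnm
      0    2.0     OUT  aes256-cbc  hmac-sha1  Session started  xyz_usrnm
%No SSHv1 server connections running.
"""

# Constructed samples of the algorithm lists a server advertises in SSH_MSG_KEXINIT,
# i.e. what a scanner inspects. A session listing only shows what one client picked.
SAMPLE_KEXINIT_WEAK = {
    "encryption": ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "mac": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
}
SAMPLE_KEXINIT_HARDENED = {
    "encryption": ["aes256-ctr", "aes128-gcm@openssh.com"],
    "mac": ["hmac-sha2-256", "hmac-sha1"],
}


def mac_is_weak(name: str) -> bool:
    """Nessus 71049: any MD5-based MAC, or any MAC with a 96-bit truncated tag."""
    n = name.lower()
    return "md5" in n or n.endswith("-96")


def cipher_is_weak(name: str) -> bool:
    """Nessus 70658: CBC-mode ciphers; CTR and GCM modes are the accepted ones."""
    return name.lower().endswith("-cbc")


def audit_algorithms(offered: dict) -> dict:
    """Map Nessus plugin ID -> offending algorithm names; an empty dict means clean."""
    findings = {}
    weak_macs = [m for m in offered.get("mac", []) if mac_is_weak(m)]
    weak_ciphers = [c for c in offered.get("encryption", []) if cipher_is_weak(c)]
    if weak_macs:
        findings["71049"] = weak_macs
    if weak_ciphers:
        findings["70658"] = weak_ciphers
    return findings


# One session row: conn, version, IN/OUT, cipher, mac, state (may contain single
# spaces), then two or more spaces before the username.
SESSION_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(IN|OUT)\s+(\S+)\s+(\S+)\s+(.*?)\s{2,}(\S+)\s*$"
)


def parse_show_ssh(text: str) -> list:
    """Parse session rows out of 'show ssh' output; header and status lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        conn, version, mode, enc, mac, state, user = m.groups()
        sessions.append({"connection": int(conn), "version": version, "mode": mode,
                         "encryption": enc, "mac": mac, "state": state, "user": user})
    return sessions


def audit_show_ssh(text: str) -> list:
    """Return (mode, user, findings) for each live session using a flagged algorithm."""
    flagged = []
    for s in parse_show_ssh(text):
        f = audit_algorithms({"encryption": [s["encryption"]], "mac": [s["mac"]]})
        if f:
            flagged.append((s["mode"], s["user"], f))
    return flagged


if __name__ == "__main__":
    print("KEXINIT (weak):", audit_algorithms(SAMPLE_KEXINIT_WEAK))
    print("KEXINIT (hardened):", audit_algorithms(SAMPLE_KEXINIT_HARDENED))
    for mode, user, f in audit_show_ssh(SAMPLE_SHOW_SSH):
        print(f"session {mode} by {user}: {f}")
```

Run against the quoted session table, both sessions are flagged for 70658 only, which matches the audit: the client picked hmac-sha1 (not a 96-bit MAC), but it was still offered a CBC cipher. On IOS releases that have the feature, the server-side lists are restricted with `ip ssh server algorithm encryption aes256-ctr` and `ip ssh server algorithm mac hmac-sha1`; the rest of this thread is about the release on this switch not accepting those commands.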

4 Replies

Seb Rupik
VIP Alumni

Hi there,

Try explicitly setting the SSH ciphers (in config mode):

```
ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes256-ctr
```

cheers,

Seb.

I have already tried the given command earlier, but it is not taking.

```
HOST-NAME(config)#ip ssh ?
  authentication-retries  Specify number of authentication retries
  break-string            break-string
  dh                      Diffie-Hellman
  dscp                    IP DSCP value for SSH traffic
  logging                 Configure logging for SSH
  maxstartups             Maximum concurrent sessions allowed
  port                    Starting (or only) Port number to listen on
  precedence              IP Precedence value for SSH traffic
  pubkey-chain            pubkey-chain
  rekey                   Configure rekey values
  rsa                     Configure RSA keypair name for SSH
  source-interface        Specify interface for source address in SSH connections
  stricthostkeycheck      Enable SSH Server Authentication
  time-out                Specify SSH time-out interval
  version                 Specify protocol version to be supported
```

Hi,

You won't get the option to disable those ciphers on that switch. You can either upgrade to a newer switch or configure access lists to restrict management access to trusted hosts. The 3750 is end of life, and I don't think there will be any more software fixes for the switch.

Thanks

John

**Please rate posts you find helpful**

Yes, this is the latest version; I have upgraded to it. Is there any way to confirm this, so I can show the customer that this switch does not support CTR?
