07-12-2019 12:55 PM
An audit observation found a vulnerability issue, and I need to resolve it.
Switch Model : WS-C3750V2-24TS
Switch Version : c3750-ipservicesk9-mz.150-2.SE11.bin
Vulnerability : Nessus Plugin ID:71049 (Disable MD5 and 96-bit MAC algorithms)
https://www.tenable.com/plugins/nessus/71049
Vulnerability : Nessus Plugin ID:70658 (Enable CTR or GCM cipher mode)
https://www.tenable.com/plugins/nessus/70658
Can you give me the proper command to resolve the issue? Please provide a command that the 3750V2 switch supports.
HOST_NAME# show ssh
*Mar 1 05:35:37 IST: %SYS-5-CONFIG_I: Configured from console by xyz_usrnm on console
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-cbc hmac-sha1 Session started xyz_usrnm
0 2.0 OUT aes256-cbc hmac-sha1 Session started xyz_usrnm
%No SSHv1 server connections running.
07-12-2019 02:09 PM
Hi there,
Try explicitly setting the SSH ciphers (in config mode):
ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes256-ctr
cheers,
Seb.
07-12-2019 09:41 PM
I have already tried the given command earlier, but it is not accepted.
HOST-NAME(config)#ip ssh ?
authentication-retries Specify number of authentication retries
break-string break-string
dh Diffie-Hellman
dscp IP DSCP value for SSH traffic
logging Configure logging for SSH
maxstartups Maximum concurrent sessions allowed
port Starting (or only) Port number to listen on
precedence IP Precedence value for SSH traffic
pubkey-chain pubkey-chain
rekey Configure rekey values
rsa Configure RSA keypair name for SSH
source-interface Specify interface for source address in SSH connections
stricthostkeycheck Enable SSH Server Authentication
time-out Specify SSH time-out interval
version Specify protocol version to be supported
07-14-2019 04:10 PM
Hi,
You won't get the option to disable those ciphers on that switch. You can either upgrade to a newer switch or configure access lists to restrict management access to trusted hosts. The 3750 is end-of-life, and I don't think there will be any more software fixes for the switch.
Thanks
John
07-14-2019 08:05 PM
Yes, this is the latest version; I have upgraded to it. Is there any way to confirm this, so I can show the customer that this switch does not support CTR?
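One way to produce that evidence, as an added example that is not part of the thread and not a Cisco or Tenable tool: read the KEXINIT message the switch sends at the start of every SSH connection. The cipher and MAC name-lists in that message are exactly what Nessus plugins 71049 and 70658 inspect, so a dump of them shows the customer what the device can and cannot offer. The script below parses a KEXINIT (RFC 4253 packet format), flags MD5 and 96-bit MACs and CBC-only cipher lists, and can be pointed at a live host. The two sample name-lists are constructed for the demo; the thread only shows the negotiated aes256-cbc/hmac-sha1 session, not the full list the switch offers.

```python
"""Enumerate an SSH server's advertised ciphers and MACs from its KEXINIT.

Added example, not from the thread. Offline it parses a constructed KEXINIT;
with a host argument it connects and reads the real one (port 22 assumed).
"""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in a KEXINIT payload (RFC 4253 section 7.1).
NAMELIST_FIELDS = (
    "kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)

# Constructed sample: the kind of offer a server gets flagged for (CBC only,
# MD5 and 96-bit truncated MACs). Not captured from the switch in the thread.
SAMPLE_FLAGGED = {
    "kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa"],
    "enc_c2s": ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "enc_s2c": ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "mac_c2s": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
    "mac_s2c": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
# Constructed sample of an offer that passes both checks.
SAMPLE_FIXED = dict(SAMPLE_FLAGGED,
                    enc_c2s=["aes256-ctr", "aes192-ctr", "aes128-ctr"],
                    enc_s2c=["aes256-ctr", "aes192-ctr", "aes128-ctr"],
                    mac_c2s=["hmac-sha1"], mac_s2c=["hmac-sha1"])


def build_kexinit(fields):
    """Encode name-lists into an unencrypted SSH binary packet carrying KEXINIT."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # 16-byte cookie, zeroed here
    for name in NAMELIST_FIELDS:
        lst = ",".join(fields.get(name, [])).encode()
        payload += struct.pack(">I", len(lst)) + lst
    payload += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved
    # Total length (4 + 1 + payload + padding) must be a multiple of 8, padding >= 4.
    pad = 8 - ((5 + len(payload)) % 8)
    if pad < 4:
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad


def parse_kexinit(packet):
    """Return the ten name-lists from a raw KEXINIT packet as a dict of lists."""
    packet_len, pad_len = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + packet_len - 1 - pad_len]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message (type %d)" % payload[0])
    off = 17  # skip message type and cookie
    fields = {}
    for name in NAMELIST_FIELDS:
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        raw = payload[off:off + n].decode("ascii")
        off += n
        fields[name] = raw.split(",") if raw else []
    return fields


def weak_algorithms(fields):
    """Apply the two checks from the thread: 71049 (MD5 / 96-bit MACs) and 70658 (no CTR/GCM)."""
    macs = set(fields["mac_c2s"]) | set(fields["mac_s2c"])
    encs = set(fields["enc_c2s"]) | set(fields["enc_s2c"])
    return {
        "weak_macs": sorted(m for m in macs if "md5" in m or m.endswith("-96")),
        "cbc_ciphers": sorted(c for c in encs if c.endswith("-cbc")),
        "ctr_or_gcm_offered": any("-ctr" in c or "gcm" in c for c in encs),
    }


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Live probe: finish the version exchange, then return the server's first packet."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        while True:  # skip any banner lines before the SSH-2.0 identification
            line = f.readline()
            if not line or line.startswith(b"SSH-"):
                break
        s.sendall(b"SSH-2.0-kexinit_probe\r\n")
        header = f.read(5)
        packet_len, _ = struct.unpack(">IB", header)
        return header + f.read(packet_len - 1)


if __name__ == "__main__":
    packet = fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1 else build_kexinit(SAMPLE_FLAGGED)
    fields = parse_kexinit(packet)
    print("ciphers:", fields["enc_s2c"])
    print("macs:   ", fields["mac_s2c"])
    print("findings:", weak_algorithms(fields))
```

Run it with the switch's management address as the argument and attach the printed cipher and MAC lists to the audit response; if no `-ctr` or `gcm` name appears in the offer, the device cannot negotiate those modes regardless of client settings, which is the point the customer needs to see. The `weak_algorithms` rule of thumb (MD5 anywhere in the name, or a `-96` suffix, or a `-cbc` suffix) is this example's own simplification of the two plugins, not Tenable's code.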