cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1137
Views
0
Helpful
4
Replies

Vulnerability issue in 3750v2 switch

Tarun Vyas
Beginner
Beginner

In audit observation find Vulnerability issue and need to resolve this.

Switch Model : WS-C3750V2-24TS

Switch Version : c3750-ipservicesk9-mz.150-2.SE11.bin

Vulnerability : Nessus Plugin ID:71049   (Disable MD5 and 96-bit MAC algorithms)

https://www.tenable.com/plugins/nessus/71049

Vulnerability : Nessus Plugin ID:70658   (Enable CTR or GCM cipher mode)

https://www.tenable.com/plugins/nessus/70658

Can you give me proper command to resolve the issue. please provide the command support 3750V2 switch.

 

HOST_NAME# show ssh
*Mar 1 05:35:37 IST: %SYS-5-CONFIG_I: Configured from console by xyz_usrnm on console
Connection Version   Mode       Encryption        Hmac                 State                   Username
      0             2.0         IN         aes256-cbc    hmac-sha1     Session started         xyz_usrnm
      0             2.0        OUT      aes256-cbc    hmac-sha1     Session started         xyz_usrnm
%No SSHv1 server connections running.

4 Replies 4

Seb Rupik
VIP Advisor VIP Advisor
VIP Advisor

Hi there,

Try explicitly setting the SSH ciphers (in config mode):

ip ssh server algorithm encryption mac hmac-sha1
ip ssh server algorithm encryption aes-265-ctr

cheers,

Seb.

Given command already I have tried it earlier but it is not taking.

 

HOST-NAME(config)#ip ssh ?
authentication-retries      Specify number of authentication retries
break-string                    break-string
dh                                  Diffie-Hellman
dscp                              IP DSCP value for SSH traffic
logging                          Configure logging for SSH
maxstartups                   Maximum concurrent sessions allowed
port                               Starting (or only) Port number to listen on
precedence                   IP Precedence value for SSH traffic
pubkey-chain                pubkey-chain
rekey                            Configure rekey values
rsa                                Configure RSA keypair name for SSH
source-interface           Specify interface for source address in SSH
                                   connections
stricthostkeycheck        Enable SSH Server Authentication
time-out                       Specify SSH time-out interval
version                         Specify protocol version to be supported

Hi,

 

You won't get the option to disable those ciphers on that switch. You can either upgrade to a newer switch or configure access lists to restrict management access to trusted hosts. The 3750 is end of life and i don't think there will be any more software fix for the switch.

 

Thanks

John

**Please rate posts you find helpful**

Yes, This is the most latest version. I have upgraded with. Is there any way to conform so can show to customer about this switch is not supported with ctr.....

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers