Vulnerability issue in 3750v2 switch

Tarun Vyas

An audit observation found a vulnerability issue, and I need to resolve it.

Switch Model : WS-C3750V2-24TS

Switch Version : c3750-ipservicesk9-mz.150-2.SE11.bin

Vulnerability : Nessus Plugin ID:71049   (Disable MD5 and 96-bit MAC algorithms)

Vulnerability : Nessus Plugin ID:70658   (Enable CTR or GCM cipher mode)

Can you give me the proper command to resolve the issue? Please provide a command that is supported on the 3750V2 switch.


HOST_NAME# show ssh
*Mar 1 05:35:37 IST: %SYS-5-CONFIG_I: Configured from console by xyz_usrnm on console
Connection  Version  Mode  Encryption  Hmac       State            Username
0           2.0      IN    aes256-cbc  hmac-sha1  Session started  xyz_usrnm
0           2.0      OUT   aes256-cbc  hmac-sha1  Session started  xyz_usrnm
%No SSHv1 server connections running.


Seb Rupik
VIP Advisor

Hi there,

Try explicitly setting the SSH MAC and cipher algorithms (in config mode):

ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes256-ctr



I already tried the given command earlier, but it is not accepted.


HOST-NAME(config)#ip ssh ?
  authentication-retries  Specify number of authentication retries
  break-string            break-string
  dh                      Diffie-Hellman
  dscp                    IP DSCP value for SSH traffic
  logging                 Configure logging for SSH
  maxstartups             Maximum concurrent sessions allowed
  port                    Starting (or only) Port number to listen on
  precedence              IP Precedence value for SSH traffic
  pubkey-chain            pubkey-chain
  rekey                   Configure rekey values
  rsa                     Configure RSA keypair name for SSH
  source-interface        Specify interface for source address in SSH
  stricthostkeycheck      Enable SSH Server Authentication
  time-out                Specify SSH time-out interval
  version                 Specify protocol version to be supported



You won't get the option to disable those ciphers on that switch. You can either upgrade to a newer switch or configure access lists to restrict management access to trusted hosts. The 3750 is end of life, and I don't think there will be any more software fixes for the switch.




**Please rate posts you find helpful**

Yes, this is the latest version; I have upgraded to it. Is there any way to confirm this, so I can show the customer that this switch does not support CTR?
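One way to produce the evidence the last post asks for is to do what the two Nessus plugins do: read the cipher and MAC name-lists the switch advertises in its SSH_MSG_KEXINIT (RFC 4253 section 7.1) and check them against the findings. The following Python script is an added example, not code from this thread or from Cisco. The `SAMPLE_SWITCH_KEXINIT` payload is constructed here to resemble an IOS 15.0(2)SE11 server that offers only CBC ciphers plus MD5 and 96-bit MACs (the thread only shows that aes256-cbc and hmac-sha1 were negotiated, so the exact list is an assumption); `probe()` fetches the real KEXINIT from a live device and is not exercised offline.

```python
"""Enumerate the SSH cipher/MAC lists a server offers (what Nessus 70658/71049
check) by parsing its SSH_MSG_KEXINIT, RFC 4253 section 7.1."""
import socket
import struct

SSH_MSG_KEXINIT = 20

# Plugin 71049 flags MD5-based and 96-bit-truncated MACs.
WEAK_MAC_MARKERS = ("md5", "-96")
# Plugin 70658 wants at least one CTR or GCM cipher offered instead of CBC.
STRONG_CIPHER_MARKERS = ("-ctr", "-gcm")


def _name_list(names):
    """Encode an RFC 4251 name-list: uint32 length + comma-separated names."""
    raw = ",".join(names).encode("ascii")
    return struct.pack(">I", len(raw)) + raw


def _read_name_list(buf, off):
    """Decode one name-list at offset `off`; return (names, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return ([x for x in raw.split(",") if x], off + n)


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)):
    """Build a KEXINIT payload; used here only to construct a sample."""
    return (bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16          # type + cookie
            + _name_list(kex) + _name_list(hostkey)
            + _name_list(enc) + _name_list(enc)               # enc c2s, s2c
            + _name_list(mac) + _name_list(mac)               # mac c2s, s2c
            + _name_list(comp) + _name_list(comp)
            + _name_list([]) + _name_list([])                 # languages
            + b"\x00" + struct.pack(">I", 0))                 # first_kex_follows, reserved


def parse_kexinit(payload):
    """Split a KEXINIT payload into its ten name-lists, keyed by role."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16  # skip message type and the 16-byte random cookie
    fields = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
    algos = {}
    for f in fields:
        algos[f], off = _read_name_list(payload, off)
    return algos


def assess(algos):
    """Apply the two audit findings to the server-to-client lists."""
    ciphers, macs = algos["enc_s2c"], algos["mac_s2c"]
    weak_macs = [m for m in macs if any(k in m for k in WEAK_MAC_MARKERS)]
    ctr_or_gcm = [c for c in ciphers if any(k in c for k in STRONG_CIPHER_MARKERS)]
    return {
        "weak_macs": weak_macs,                        # non-empty: 71049 fires
        "ctr_or_gcm": ctr_or_gcm,                      # empty: 70658 fires
        "cbc_ciphers": [c for c in ciphers if c.endswith("-cbc")],
        "passes_71049": not weak_macs,
        "passes_70658": bool(ctr_or_gcm),
    }


def probe(host, port=22, timeout=5):
    """Connect, do the version exchange, read the first binary packet (the
    server's KEXINIT; unencrypted framing per RFC 4253 section 6) and parse it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        while True:                       # servers may send banner lines first
            line = f.readline()
            if not line:
                raise ConnectionError("no SSH version string received")
            if line.startswith(b"SSH-"):
                break
        s.sendall(b"SSH-2.0-kexinit_probe\r\n")
        (pkt_len,) = struct.unpack(">I", f.read(4))
        pad_len = f.read(1)[0]
        payload = f.read(pkt_len - pad_len - 1)
        f.read(pad_len)                   # discard random padding
        return parse_kexinit(payload)


# Constructed sample (assumption, not a capture from the poster's switch):
# CBC-only ciphers with SHA1/MD5 MACs, the combination both plugins report.
SAMPLE_SWITCH_KEXINIT = build_kexinit(
    kex=["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
         "diffie-hellman-group1-sha1"],
    hostkey=["ssh-rsa"],
    enc=["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
    mac=["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
)

if __name__ == "__main__":
    for name, ok in assess(parse_kexinit(SAMPLE_SWITCH_KEXINIT)).items():
        print(f"{name}: {ok}")
```

Run `probe("switch-ip")` from a host that is allowed to reach the management VTY; the returned `enc_s2c` and `mac_s2c` lists are the objective record of what the device offers, independent of what `show ssh` happened to negotiate for one session. On a platform that does accept `ip ssh server algorithm`, re-running the probe after the change is the quickest way to confirm the finding is closed before re-scanning.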
