Weak SSL/TLS Key Exchange Vulnerability

Hello,

Everybody, I hope you're doing well.

I have asked this question many times. I need your help: in our network infrastructure we have a Cisco Catalyst 9200 switch, version 17.6.

We have a Qualys vulnerability scan, and there is a certain vulnerability that wouldn't go away. We have tried some of the solutions that the community suggested, but to no avail; we have tried the commands to disable or limit it, but nothing changed. After a while we noticed that only this switch has this problem. We noticed the path is different, so we took an image from the other C9200 that doesn't show the vulnerability in the scan and installed it. After we scanned again, the same vulnerability remained. Has anybody faced this issue?

Please don't suggest rebooting, as we have tried that too; we also used commands to disable it and tried limiting it.

The vulnerability:

Weak SSL/TLS Key Exchange Vulnerability

IMPACT:
An attacker with access to sufficient computational power might be able to recover the session key and decrypt session content.

SOLUTION:
Change the SSL/TLS server configuration to only allow strong key exchanges. Key exchanges used on the server should provide at least 112 bits of security, so the minimum key size to not flag this QID should be:
- 2048 bit key size for Diffie Hellman (DH) or RSA key exchanges
- 224 bit key size for Elliptic Curve Diffie Hellman (ECDH) key exchanges

We have tried all suggested solutions.

Appreciate your support.
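To verify what a device actually offers on its SSH port against the Qualys threshold quoted above (at least 112 bits of security), here is an added Python example, not from the original thread or from Cisco or Qualys: it parses the kex_algorithms name-list of an SSH_MSG_KEXINIT message (RFC 4253) and classifies each offered algorithm. The strength table and the sample KEXINIT bytes are constructed for the example; a real check would feed it the KEXINIT captured from the switch.

```python
"""Flag SSH key-exchange algorithms below the 112-bit security threshold."""
import struct

# Bits of security per KEX name (NIST SP 800-57 equivalences). Constructed table
# covering algorithms commonly offered by network devices; extend as needed.
KEX_STRENGTH_BITS = {
    "diffie-hellman-group1-sha1": 80,      # 1024-bit MODP group -> below threshold
    "diffie-hellman-group14-sha1": 112,    # 2048-bit MODP group
    "diffie-hellman-group14-sha256": 112,
    "diffie-hellman-group16-sha512": 192,  # 4096-bit MODP group
    "ecdh-sha2-nistp256": 128,             # 256-bit curve, above the 224-bit minimum
    "ecdh-sha2-nistp384": 192,
    "ecdh-sha2-nistp521": 256,
    "curve25519-sha256": 128,
}
MIN_BITS = 112  # Qualys: key exchanges must provide at least 112 bits of security

def _name_list(buf, off):
    """Read one RFC 4253 name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    names = buf[off + 4:off + 4 + n].decode("ascii")
    return [s for s in names.split(",") if s], off + 4 + n

def parse_kexinit(payload):
    """Return the kex_algorithms name-list from an SSH_MSG_KEXINIT payload."""
    if len(payload) < 17 or payload[0] != 20:  # message type 20 = SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT payload")
    kex, _ = _name_list(payload, 17)  # skip the type byte and the 16-byte cookie
    return kex

def classify_kex(kex_names):
    """Split offered KEX names into (weak, strong, unknown) by the 112-bit rule."""
    weak, strong, unknown = [], [], []
    for name in kex_names:
        bits = KEX_STRENGTH_BITS.get(name)
        if bits is None:
            unknown.append(name)  # e.g. group-exchange: strength depends on the negotiated group
        elif bits < MIN_BITS:
            weak.append(name)
        else:
            strong.append(name)
    return weak, strong, unknown

def build_kexinit(kex_names):
    """Constructed sample KEXINIT (only the kex list is populated) for offline use."""
    lists = [",".join(kex_names).encode()] + [b""] * 9  # 10 name-lists in total
    body = b"".join(struct.pack(">I", len(l)) + l for l in lists)
    return bytes([20]) + bytes(16) + body + b"\x00" + struct.pack(">I", 0)

if __name__ == "__main__":
    sample = build_kexinit(["diffie-hellman-group1-sha1", "ecdh-sha2-nistp256",
                            "diffie-hellman-group-exchange-sha1"])
    weak, strong, unknown = classify_kex(parse_kexinit(sample))
    print("weak:", weak, "strong:", strong, "needs manual check:", unknown)
```

Algorithms reported as weak or unknown are the ones to remove or pin on the device, and the check can be repeated after the change instead of waiting for the next scan.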

Accepted Solution

Dears,

After a while we changed the SSH port number (default is 22) to another port and also blocked port 22; then the vulnerability was removed. This is the solution that we found. If you have any other solution, please let us know.


2 Replies

marce1000 (VIP)

- (Of course upgrading requires a reboot too, but it is usually the best path to take, and then compare with Qualys again, e.g.)

Ref: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/17-11/release_notes/ol-17-11-9200/whats_new_in_cisco_ios_dublin_1711x.html#topic-rn-sw-features-17111.xml

Deprecation of Weak Ciphers

The minimum RSA key pair size must be 2048 bits. The compliance shield on the device must be disabled using the crypto engine compliance shield disable command to use the weak RSA key.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'
