I got this vulnerability alert from the Kenna security tool. Does anyone know how to reinstall a certificate on a 3850 switch or 5508 WLC?

CVE-2004-2761
The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate.

Due per Kenna: 5/20/2019

Devices: 10.205.x.x 10.254.x.x 172.25.x.x 10.254.x.x

Diagnosis: The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service. Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm.

See Also:
https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?e120eea1
http://technet.microsoft.com/en-us/security/advisory/961509

Related CVE IDs: CVE-2004-2761
Related BugTraq IDs: 11849 33065
Other Security Standard Reference IDs: OSVDB:45127 OSVDB:45108 OSVDB:45106 CWE:310 CERT:836068

Solution per Kenna: Contact the Certificate Authority to have the certificate reissued.
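As an added example (not part of the original post, Kenna's tooling, or Cisco's code), a standard-library Python check that reports which certificates in a chain carry a signature hash the finding above flags (MD2/MD4/MD5/SHA-1) by reading the signatureAlgorithm OID straight from the DER encoding; the two sample "certificates" are constructed skeletons with only the structure the check inspects, not real certificates.

```python
# Added example, not from the original post: flag chain members signed with
# MD2/MD4/MD5/SHA-1 by reading Certificate.signatureAlgorithm straight from DER (RFC 3279 OIDs).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
KNOWN_GOOD = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
              "1.2.840.113549.1.1.12": "sha384WithRSAEncryption"}

def _tlv(buf, pos):  # parse one DER TLV -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(value):  # decode OBJECT IDENTIFIER content octets to dotted form
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc); acc = 0
    return ".".join(map(str, parts))

def signature_algorithm_oid(der):
    """Dotted OID of Certificate.signatureAlgorithm from DER-encoded certificate bytes."""
    tag, start, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    if tag != 0x30: raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = _tlv(der, start)          # skip tbsCertificate
    _, alg_start, _ = _tlv(der, after_tbs)      # AlgorithmIdentifier SEQUENCE
    tag, o_start, o_end = _tlv(der, alg_start)  # its first element is the algorithm OID
    if tag != 0x06: raise ValueError("expected OBJECT IDENTIFIER")
    return _oid(der[o_start:o_end])

def check_chain(der_certs):
    """[(index, oid, name, is_weak)] per certificate; any True means the chain needs reissuing."""
    oids = [signature_algorithm_oid(d) for d in der_certs]
    return [(i, o, WEAK_SIG_OIDS.get(o) or KNOWN_GOOD.get(o, "unknown"), o in WEAK_SIG_OIDS)
            for i, o in enumerate(oids)]

def _der(tag, content):  # short-form DER encoder, used only to build the constructed samples
    return bytes([tag, len(content)]) + content
def sample_cert(sig_oid_hex):  # CONSTRUCTED Certificate-shaped DER skeleton, not a real cert
    tbs = _der(0x30, _der(0x02, b"\x01"))       # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xff"))
SAMPLE_SHA1 = sample_cert("2a864886f70d010105")    # sha1WithRSAEncryption -> weak
SAMPLE_SHA256 = sample_cert("2a864886f70d01010b")  # sha256WithRSAEncryption -> fine
```

For a chain exported from the controller, convert each PEM block with ssl.PEM_cert_to_DER_cert() from the standard library and pass the resulting list to check_chain().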
I'm trying to manually add SNMP config to a WAP. Cisco TAC recommended "debug capwap console cli", then "conf t" and adding the SNMP config, but I can't get that far. Where do I go from here?

WAP#debug capwap console cli
                            ^
% Invalid input detected at '^' marker.

WAP#debug capwap client
  CAPWAP Client debugs
WAP#debug capwap client
  avc                CAPWAP client AVC
  detail             CAPWAP detail
  efficient-upgrade  Smart image download debugging
  error              CAPWAP error
  events             CAPWAP events
  flexconnect        CAPWAP flexconnect mode event
  info               CAPWAP info
  keepalive          CAPWAP keepalive
  payload            CAPWAP payload
  pmtu               CAPWAP Path MTU debugging
  qos                CAPWAP qos
  reassembly         CAPWAP reassembly
  security           CAPWAP security
WAP#debug capwap client
WAP#show version

Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to email@example.com.

This product contains some software licensed under the "GNU General Public License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms of "GNU General Public License, version 2", available here: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html

This product contains some software licensed under the "GNU Library General Public License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms of "GNU Library General Public License, version 2", available here: http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html

This product contains some software licensed under the "GNU Lesser General Public License, version 2.1" provided with ABSOLUTELY NO WARRANTY under the terms of "GNU Lesser General Public License, version 2.1", available here: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html

Cisco AP Software, (ap3g3), [wnbu-bld-lnx8:/san/BUILD/workspace/83MR4_Repost_Cheetah_CCO/label/barbados]
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon Jun 4 23:25:52 PDT 2018

ROM: Bootstrap program is U-Boot boot loader
BOOTLDR: U-Boot boot loader Version 2013.01-gad8bd06 (Sep 28 2017 - 17:03:04)

ALDLEG-6-WAP07-6302-D552 uptime is 0 days, 6 hours, 45 minutes
Last reload time : Thu Apr 4 21:09:33 UTC 2019
Last reload reason : unknown

cisco AIR-AP3802I-B-K9 ARMv7 Processor rev 1 (v7l) with 1030640/710480K bytes of memory.
Processor board ID FCW2243NFQP
AP Running Image : 22.214.171.124
Primary Boot Image : 126.96.36.199
Backup Boot Image : 188.8.131.52
1 Multigigabit Ethernet interfaces
1 Gigabit Ethernet interfaces
2 802.11 Radios
Radio Driver version : 184.108.40.206-W8964
Radio FW version : 220.127.116.11
NSS FW version :
Base ethernet MAC Address : F4:DB:E6:9D:D5:52
Part Number : 73-018550-02
PCA Assembly Number : 000-00000-00
PCA Revision Number :
PCB Serial Number : FOC22415XWY
Top Assembly Part Number : 068-100730-02
Top Assembly Serial Number : FCW2243NFQP
Top Revision Number : E0
Product/Model Number : AIR-AP3802I-B-K9
interface GigabitEthernetX/X
 description xxxx
 switchport
 switchport access vlan 22
 switchport mode access
 switchport voice vlan 26
 authentication event server dead action authorize vlan 22
 authentication event server dead action authorize voice
 authentication event no-response action authorize vlan 27
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation replace
 mls qos trust dscp
 dot1x pae authenticator
 no cdp enable

Can someone please tell me the meaning of the bold commands? I need to understand the policy implications.