Cisco 5508 Controllers vulnerabilities

Amr_Elsherif
Level 1

WLC 5508 running version 8.2.170.0 shows the vulnerabilities below; how can these be mitigated?

SSL Certificate Signed Using Weak Hashing Algorithm
SSH Weak Algorithms Supported
SSH Server CBC Mode Ciphers Enabled
SSH Weak MAC Algorithms Enabled
SSL Certificate Chain Contains RSA Keys Less Than 2048 bits

6 Replies

Haydn Andrews
VIP Alumni

How to mitigate them would be an upgrade.

The version to upgrade to would have been advised in the security advisory notice that the vulnerability was announced in or the release notes for the version you are upgrading to.


As most of these are SSL and SSH vulnerabilities, I also recommend ACL/FW rules to only allow these protocols from known sources.

When considering an upgrade here are two good links to review:

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Are there any extra commands that need to be run after the upgrade?

Thanks for your concern, Haydn.


You can run one of the following commands should you want to verify security strength after the upgrade:

(Cisco Controller) >show certificate?

all Display all installed certificate details
compatibility Enable compatibility mode for inter-switch ipsec
eap Display EAP cert. details
ipsec Display IPSec cert. details
lsc Display Locally Significant Certificate (LSC)
ssc Display Self Signed Device Certificate (SSC)
summary Display SSL certificates
webadmin Display Web Administration cert. details
webauth Display Web Authentication cert. details

<<< Please help the community by marking useful posts helpful, or accept as a solution if it resolved your issue >>>
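To confirm that the SSH findings from the question are actually cleared after the upgrade, here is an added Python example that is not from the thread or from Cisco: it takes the cipher and MAC lists the controller advertises (as shown by `ssh -vv` or by the scanner itself; the two sample lists below are constructed) and maps them to the three SSH findings. The patterns are assumptions about what those scanner checks match; adjust them to your scanner's plugin descriptions.

```python
import re

# Assumed patterns for the three SSH findings named in the question.
CBC_CIPHER = re.compile(r"-cbc$")                              # "SSH Server CBC Mode Ciphers Enabled"
LEGACY_CIPHER = re.compile(r"^(arcfour|3des|blowfish|cast128)")  # "SSH Weak Algorithms Supported" (RC4/legacy)
WEAK_MAC = re.compile(r"md5|-96$")                             # "SSH Weak MAC Algorithms Enabled" (MD5 or 96-bit tags)


def triage_ssh(offered):
    """Map advertised algorithm lists to scanner findings.

    offered: dict with 'ciphers' and 'macs' lists as the server advertises them.
    Returns {finding name: [offending algorithms]} with cleared findings omitted.
    """
    ciphers = offered.get("ciphers", [])
    macs = offered.get("macs", [])
    findings = {
        "SSH Server CBC Mode Ciphers Enabled": [c for c in ciphers if CBC_CIPHER.search(c)],
        "SSH Weak Algorithms Supported": [c for c in ciphers if LEGACY_CIPHER.search(c)],
        "SSH Weak MAC Algorithms Enabled": [m for m in macs if WEAK_MAC.search(m)],
    }
    return {name: algs for name, algs in findings.items() if algs}


def parse_algo_lines(text):
    """Parse constructed 'ciphers: a,b,c' / 'macs: x,y' lines into lists."""
    offered = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        offered[key.strip().lower()] = [a.strip() for a in value.split(",") if a.strip()]
    return offered


# Constructed samples: a legacy-looking offer and a hardened one.
BEFORE = """
ciphers: aes128-cbc,3des-cbc,aes128-ctr,aes256-ctr,arcfour
macs: hmac-md5,hmac-sha1,hmac-sha1-96
"""
AFTER = """
ciphers: aes128-ctr,aes256-ctr
macs: hmac-sha1,hmac-sha2-256
"""


def report(text):
    return triage_ssh(parse_algo_lines(text))


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, report(sample) or "no findings")
```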

patoberli
VIP Alumni
The option you want is named "Cipher-Option High", which would mitigate most of those points. Not sure which software release has added it though.
For compatibility reasons some old variants will also stay enabled! So not all points will disappear in a scan.

Leo Laohoo
Hall of Fame
Upgrade the firmware of the controller.