SSL Medium Strength Cipher Suites Supported vulnerability

Unanswered Question
Feb 19th, 2010
User Badges:

Kind of an odd thing.  We just had a vulnerability scan and a 2960 got pinged for supporting medium strength SSL cipher suites.  I say strange cause I have 3 others that have the same IOS image and they didn't get pinged.  Swap out the management IP address and they are all the same.  They are all running 12.2(52)SE C2960-LANBASEK9-M, with a 768 bit keys.  Here is the text of the vulnerability :


Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.


Reconfigure the affected application if possible to avoid use of medium strength ciphers. / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Plugin output : Here are the medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv3 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}



Can someone point me in the right direction on how to re-configure the switch to pass this test?


Thanks

Poirot

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Panos Kampanakis Mon, 02/22/2010 - 11:40
User Badges:
  • Cisco Employee,

I believe the alert there is because you are using a 768 key which was broken recently (Jan 2010 a paper was published on it with results from efforts that took 4 years to break 768 keys). 768bit RSA keys is not considered secure enough any more.


I would suggest you to configure keys of 1024 on these switches and try again.


I hope it helps.


PK

poirot1967 Mon, 02/22/2010 - 12:07
User Badges:

Thanks for the reply.  I zeroed the key of one of switches and started a scan on it.  I will let you know if that fixes it.


Poirot

poirot1967 Tue, 02/23/2010 - 08:22
User Badges:

I zeroed the RSA key and generated a 1024 bit replacement.  Saved it, restarted the secure http server, and ran the Gideon scan against it.  I am still getting the same vulnerability.  Is there a way to turn off an individual cypher suite running in IOS?


Poirot

Panos Kampanakis Tue, 02/23/2010 - 13:45
User Badges:
  • Cisco Employee,

You cannot disable ciphersuites.

Try if "ip ssh version 2" helps.


Also check the difference in ssh and crypto key between the routers that don't see the vulnerability reports.


PK

poirot1967 Wed, 03/24/2010 - 06:30
User Badges:

Yeah.  I told our ISSO that it was something that it would have to be deemed an acceptable risk as there was not a 'fix' for it.


Poirot

Actions

This Discussion

Related Content