Disable SSH CBC mode cipher encryption and disable MD5 and 96-bit MAC algorithms in SSH on Cisco ASA

Hi all,

 

I want to disable CBC mode cipher encryption, enable CTR or GCM cipher mode encryption, and disable MD5 and 96-bit MAC algorithms.

ASA version : 9.1.5(21)

Any ideas?

 

Regards,

Bala

12 Replies

Is there any doc or Cisco release note stating that it is not possible?

 

What does "options are quite limited" mean?

If you want to use TLSv2 ciphersuites you are going to have to upgrade to 9.3 or higher; they aren't supported on earlier versions.

-- Jim Leinweber, WI State Lab of Hygiene

Is TLSv2 applicable for SSH also? Please confirm.

No, TLS 1.2 in ASA versions 9.3 and higher can be used with the actual AnyConnect client. But it's unrelated to SSH.

Correct.

Is there any Cisco doc or release note showing that there is no workaround in Cisco ASA for the SSH vulnerability?

 

If limited possibilities are documented, at least share that link.

 

All that you can do is documented in the config-guide.

Which config-guide are you referring to? Can you share the link?

If we enable SSH authentication, can we mitigate that vulnerability?

SSH always works with authentication. That's not related to the used ciphers.

To my knowledge it's not documented that it's not possible ... Only the limited possibilities are documented, and that's mainly that you can restrict SSH to version 2 and configure the DH to group14.
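Added example, not part of any post in this thread: a check for the algorithm classes named in the thread title, run over the name-lists an SSH server advertises in its SSH_MSG_KEXINIT message (RFC 4253, section 7.1). The function names and the sample offer are assumptions constructed for illustration and do not describe what any particular ASA release advertises.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload (packet framing already removed)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}  # skip the message type and the 16-byte cookie
    for name in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[offset:offset + length].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        offset += length
    return lists

def weak_algorithms(lists: dict) -> dict:
    """Return the CBC ciphers and the MD5 or 96-bit MACs on offer, per direction."""
    findings = {}
    for field in ("enc_c2s", "enc_s2c"):
        findings[field] = [a for a in lists[field] if "-cbc" in a]
    for field in ("mac_c2s", "mac_s2c"):
        findings[field] = [a for a in lists[field] if "md5" in a or "-96" in a]
    return {k: v for k, v in findings.items() if v}

def build_kexinit(lists: dict) -> bytes:
    """Encode a KEXINIT payload; used here only to construct the sample."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # zero cookie, sample only
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed sample offer, not captured from any real device.
ciphers = ["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"]
macs = ["hmac-sha2-256", "hmac-sha1", "hmac-sha1-96", "hmac-md5"]
SAMPLE = build_kexinit({"kex": ["diffie-hellman-group14-sha1"], "host_key": ["ssh-rsa"],
                        "enc_c2s": ciphers, "enc_s2c": ciphers,
                        "mac_c2s": macs, "mac_s2c": macs,
                        "comp_c2s": ["none"], "comp_s2c": ["none"]})

if __name__ == "__main__":
    for field, names in weak_algorithms(parse_kexinit(SAMPLE)).items():
        print(field, "->", ", ".join(names))
```

An empty result from `weak_algorithms` means none of the advertised ciphers or MACs fall into the CBC, MD5 or 96-bit classes.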
