
SSH Server CBC Mode Ciphers & SSH Weak MAC Vulnerabilities | Supported IOS version

marv.mingi

Hi All,

We have WS-C3560X-24T-L with IOS version 15.2(1)E1. This device was subjected to vulnerability assessment.

Findings:

1.) SSH Server CBC Mode Ciphers & SSH Weak MAC Algorithms Enabled

Recommendations:

1.1.) Disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption

1.2.) Disable MD5 and 96-bit MAC algorithms.

I looked into some documentation/forums and found the commands for the recommendations:

1.1) ip ssh server algorithm encryption aes256-ctr

1.2.) ip ssh server algorithm mac hmac-sha1

The problem is that the commands are not supported on the IOS version (15.2(1)E1) of the 3560X.

Can you help me find out whether version 15.2.4E2 can fix the issue? We are going to upgrade the FW of the box, but just to be sure (because the box is in production) we want to test it in the lab environment; unfortunately, we don't have a spare 3560X to use.


marv.mingi

Hi all,

I confirmed that the commands are supported on the latest version, 15.2.4E2.
