Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

SSL Medium Strength Cipher Suites Supported vulnerability

Kind of an odd thing.  We just had a vulnerability scan and a 2960 got pinged for supporting medium strength SSL cipher suites.  I say strange cause I have 3 others that have the same IOS image and they didn't get pinged.  Swap out the management IP address and they are all the same.  They are all running 12.2(52)SE C2960-LANBASEK9-M, with a 768 bit keys.  Here is the text of the vulnerability :

Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

Reconfigure the affected application if possible to avoid use of medium strength ciphers. / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Plugin output : Here are the medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv3 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

Can someone point me in the right direction on how to re-configure the switch to pass this test?

Thanks

Poirot

Everyone's tags (3)
6 REPLIES
Cisco Employee

Re: SSL Medium Strength Cipher Suites Supported vulnerability

I believe the alert there is because you are using a 768 key which was broken recently (Jan 2010 a paper was published on it with results from efforts that took 4 years to break 768 keys). 768bit RSA keys is not considered secure enough any more.

I would suggest you to configure keys of 1024 on these switches and try again.

I hope it helps.

PK

New Member

Re: SSL Medium Strength Cipher Suites Supported vulnerability

Thanks for the reply.  I zeroed the key of one of switches and started a scan on it.  I will let you know if that fixes it.

Poirot

New Member

Re: SSL Medium Strength Cipher Suites Supported vulnerability

I zeroed the RSA key and generated a 1024 bit replacement.  Saved it, restarted the secure http server, and ran the Gideon scan against it.  I am still getting the same vulnerability.  Is there a way to turn off an individual cypher suite running in IOS?

Poirot

Cisco Employee

Re: SSL Medium Strength Cipher Suites Supported vulnerability

You cannot disable ciphersuites.

Try if "ip ssh version 2" helps.

Also check the difference in ssh and crypto key between the routers that don't see the vulnerability reports.

PK

New Member

Re: SSL Medium Strength Cipher Suites Supported vulnerability

Have the exact same issue.

I have 1024 crypto keys and ip ssh version 2 in the config.

Still shows up a vulnerability after re-scanning (using Tenable Nessus).

This happens on 2960, 3550, & 3750's.

New Member

Re: SSL Medium Strength Cipher Suites Supported vulnerability

Yeah.  I told our ISSO that it was something that it would have to be deemed an acceptable risk as there was not a 'fix' for it.

Poirot

10204
Views
0
Helpful
6
Replies
CreatePlease to create content