patricktam
asked on
Cisco Switch 2960x Security Audit Exercise: The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms.
We have installed Cisco 2960X stackable switches in our organization. The internal audit department has scanned the switches for a security assessment and found the vulnerability "The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms."
The Cisco IOS version running on the switches is 15.2(2)E4, which is the Cisco-suggested latest IOS version for the Cisco 2960X-24TL ...
We have found the Cisco community links
https://supportforums.cisco.com/document/12338141/guide-better-ssh-security and
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-s/sec-usr-ssh-15-s-book/sec-secure-shell-algorithm-ccc.html
which say that we could "Disable Unwanted MAC algorithms" by running the command "no ip ssh server algorithm mac hmac-sha1-96".
However, it seems that only 15.5(2) can use this command to disable the weak 96-bit MAC algorithm.
Question 1: Is there any solution to disable the weak MAC algorithm on the Cisco switches running 15.2(2)E4?
Question 2: Not sure if there is any official Cisco web link that describes and provides solution/remediation steps for this vulnerability?
Question 3: If there is indeed no solution, is there any official Cisco web link that describes the fact that a fix/patch is not available?
Thank you so much for your help.
Regards
Patrick
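An audit-side check for the finding above, added here as an example and not part of the original post: it parses an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) and reports which of the weak MAC names (MD5-based and 96-bit truncated tags) the peer still advertises, so a defender can verify a switch's SSH configuration independently of the scanner. The sample payload is constructed inline; the function and field names are this example's own.

```python
import struct

# Name-lists in SSH_MSG_KEXINIT (RFC 4253 section 7.1), in wire order.
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

# MAC names an auditor treats as weak: MD5-based and 96-bit truncated tags.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}


def _name_list(buf: bytes, off: int):
    """Read one SSH name-list (uint32 length + comma-separated ASCII)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return [s for s in raw.decode("ascii").split(",") if s], off + n


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload: message id 20, 16-byte cookie, ten name-lists."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, fields = 17, {}
    for name in KEXINIT_FIELDS:
        fields[name], off = _name_list(payload, off)
    return fields


def weak_macs_offered(payload: bytes) -> set:
    """Return the weak MAC names advertised in either direction."""
    f = parse_kexinit(payload)
    offered = set(f["mac_client_to_server"]) | set(f["mac_server_to_client"])
    return offered & WEAK_MACS


def build_kexinit(lists) -> bytes:
    """Constructed sample only: serialise ten name-lists into a KEXINIT payload."""
    body = b"".join(struct.pack(">I", len(s)) + s.encode("ascii") for s in lists)
    return b"\x14" + b"\x00" * 16 + body + b"\x00" + b"\x00\x00\x00\x00"


# Constructed payload resembling a server that still allows MD5 and 96-bit MACs.
SAMPLE = build_kexinit([
    "diffie-hellman-group14-sha1", "ssh-rsa",
    "aes128-ctr,aes256-ctr", "aes128-ctr,aes256-ctr",
    "hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96",
    "hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96",
    "none", "none", "", "",
])

if __name__ == "__main__":
    print("weak MACs offered:", sorted(weak_macs_offered(SAMPLE)))
```

On a live device, capture the server's KEXINIT from a packet trace or an SSH client in debug mode and pass its payload bytes to weak_macs_offered; an empty result means the finding is remediated.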