
Cisco Switch 2960x Security Audit Exercise: The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms.

Asked by patricktam
Topics: Cisco, SSH / Telnet Software, Network Security
We have installed Cisco 2960x stackable switches in our organization. The internal Audit department has scanned the switches for security assessment and found the vulnerability "The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms".

The Cisco IOS version running on the switches is 15.2(2)E4, which is the Cisco suggested latest IOS version for Cisco 2960x - 24-TL ...

We have found the Cisco community links
https://supportforums.cisco.com/document/12338141/guide-better-ssh-security and
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-s/sec-usr-ssh-15-s-book/sec-secure-shell-algorithm-ccc.html

saying that we could "Disable Unwanted MAC algorithms" by running the command "no ip ssh server algorithm mac hmac-sha1-96" to disable the algorithm.

However, it seems that only 15.5(2) can use this command to disable the weak 96-bit MAC algorithm.

Question 1: Is there any solution to disable the weak MAC algorithm on the Cisco Switches server running 15.2(2)E4?

Question 2: Not sure if there is any official Cisco web link that describes and provides solution/remediation steps for this vulnerability?

Question 3: If there is indeed no solution, is there any official Cisco web link that describes the fact that a fix/patch is not available?

Thank you so much for your help.

Regards
Patrick
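
As an added example (not from the original post or from Cisco), the audit finding can be re-checked by parsing the server's SSH_MSG_KEXINIT payload (RFC 4253) and listing every offered MAC that is MD5-based or truncated to 96 bits. The sample payload and its algorithm lists are constructed for illustration, the function names are hypothetical, and the input is assumed to be the KEXINIT payload with the binary-packet framing already removed.

```python
import struct

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def is_weak_mac(name: str) -> bool:
    """True for the MACs the finding covers: MD5-based or 96-bit truncated."""
    base = name.split("@")[0].removesuffix("-etm")  # drop vendor and EtM suffixes
    return "md5" in base or base.endswith("-96")

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload into its named algorithm lists."""
    if len(payload) < 17 or payload[0] != 20:       # 20 = SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}                               # skip type byte + 16-byte cookie
    for field in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        off += n
    return out

def weak_macs(payload: bytes) -> dict:
    """Weak MACs offered in each direction; empty lists mean the finding is cleared."""
    lists = parse_kexinit(payload)
    return {d: [m for m in lists[d] if is_weak_mac(m)] for d in ("mac_c2s", "mac_s2c")}

def build_kexinit(lists: dict) -> bytes:
    """Build a constructed sample payload so the check runs offline."""
    body = bytes([20]) + bytes(16)
    for field in FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)    # first_kex_packet_follows, reserved

# Constructed sample: a server offering the MAC mix named in the audit finding.
SAMPLE_MACS = ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"]
SAMPLE = build_kexinit({"kex": ["diffie-hellman-group14-sha1"], "host_key": ["ssh-rsa"],
                        "enc_c2s": ["aes128-ctr"], "enc_s2c": ["aes128-ctr"],
                        "mac_c2s": SAMPLE_MACS, "mac_s2c": SAMPLE_MACS,
                        "comp_c2s": ["none"], "comp_s2c": ["none"]})

if __name__ == "__main__":
    print(weak_macs(SAMPLE))
```

Running the same check against a payload captured after a configuration change shows whether the MD5 and 96-bit entries are still being offered.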
ASKER CERTIFIED SOLUTION
btan, Exec Consultant