patricktam

Cisco Switch 2960x Security Audit Exercise: The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms.

We have installed Cisco 2960x stackable switches in our organization. The internal Audit department has scanned the switches for a security assessment and found the vulnerability "The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms."

The Cisco IOS version running on the switches is 15.2(2)E4, which is the Cisco suggested latest IOS version for Cisco 2960x - 24-TL ...

We have found the Cisco community link
https://supportforums.cisco.com/document/12338141/guide-better-ssh-security  and
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-s/sec-usr-ssh-15-s-book/sec-secure-shell-algorithm-ccc.html 

that we could "Disable Unwanted MAC algorithms" by running the command "no ip ssh server algorithm mac hmac-sha1-96" to disable the algorithm.

However, it seems that only 15.5(2) can use this command to disable the weak 96-bit MAC algorithm.

Question 1: Is there any solution to disable the weak MAC algorithm on the Cisco switches running 15.2(2)E4?

Question 2: Not sure if there is any official Cisco web link that describes and provides solution/remediation steps for this vulnerability?

Question 3: If there is indeed no solution, is there any official Cisco web link that describes the fact that a fix/patch is not available?

Thank you so much for your help.

Regards
Patrick
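
A finding like the one quoted in the question is typically derived from the MAC name-lists a server advertises in its SSH key-exchange init message. As an added example (not part of the original post and not Cisco code), this Python parses such a payload per RFC 4253 section 7.1 and flags MD5 and 96-bit MACs; the sample payload and its algorithm list are constructed, not captured from a 2960X, and the function names are hypothetical.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in a KEXINIT payload (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into its algorithm name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list body")
        raw = payload[pos:pos + n].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        pos += n
    return lists

def weak_macs(lists: dict) -> list:
    """Return advertised MACs that use MD5 or a 96-bit truncated tag."""
    offered = dict.fromkeys(lists["mac_c2s"] + lists["mac_s2c"])  # ordered de-dup
    return [m for m in offered if "md5" in m or "-96" in m]

def build_kexinit(macs: list) -> bytes:
    """Build a constructed sample payload (test data, not a device capture)."""
    def nl(names):
        body = ",".join(names).encode("ascii")
        return struct.pack(">I", len(body)) + body
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)           # type + zero cookie
    out += nl(["diffie-hellman-group14-sha1"]) + nl(["ssh-rsa"])
    out += nl(["aes128-ctr"]) * 2 + nl(macs) * 2         # ciphers, then MACs
    out += nl(["none"]) * 2 + nl([]) * 2                 # compression, languages
    return out + b"\x00" + struct.pack(">I", 0)          # first_kex_follows, reserved

if __name__ == "__main__":
    sample = build_kexinit(["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"])
    print("weak MACs advertised:", weak_macs(parse_kexinit(sample)))
```

Running the same check before and after a configuration change shows whether the advertised MAC list actually changed.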
ASKER CERTIFIED SOLUTION
btan
