Cisco Bug: CSCvv70862 - SMA version 13.6.2-023 cannot limit ciphers negotiated on sshconfig sshd

Last Modified

Sep 15, 2020

Products (1)

  • Cisco Content Security Management Appliance

Known Affected Releases

13.6.2-023

Description (partial)

Symptom:
While trying to remove some ciphers from being offered on SMA version 13.6.2-023, the changes are not effective.
You can issue the command from the CLI:
ironport.local> sshconfig


Choose the operation you want to perform:
- SSHD - Edit SSH server settings.
- USERKEY - Edit SSH User Key settings
[]>SSHD
ssh server config settings:
Incomplete SSH session timeout (in secs):
        60
Minimum Server Key Size:
        1024
Public Key Authentication Algorithms:
        rsa1
        ssh-rsa
KEX Algorithms:
        diffie-hellman-group-exchange-sha256
        diffie-hellman-group-exchange-sha1
        diffie-hellman-group14-sha1
        diffie-hellman-group1-sha1
        ecdh-sha2-nistp256
        ecdh-sha2-nistp384
        ecdh-sha2-nistp521
Cipher Algorithms:
        aes128-ctr
        aes192-ctr
        aes256-ctr
Unsuccessful SSH login attempts allowed:
        3
MAC Methods:
        hmac-sha1
        umac-64@openssh.com
        hmac-ripemd160
        hmac-ripemd160@openssh.com

Choose the operation you want to perform:
- SETUP - Setup SSH server configuration settings
[]>


Choose the operation you want to perform:
- SSHD - Edit SSH server settings.
- USERKEY - Edit SSH User Key settings
[]>

Even though only CTR ciphers are present, you can still connect to the appliance using a CBC cipher:

86Q:~$ ssh -c aes256-cbc admin@10.48.78.46
Password:
AsyncOS 13.6 for Cisco M100V build 023

Welcome to the Cisco M100V Content Security Virtual Management Appliance

Conditions:
Install an SMA version 13.6.2-023.
Limit the ciphers offered under sshconfig>sshd using the CLI to only CTR or only CBC.
Try to connect to the appliance using a cipher that should not be offered, or use nmap to scan.
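The check below is an added example, not Cisco code and not part of this bug report. It parses an SSH server's KEXINIT message (RFC 4253 section 7.1), the packet in which sshd advertises its algorithm lists, and compares the advertised ciphers with the CTR-only policy shown in the sshconfig output above. The two sample KEXINIT payloads are constructed here for the example; the function, host, and policy names are the author's own. Note the caveat this bug illustrates: the advertised list is what a scanner such as nmap's ssh2-enum-algos reads, but the appliance in the report still completed a connection with aes256-cbc, so the parser confirms only the advertisement, and the `ssh -c aes256-cbc` attempt quoted above remains the decisive test.

```python
# Added example (not Cisco code): parse an SSH server's KEXINIT and compare the
# advertised cipher lists with a CTR-only policy like the sshconfig output above.
# The sample KEXINIT payloads below are constructed for this example.
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

# Policy taken from the sshconfig output on this page: CTR ciphers only.
ALLOWED_CIPHERS = ("aes128-ctr", "aes192-ctr", "aes256-ctr")


def encode_name_list(names):
    """RFC 4251 name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def decode_name_list(buf, off):
    """Return (names, new_offset) for the name-list starting at buf[off]."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    text = buf[off:off + n].decode("ascii")
    return [x for x in text.split(",") if x], off + n


def build_kexinit(lists, cookie=bytes(16)):
    """Build a KEXINIT payload (RFC 4253 s7.1) from a dict of name-lists."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        payload += encode_name_list(lists.get(field, []))
    payload += b"\x00"              # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved
    return payload


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of name-lists keyed by KEXINIT_FIELDS."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id + 16-byte cookie
    out = {}
    for field in KEXINIT_FIELDS:
        out[field], off = decode_name_list(payload, off)
    return out


def unexpected_ciphers(kexinit, allowed=ALLOWED_CIPHERS):
    """Ciphers advertised in either direction that fall outside the allow-list."""
    offered = set(kexinit["encryption_client_to_server"]) | set(kexinit["encryption_server_to_client"])
    return sorted(offered - set(allowed))


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Version exchange with an appliance you administer; returns its KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = f.readline()
        while banner and not banner.startswith(b"SSH-"):  # pre-banner lines are allowed
            banner = f.readline()
        if not banner:
            raise ConnectionError("server closed before sending its version string")
        s.sendall(b"SSH-2.0-kexinit_audit\r\n")
        (packet_len,) = struct.unpack(">I", f.read(4))  # binary packet: length, padding, payload
        padding_len = f.read(1)[0]
        payload = f.read(packet_len - padding_len - 1)
        f.read(padding_len)
        return payload


# Constructed samples: a server that honours the CTR-only policy, and one that
# still advertises CBC ciphers alongside it.
_BASE = {
    "kex_algorithms": ["diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp256"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "mac_client_to_server": ["hmac-sha1"], "mac_server_to_client": ["hmac-sha1"],
    "compression_client_to_server": ["none"], "compression_server_to_client": ["none"],
}
SAMPLE_CTR_ONLY = build_kexinit(dict(_BASE, encryption_client_to_server=list(ALLOWED_CIPHERS),
                                      encryption_server_to_client=list(ALLOWED_CIPHERS)))
_WITH_CBC = list(ALLOWED_CIPHERS) + ["aes256-cbc", "3des-cbc"]
SAMPLE_WITH_CBC = build_kexinit(dict(_BASE, encryption_client_to_server=_WITH_CBC,
                                      encryption_server_to_client=_WITH_CBC))

if __name__ == "__main__":
    payload = fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WITH_CBC
    info = parse_kexinit(payload)
    print("advertised ciphers:", info["encryption_server_to_client"])
    print("outside policy:", unexpected_ciphers(info))
```

Run it with a hostname to read the live advertisement, or with no argument to see the constructed CBC sample flagged. An empty `outside policy` list only means the advertisement matches; as the report shows, it does not prove that sshd will refuse a client that insists on `aes256-cbc`.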