How To
Summary
The following relates to CVE-2023-48795 / CSCwi60493,
but the procedure is the same to disable any older/weak ciphers.
Objective
Disable vulnerable or weak SSH ciphers
Environment
The NX-OS Software uses CiscoSSH, which is derived from OpenSSH, and could be vulnerable to CVE-2023-48795 (the "Terrapin" prefix-truncation attack). The Security Impact Rating (SIR) is Low because the impact of this attack is very limited: it only allows an attacker to delete consecutive messages at the start of the session, and deleting most messages at this stage of the protocol prevents user authentication from proceeding. In addition:
The attacker needs to be in a privileged network position (an active man-in-the-middle) able to intercept and modify the initial SSH session setup packet exchange, and the SSH server must either (only one is enough):
* offer chacha20-poly1305@openssh.com as an encryption algorithm, or
* offer an encryption algorithm in CBC mode *and* an -etm@openssh.com MAC algorithm
Conditions:
Device with default configuration.
The NX-OS Software does not run AsyncSSH and is not vulnerable to either:
* CVE-2023-46445 (Rogue Extension Negotiation)
* CVE-2023-46446 (Rogue Session Attack)
CSCwi60493 : Confirm if CVE-2023-48795 impacts Nexus 9000
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi60493
CVE-2023-48795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795
Steps
Here you will find the affecting conditions and the solution for Nexus devices.
According to the Cisco document, the customer should check whether the N9K device offers the ciphers mentioned by default,
i.e. chacha20-poly1305 or any encryption algorithm suffixed -cbc in combination with any MAC algorithm suffixed -etm.
The CBC cipher and the -etm MAC only matter together: CBC with a plain hmac-* MAC, or an -etm MAC with CTR/GCM ciphers, is not a CVE-2023-48795 condition.
You can check the CiscoSSH version and look at the Ciphers and MACs lines of the sshd configuration from the bash shell:
(config)# feature bash-shell
(config)# run bash sudo su
bash-4.3# ssh -V <--- prints the CiscoSSH/OpenSSH version
bash-4.3# cat /isan/etc/dcos_sshd_config
If you find, for example, chacha20-poly1305@openssh.com in the Ciphers line, you can remove it
manually by editing the sshd config file from the Linux bash shell of the Nexus.
To enter the bash shell of the Nexus and manually delete the ciphers,
here are the detailed steps:
First, save a backup of the current cipher configuration by taking
the dcos_sshd_config file from the Nexus and sending a copy to bootflash.
1.Enable the bash-shell feature and get into bash mode:
switch(config)# feature bash-shell
switch(config)# run bash
bash-4.3$
2.Send a copy of the dcos_sshd_config file to bootflash (this is a Linux shell, so the command is cp, not the NX-OS copy):
bash-4.3$ cd /isan/etc/
bash-4.3$ cp dcos_sshd_config /bootflash/dcos_sshd_config
bash-4.3$ exit
3.Confirm the copy is on bootflash:
switch(config)# dir bootflash: | i ssh
7372 Mar 24 02:24:13 2023 dcos_sshd_config
4.Export to a server:
switch# copy bootflash: ftp:
Enter source filename: dcos_sshd_config
Enter vrf (If no input, current vrf 'default' is considered): management
Enter hostname for the ftp server: 10.207.204.10
Enter username: <username>
Password:
***** Transfer of file Completed Successfully *****
Copy complete, now saving to disk (please wait)...
Copy complete.
Note that FTP sends the credentials and the file in cleartext; the same copy command also accepts scp: and sftp: targets, which are preferable on a production management network.
Now delete chacha20-poly1305@openssh.com from the Ciphers line, and break the -cbc / -etm@openssh.com combination (removing the -cbc ciphers is the simpler choice, since CBC mode is the weaker side; never leave the Ciphers line empty, or sshd will not start after the restart). Do the edit in a plain text editor on the workstation, save the result under a new name such as dcos_sshd_config_modified, and upload it back to bootflash with the reverse of the export (copy ftp: bootflash:, or scp:/sftp:).
5.Confirm the modified file is on bootflash:
switch# dir bootflash: | i ssh
7372 Mar 24 02:24:13 2023 dcos_sshd_config_modified
6.From the bash shell, overwrite the running dcos_sshd_config with the modified copy (the file belongs to root, so the copy needs sudo):
switch(config)# run bash
bash-4.3$ sudo cp /bootflash/dcos_sshd_config_modified /isan/etc/dcos_sshd_config
7.Confirm the changes were successful and terminate the bash session:
bash-4.3$ cat /isan/etc/dcos_sshd_config
bash-4.3$ exit
8.Restart SSH so that sshd re-reads the file:
switch(config)# no feature ssh
switch(config)# feature ssh
Disabling the SSH feature drops every existing SSH session, including the one you are typing in, so run these two commands from the console port and confirm that SSH is re-enabled before leaving the console.
After restarting SSH, run
"run bash sudo grep -i cipher /isan/etc/dcos_sshd_config"
to confirm that the file in use is the edited one. From a client, "ssh -vv <switch>" lists the algorithms the switch now offers under "peer server KEXINIT proposal", which is the definitive check that chacha20-poly1305 is gone.
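The two checks described above (is chacha20-poly1305@openssh.com offered, and is a -cbc cipher offered together with an -etm MAC) and the edit itself can be done on the exported file on any POSIX workstation before it is uploaded back. The following script is an added example and is not part of the IBM page or of any Cisco tool; the sample configuration inside it is constructed for the demonstration and the function names are the author's own. It goes a little beyond the page's chacha20 case: it evaluates both CVE-2023-48795 conditions, strips the -cbc ciphers as well, and refuses to produce a file whose Ciphers line would be empty.

```shell
#!/bin/sh
# Added example: check an exported dcos_sshd_config for the two CVE-2023-48795
# conditions and produce the modified copy to upload back. Not part of the
# original page; the sample configuration below is constructed, not taken
# from a device.
SAMPLE_CONFIG='Port 22
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-cbc,aes256-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256'

# Read an sshd_config on stdin. Exit 0 (exposed) and print the reason if the
# server would offer chacha20-poly1305@openssh.com, or would offer a CBC cipher
# together with an -etm@openssh.com MAC; exit 1 otherwise. CBC alone, or -etm
# alone, is not a condition of this CVE.
terrapin_exposed() {
    awk '
        tolower($1) == "ciphers" { ciphers = ciphers "," $2 }
        tolower($1) == "macs"    { macs    = macs    "," $2 }
        END {
            if (ciphers ~ /chacha20-poly1305@openssh\.com/) {
                print "exposed: chacha20-poly1305@openssh.com is offered"; exit 0
            }
            if (ciphers ~ /-cbc/ && macs ~ /-etm@openssh\.com/) {
                print "exposed: CBC cipher offered together with an -etm MAC"; exit 0
            }
            print "not exposed: no CVE-2023-48795 condition present"; exit 1
        }'
}

# Rewrite an sshd_config read on stdin: drop chacha20-poly1305@openssh.com and
# every -cbc cipher from the Ciphers line and pass every other line through
# unchanged. Exits 1 if the Ciphers list would become empty, because an empty
# list leaves sshd unable to start after the restart and locks you out.
harden_config() {
    awk '
        tolower($1) == "ciphers" {
            n = split($2, list, ",")
            kept = ""
            for (i = 1; i <= n; i++) {
                c = list[i]
                if (c == "chacha20-poly1305@openssh.com") continue
                if (c ~ /-cbc$/ || c ~ /-cbc@/) continue
                kept = kept (kept == "" ? "" : ",") c
            }
            if (kept == "") {
                print "refusing: Ciphers list would be empty" > "/dev/stderr"
                exit 1
            }
            print $1 " " kept
            next
        }
        { print }'
}

# Stand-alone run: report, harden, re-check. A non-zero status from
# terrapin_exposed means "not exposed", so it must not abort the script.
printf '%s\n' "$SAMPLE_CONFIG" | terrapin_exposed || true
printf '%s\n' "$SAMPLE_CONFIG" | harden_config
printf '%s\n' "$SAMPLE_CONFIG" | harden_config | terrapin_exposed || true
```

On the real export, source the file and run `terrapin_exposed < dcos_sshd_config` to get the verdict, then `harden_config < dcos_sshd_config > dcos_sshd_config_modified` to produce the file to upload; run `terrapin_exposed` once more on the result before uploading it. Dropping the -cbc ciphers rather than the -etm MACs keeps encrypt-then-MAC, which is the stronger MAC construction, and removes a cipher mode that is weak regardless of this CVE.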
Additional Information
Note: It is recommended to do this procedure in a controlled maintenance window.
=================================================================
Please note that this change will not persist after a reload (and therefore not after a software upgrade either): after each reload, copy the modified file back from bootflash over /isan/etc/dcos_sshd_config and restart SSH again, as in the steps above. Keep dcos_sshd_config_modified on bootflash for that purpose, and re-run the cipher check after every reload.
=================================================================
Document Location
Worldwide
Document Information
Modified date:
03 October 2024
UID
ibm17147935