...
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2023-48795 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795

Workaround for ISE <=3.1
---------------------------------
For example, the cipher below is vulnerable:

1. chacha20-poly1305@openssh.com

To disable the cipher chacha20-poly1305@openssh.com, follow the steps below.

    ise31/admin# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    ise31/admin(config)# no service sshd encryption-algorithm chacha20-poly1305@openssh.com
    ise31/admin# end
    ise31/admin# copy running-config startup-config

Workaround for ISE > 3.1
--------------------------------
For example, the cipher below is vulnerable:

1. chacha20-poly1305@openssh.com

To disable the cipher chacha20-poly1305-openssh.com, follow the steps below.

    ise32/admin# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    ise32/admin(config)# no service sshd encryption-algorithm
    ise32/admin(config)# service sshd encryption-algorithm aes128-cbc aes128-ctr aes128-gcm-openssh.com aes256-cbc aes256-ctr aes256-gcm-openssh.com
    ise32/admin# end

Check for workaround, all versions
-----------------------------------------
To check that the correct cipher is removed and the other ciphers remain, run the following:

    ise/admin# show running-config | include sshd

If no encryption-algorithm options are configured, then all ciphers will be allowed and this workaround will not be valid.
If chacha20-poly1305@openssh.com is still configured as one of the encryption-algorithm options, then this vulnerability will still be present.
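
The check described above can be automated against saved output of `show running-config | include sshd`. The following is an added example, not Cisco's code; it assumes the running configuration prints the setting in the same form as the `service sshd encryption-algorithm ...` command shown above, and it accepts both spellings of the cipher name that appear in this text.

```python
import re

# Both spellings of the cipher appear in the workaround text, so match either.
CHACHA = re.compile(r"^chacha20-poly1305[@-]openssh\.com$")
# Assumption: the running-config line mirrors the configuration command.
ENC_LINE = re.compile(r"^\s*service\s+sshd\s+encryption-algorithm\s+(\S.*)$")


def configured_ciphers(show_output):
    """Collect every cipher named on 'service sshd encryption-algorithm' lines."""
    ciphers = []
    for line in show_output.splitlines():
        m = ENC_LINE.match(line)
        if m:
            ciphers.extend(m.group(1).split())
    return ciphers


def check_workaround(show_output):
    """Classify the output as 'not-applied', 'vulnerable' or 'ok'."""
    ciphers = configured_ciphers(show_output)
    if not ciphers:
        # No encryption-algorithm options: all ciphers are allowed,
        # so the workaround is not in effect.
        return "not-applied"
    if any(CHACHA.match(c) for c in ciphers):
        # The affected cipher is still offered.
        return "vulnerable"
    return "ok"


# Constructed sample outputs (not captured from a real node).
SAMPLES = {
    "default": "service sshd enable\n",
    "still-listed": ("service sshd enable\n"
                     "service sshd encryption-algorithm aes128-ctr "
                     "chacha20-poly1305-openssh.com\n"),
    "fixed": ("service sshd enable\n"
              "service sshd encryption-algorithm aes128-cbc aes128-ctr "
              "aes128-gcm-openssh.com aes256-cbc aes256-ctr "
              "aes256-gcm-openssh.com\n"),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {check_workaround(text)}")
```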
Additional details about the vulnerabilities listed above can be found at https://www.cve.org/.
The Cisco PSIRT has assigned this bug the following CVSS version 3.1 score. The Base CVSS score as of the time of evaluation is: 5.9

https://sec.cloudapps.cisco.com/security/center/cvssCalculator.x?version=3.1&vector=CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE ID CVE-2023-48795 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html