OpenSSH vulnerabilities in CSS

Answered Question
Jun 9th, 2010

Hi, my customer has had a penetration test done and they have found that the version of OpenSSH that is used on the CSS is quite out of date and there are multiple vulnerabilities in it.

Here's one such report - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4654

I know the CSS is soon to be discontinued.

Does anyone know if Cisco are planning on patching this or do they recognise it as a vulnerability?

I don't know the best way to find this info. I shouldn't really use TAC, as it's not troubleshooting. Might try our account manager if no one on here knows anything about it.

Many thanks in advance

Cheers, Dom

Correct Answer
Sean Merrow Wed, 06/09/2010 - 09:54

Hi Dom,

While the CSS's successor, the ACE 4700 Series, has been out for a while, there are still no announcements about the CSS's End-of-Life.

Regarding the OpenSSH vulnerability you referred to, CVE-2007-4654: it was investigated through two bugs. The first is CSCsq48452, which is now in the Closed state as it was discovered through testing that it was working as designed and the connections would clear after some time. The second is CSCsv69257, which was also closed out as working as designed. Cisco's PSIRT team also investigated this vulnerability as well with development. It should also be noted that SSH can be restricted on the CSS with the restrict ssh command.

Not sure if this is the answer you were looking for, but I hope it helps clear up where things stand. Also, if you have a contract that allows you to open a service request with Cisco TAC, then you should know that this type of query is certainly something that TAC can help with, in addition to your account team and the Cisco Support Community.

Best regards,

Sean

d-fillmore Thu, 06/10/2010 - 00:34

Hi Sean - Many thanks for your reply.

Yes, sorry, I'm wrong about the CSS - it's the CSM that has started its end-of-life phase recently.

I'll go back to my customer with this info.

Thanks again

Dom
