Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1534
Views
0
Helpful
2
Replies

OpenSSH vulnerabilities in CSS

Go to solution
d-fillmore
Level 2
Level 2

‎06-09-2010 08:48 AM

Hi, My customer has had a penetration test done and they have found that the version of OpenSSH that is used on the CSS is quite out of date and there are multiple vulnerabilities in it


Here's one such report - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4654


I know the CSS is soon to be discontinued.


Does anyone know if Cisco are planning on pacthing this or do they recognise it as a vulnerability?


I don't know the best way to find this info, I shouldn't really use TAC, as it's not troubleshooting. Might try our account manager if no-one on here knows anything about it.


Many Thanks in advance


Cheers, Dom

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sean Merrow
Level 4
Level 4

‎06-09-2010 09:54 AM

Hi Dom,

While the CSS's successor, the ACE 4700 Series, has been out for a while, there are still no announcements about the CSS's End-of-Life.

Regarding the OpenSSH vulnerability you referred to:  CVE-2007-4654,  it was investigated through two bugs.  The first is CSCsq48452 which is now in the Closed state as it was discovered through testing that it was working as designed and the connections would clear after some time.  The second is  CSCsv69257 which was also closed out as working as designed.  Cisco's PSIRT team also investigated this vulnerability as well with developement.  It should also be noted that SSH can be restricted on the CSS with the restrict ssh command.

Not sure if this is the answer you were looking for, but I hope it helps clear up where things stand.  Also, if you have a contract that allows you to open a service request with Cisco TAC, then you should know that this type of query is certainly something that TAC can help with, in addition to your account team and the Cisco Support Community.

Best regards,

Sean

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Sean Merrow
Level 4
Level 4

‎06-09-2010 09:54 AM

Hi Dom,

While the CSS's successor, the ACE 4700 Series, has been out for a while, there are still no announcements about the CSS's End-of-Life.

Regarding the OpenSSH vulnerability you referred to:  CVE-2007-4654,  it was investigated through two bugs.  The first is CSCsq48452 which is now in the Closed state as it was discovered through testing that it was working as designed and the connections would clear after some time.  The second is  CSCsv69257 which was also closed out as working as designed.  Cisco's PSIRT team also investigated this vulnerability as well with developement.  It should also be noted that SSH can be restricted on the CSS with the restrict ssh command.

Not sure if this is the answer you were looking for, but I hope it helps clear up where things stand.  Also, if you have a contract that allows you to open a service request with Cisco TAC, then you should know that this type of query is certainly something that TAC can help with, in addition to your account team and the Cisco Support Community.

Best regards,

Sean

0 Helpful

Go to solution
d-fillmore
Level 2
Level 2
In response to Sean Merrow

‎06-10-2010 12:34 AM

Hi Sean - Many Thanks for your reply

Yes, Sorry I'm wrong about the CSS - It's the CSM that has started it's end of life phase recently.

I'll go back to my customer with this info

Thanks again

Dom

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents