
New Member

acs 1113 appliance version 4.2 ssh version 1

McAfee scan of ACS 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Any way to specify only version 2 or turn off SSH?

9 REPLIES

Re: acs 1113 appliance version 4.2 ssh version 1

The ACS is a closed system and SSH does not allow access to the Operating System; its only use is for RDBMS synchronization.

We cannot manage the ACS via SSH like console. This port has been opened only to support "Programmatic interface for RDBMSync".

Any SSH client can communicate with the appliance using administrator credentials and execute only the commands below.

Command             Description
----------------------------------------------------
?                   List commands
exit                Log off
help                List commands
csdbsync -syncnow   RDBMS synchronization

It is not possible to take control of the appliance by exploiting SSH vulnerability.

Regards,

~JG

Do rate helpful posts

New Member

Re: acs 1113 appliance version 4.2 ssh version 1

Thanks for the reply.

Assuming we do not want to do RDBMS synchronization, can SSH be disabled, or can the version be changed to version 2?

Regards,

VC

Re: acs 1113 appliance version 4.2 ssh version 1

Hi VC,

Currently there is no way to change the version to 2 or to disable SSH on the appliance.

Regards,

~JG

Do rate helpful posts

New Member

Re: acs 1113 appliance version 4.2 ssh version 1

JG,

If this SSH version 1 vulnerability were exploited and an unauthorized user gained access to the SSH interface, could they do harm by loading a bogus configuration into the ACS server and/or exporting the existing configuration, which would leave the network infrastructure extremely vulnerable at that point?

Re: acs 1113 appliance version 4.2 ssh version 1

Hi,

No, it is not possible to change the config using the SSH vulnerability.

With SSH you will get ONLY the following options:

Command             Description
----------------------------------------------------
?                   List commands
exit                Log off
help                List commands
csdbsync -syncnow   RDBMS synchronization

So there is no way to make any config change or gain access to the config using SSH. I would suggest you SSH to the appliance and explore these options.

Regards,

~JG

Do rate helpful posts

Re: acs 1113 appliance version 4.2 ssh version 1

As explained, this doesn't really concern the ACS, as there is nothing you can do over SSH besides RDBMS config anyway.

If you need CLI, you need a console on the ACS, as simple as that.

New Member

Re: acs 1113 appliance version 4.2 ssh version 1

Ok. Thanks for the responses.

New Member

Re: acs 1113 appliance version 4.2 ssh version 1

One of our audits lists this (SSH) as a vulnerability. I wanted to either force SSH v2 or turn it off altogether, like my friend above. Your explanation on the controls or lack of controls in SSH is very helpful.
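
The audit finding discussed in this thread comes from the server's SSH identification string: a server that still offers protocol 1 announces itself as SSH-1.5 (protocol 1 only) or SSH-1.99 (both protocol 1 and 2), while SSH-2.0 means protocol 2 only (RFC 4253, section 5.1). The Python script below is added here as an example and is not part of this thread or of Cisco's ACS software; it classifies such banners so an administrator can confirm what the scanner reported and record the finding against a compensating control (for instance, restricting TCP/22 on the appliance to the hosts that actually run RDBMS sync). The sample banners are constructed, and fetch_banner is a hypothetical helper that only reads the banner from a live host without attempting any login.

```python
"""Classify SSH identification strings to spot servers still offering SSH protocol 1.

Added example, not Cisco's code. Banner format per RFC 4253 section 5.1:
    SSH-protoversion-softwareversion [SP comments]
"""
import re
import socket

BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def classify_banner(banner: str) -> dict:
    """Return which SSH protocol versions the identification string implies.

    protoversion 1.x  (1.3, 1.5): protocol 1 only
    protoversion 1.99: protocol 1 and 2 both offered (compatibility convention)
    protoversion 2.0 : protocol 2 only
    """
    line = banner.strip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    proto = m.group("proto")
    if proto == "2.0":
        v1, v2 = False, True
    elif proto == "1.99":
        v1, v2 = True, True
    elif proto.startswith("1."):
        v1, v2 = True, False
    else:
        raise ValueError(f"unknown protoversion {proto!r}")
    return {
        "protoversion": proto,
        "software": m.group("software"),
        "comments": m.group("comments"),
        "sshv1_offered": v1,
        "sshv2_offered": v2,
        "finding": "SSH protocol 1 offered" if v1 else None,
    }


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Hypothetical helper: read the identification line from a live server.

    Only the banner is read; the connection is closed before key exchange,
    so no authentication or command execution takes place.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as reader:
            for raw in reader:
                # RFC 4253 allows other lines before the version string.
                if raw.startswith(b"SSH-"):
                    return raw.decode("ascii", errors="replace")
    raise ValueError(f"no SSH identification string received from {host}:{port}")


# Constructed sample banners (not captured from an ACS appliance).
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_3.9p1",   # offers protocol 1 and 2: would be flagged
    "SSH-2.0-OpenSSH_4.7",      # protocol 2 only: clean
    "SSH-1.5-Example_1.0",      # protocol 1 only: would be flagged
]


def audit(banners):
    """Map each banner to whether SSH protocol 1 is offered."""
    return [(b, classify_banner(b)["sshv1_offered"]) for b in banners]


if __name__ == "__main__":
    for banner, v1 in audit(SAMPLE_BANNERS):
        print(f"{banner:30} SSHv1 offered: {v1}")
```

Running the script against the constructed banners reports the first and third as offering protocol 1. In practice the banner only tells you what the server is willing to negotiate; as the replies above explain, the appliance's SSH service exposes a fixed command set, so the finding is about the protocol, not about remote configuration access.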

Silver

Re: acs 1113 appliance version 4.2 ssh version 1

Hello Zac,

CSCsk44379    ACS to Support OpenSSH 4.7 for Remote invocation of CSdbSync

Unfortunately the bug has been Closed and no further investigation/development will be enforced in order to address the ACS SSHv1 issue. The explanation is as follows:

"The main reason for asking for an upgrade of the SSH library is the "X11 session hijacking" attack that was identified in OpenSSH 4.6.

ACS SE is not vulnerable to this attack because ACS SE is a closed box and invoking X Windows from it is not possible."

There is no way to disable SSH on the ACS SE at the moment.

If this was helpful please rate.

Regards.
