Nexus 1000V - OpenSSH Version in 1.5?

KRIS PATE
Level 4

Can you please confirm which version of OpenSSH is embedded in the 4.2(1)SV1(5.1) version?

We are currently running into a security vulnerability on 4.2(1)SV1(4) due to the old version of OpenSSH (older than OpenSSH 4.7).

Accepted Solution

Prashanth Krishnappa
Cisco Employee

It is 4.5. Here is a verbose ssh to an N1000v running 4.2(1)SV1(5.1):

Macintosh:~ prkrishn$ ssh 172.18.121.5 -v

OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011

debug1: Reading configuration data /etc/ssh_config

debug1: Applying options for *

debug1: Connecting to 172.18.121.5 [172.18.121.5] port 22.

debug1: Connection established.

debug1: identity file /Users/prkrishn/.ssh/id_rsa type 1

debug1: identity file /Users/prkrishn/.ssh/id_rsa-cert type -1

debug1: identity file /Users/prkrishn/.ssh/id_dsa type 2

debug1: identity file /Users/prkrishn/.ssh/id_dsa-cert type -1

debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5 <<<-----

debug1: match: OpenSSH_4.5 pat OpenSSH_4*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_5.6

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-ctr hmac-md5 none

debug1: kex: client->server aes128-ctr hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Host '172.18.121.5' is known and matches the RSA host key.

debug1: Found key in /Users/prkrishn/.ssh/known_hosts:20

debug1: ssh_rsa_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

User Access Verification

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /Users/prkrishn/.ssh/id_rsa

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug1: Offering DSA public key: /Users/prkrishn/.ssh/id_dsa

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug1: Next authentication method: keyboard-interactive

Password:

debug1: Authentication succeeded (keyboard-interactive).

Authenticated to 172.18.121.5 ([172.18.121.5]:22).

debug1: channel 0: new [client-session]

debug1: Entering interactive session.

debug1: Sending environment.

debug1: Sending env LANG = en_US.UTF-8

Bad terminal type: "xterm-256color". Will assume vt100.

Cisco Nexus Operating System (NX-OS) Software

TAC support: http://www.cisco.com/tac

Copyright (c) 2002-2012, Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained in this software are

owned by other third parties and used and distributed under

license. Certain components of this software are licensed under

the GNU General Public License (GPL) version 2.0 or the GNU

Lesser General Public License (LGPL) Version 2.1. A copy of each

such license is available at

http://www.opensource.org/licenses/gpl-2.0.php and

http://www.opensource.org/licenses/lgpl-2.1.php

Nexus1000v# sh ver | inc image

  kickstart image file is: bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.5.1.bin

  system image file is:    bootflash:/nexus-1000v-mz.4.2.1.SV1.5.1.bin

Nexus1000v#

Nexus1000v#

7 Replies

KRIS PATE
Level 4

Thanks. Exactly what I was looking for. Any idea which N1KV version will have a newer OpenSSH version?

What newer version of SSH are you interested in seeing and what is the security vulnerability id?

Thanks,

Matthew

Here is the info from Nessus that our security folks use to scan for vulnerabilities (see below).

Nessus recognizes anything lower than 4.7 as vulnerable. I am guessing that the N1KV isn't vulnerable to this specific attack since it is an X session vulnerability and the N1KV shouldn't be forwarding X sessions.

I think the biggest issue is not knowing what 3rd party software is inside a specific release prior to loading it and testing it. We had the same issue with the UCS and couldn't figure out which version of Apache was being used...

https://supportforums.cisco.com/message/3302544#3302544

In addition to the information from Nessus below, here is the link for the list of security vulnerabilities from OpenSSH:

http://www.openssh.com/security.html

Security Hole   22/tcp   Nessus ID: 44078

--------------------------------------------------------------------------------

Synopsis :

Remote attackers may be able to bypass authentication.

Description :

According to the banner, OpenSSH earlier than 4.7 is running on the remote host. Such versions contain an authentication bypass vulnerability. In the event that OpenSSH cannot create an untrusted cookie for X, for example due to the temporary partition being full, it will use a trusted cookie instead. This allows attackers to violate intended policy and gain privileges by causing their X client to be treated as trusted.

See also :

http://www.openssh.com/txt/release-4.7

Solution :

Upgrade to OpenSSH 4.7 or later.

Risk factor :

High / CVSS Base Score : 7.5

(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score : 6.2

(CVSS2#E:F/RL:OF/RC:C)

Public Exploit Available : true

Plugin output :

Version source   : SSH-2.0-OpenSSH_4.5

Installed version : 4.5

Fixed version     : 4.7

CVE : CVE-2007-4752, CVE-2007-2243

BID : 25628

Other references : OSVDB:34600, OSVDB:43371, CWE:20
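The banner-based check this thread revolves around, as an added example that is not part of any post here and is not Nessus's own plugin code: it extracts the OpenSSH version from an SSH identification string or from the `ssh -v` debug line shown earlier, and compares it with the "Fixed version" in the plugin output. The function names and the `ExampleSSHD` banner are made up for illustration; the other sample lines are taken from this page.

```python
import re

# RFC 4253 section 4.2 identification string: SSH-protoversion-softwareversion SP comments
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# OpenSSH software versions look like OpenSSH_4.5 or OpenSSH_5.6p1
OPENSSH_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?")
# `ssh -v` reports the peer's software version on this debug line
DEBUG_RE = re.compile(r"remote software version (\S+)")

FIXED = (4, 7, 0)  # "Fixed version : 4.7" in the plugin output above


def openssh_version(text):
    """Return (major, minor, patch) from a server banner or an `ssh -v` line, else None."""
    text = text.strip()
    m = BANNER_RE.match(text)
    software = m.group("software") if m else None
    if software is None:
        d = DEBUG_RE.search(text)
        software = d.group(1) if d else None
    if software is None:
        return None
    v = OPENSSH_RE.match(software)
    if v is None:
        return None  # not OpenSSH, or a banner the vendor has rewritten
    return tuple(int(part) if part else 0 for part in v.groups())


def assess(text, fixed=FIXED):
    """Classify a line the way a version-only check does: flagged, ok, or unknown."""
    ver = openssh_version(text)
    if ver is None:
        return "unknown"
    return "flagged" if ver < fixed else "ok"


def report(lines):
    return [(line, openssh_version(line), assess(line)) for line in lines]


if __name__ == "__main__":
    samples = [
        "SSH-2.0-OpenSSH_4.5",  # version source from the plugin output
        "debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5 <<<-----",
        "SSH-2.0-OpenSSH_5.6",  # the client's own version string in the debug log
        "SSH-2.0-ExampleSSHD_1.0",  # constructed non-OpenSSH banner
    ]
    for line, ver, verdict in report(samples):
        print(f"{verdict:8} {ver} {line}")
```

A result of "flagged" only says the advertised version is below 4.7; it does not show whether X11 forwarding is reachable on the device, which is the question raised in the post above.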

We will update the OpenSSH version via CSCty80419.

Thanks,

Matthew

I can't pull that up via the bug tracker. It must be Cisco only. Is it possible to get the details of that bug including when it is targeted to be fixed (which release)?

Hello Kris,

It will take at least 24 hours before the ddts is visible on cisco.com. We do not yet have a targeted fix date or release.

Matthew
