03-09-2012 10:05 AM
Can you please confirm which version of OpenSSH is embedded in the 4.2(1)SV1(5.1) version?
We are currently running into a security vulnerability on 4.2(1)SV1(4) due to the old version of Openssh. (Older than OpenSSH 4.7).
03-18-2012 02:39 AM
It is 4.5. Here is a verbose ssh to a N1000v running 4.2(1)SV1(5.1)
Macintosh:~ prkrishn$ ssh 172.18.121.5 -v
OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug1: Connecting to 172.18.121.5 [172.18.121.5] port 22.
debug1: Connection established.
debug1: identity file /Users/prkrishn/.ssh/id_rsa type 1
debug1: identity file /Users/prkrishn/.ssh/id_rsa-cert type -1
debug1: identity file /Users/prkrishn/.ssh/id_dsa type 2
debug1: identity file /Users/prkrishn/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5 <<<-----
debug1: match: OpenSSH_4.5 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '172.18.121.5' is known and matches the RSA host key.
debug1: Found key in /Users/prkrishn/.ssh/known_hosts:20
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
User Access Verification
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/prkrishn/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering DSA public key: /Users/prkrishn/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 172.18.121.5 ([172.18.121.5]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Bad terminal type: "xterm-256color". Will assume vt100.
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2012, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
Nexus1000v# sh ver | inc image
kickstart image file is: bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.5.1.bin
system image file is: bootflash:/nexus-1000v-mz.4.2.1.SV1.5.1.bin
Nexus1000v#
Nexus1000v#
03-19-2012 08:14 AM
Thanks. Exactly what I was looking for. Any idea which N1KV version will have a newer OpenSSH version?
03-19-2012 09:42 AM
What newer version of SSH are you interested in seeing and what is the security vulnerability id?
Thanks,
Matthew
03-20-2012 11:10 AM
Here is the info from Nessus that our security folks use to scan for vulnerabilities (see below).
Nessus recognizes anything lower than 4.7 as vulnerable. I am guessing that the N1KV isn't vulnerable to this specific attack since it is an X session vulnerability and the N1KV shouldn't be forwarding X sessions.
I think the biggest issue is not knowing what 3rd party software is inside a specific release prior to loading it and testing it. We had the same issue with the UCS and couldn't figure out which version of Apache was being used......
https://supportforums.cisco.com/message/3302544#3302544
In addition to the information from Nessus below, here is the link for the list of Security Vulnerabilities from OpenSSH
http://www.openssh.com/security.html
Security Hole 22/tcp Nessus ID: 44078
--------------------------------------------------------------------------------
Synopsis :
Remote attackers may be able to bypass authentication.
Description :
According to the banner, OpenSSH earlier than 4.7 is running on the remote host. Such versions contain an authentication bypass vulnerability. In the event that OpenSSH cannot create an untrusted cookie for X, for example due to the temporary partition being full, it will use a trusted cookie instead. This allows attackers to violate intended policy and gain privileges by causing their X client to be treated as trusted.
See also :
http://www.openssh.com/txt/release-4.7
Solution :
Upgrade to OpenSSH 4.7 or later.
Risk factor :
High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.2
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true
Plugin output :
Version source : SSH-2.0-OpenSSH_4.5
Installed version : 4.5
Fixed version : 4.7
CVE : CVE-2007-4752, CVE-2007-2243
BID : 25628
Other references : OSVDB:34600, OSVDB:43371, CWE:20
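Added example, not part of the original thread or of Nessus: a banner-only version check of the kind the plugin output above describes ("According to the banner"), run over the SSH identification string and the `ssh -v` line shown earlier. The function names are hypothetical; the 4.7 threshold is the "Fixed version" from the quoted output. It reports only what the banner claims, not whether X11 forwarding is enabled on the device.

```python
import re

# Fixed version taken from the Nessus output quoted above (plugin 44078).
FIXED = (4, 7)

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# Line printed by `ssh -v`, as in the session log earlier in the thread.
DEBUG_RE = re.compile(r"remote software version (?P<software>\S+)")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(p\d+)?")


def software_from_line(line):
    """Return the software-version token from a raw banner or an `ssh -v` line."""
    line = line.strip()
    m = BANNER_RE.match(line) or DEBUG_RE.search(line)
    return m.group("software") if m else None


def openssh_version(software):
    """Parse 'OpenSSH_4.5' or 'OpenSSH_5.6p1' into a tuple such as (4, 5)."""
    m = OPENSSH_RE.match(software or "")
    if not m:
        return None
    return tuple(int(p) for p in m.groups()[:3] if p is not None)


def classify(line, fixed=FIXED):
    """Banner-only verdict: 'flagged', 'ok', or 'unknown' (not OpenSSH / unparsable)."""
    version = openssh_version(software_from_line(line))
    if version is None:
        return "unknown"
    return "flagged" if version < fixed else "ok"


# Sample inputs: the first two strings appear in the thread; the rest are constructed.
SAMPLES = [
    "SSH-2.0-OpenSSH_4.5",
    "debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5",
    "SSH-2.0-OpenSSH_4.7",
    "SSH-2.0-OpenSSH_5.6p1 constructed-comment",
    "SSH-2.0-ExampleSSHD_1.0",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):8} {s}")
```

A "flagged" result here is an inventory signal to follow up with the vendor, since a vendor build can carry backported fixes without changing the banner.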
03-21-2012 08:07 AM
We will update the OpenSSH version via CSCty80419.
Thanks,
Matthew
03-21-2012 08:28 AM
I can't pull that up via the bug tracker. It must be Cisco only. Is it possible to get the details of that bug including when it is targeted to be fixed (which release)?
03-21-2012 05:39 PM
Hello Kris,
It will take at least 24 hours before the ddts is visible on cisco.com. We do not yet have a targeted fix date or release.
Matthew