Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Nexus 1000V - OpenSSH Version in 1.5?

Can you please confirm which version of OpenSSH is embedded in the 4.2(1)SV1(5.1) version?

We are currently running into a security vulnerability on 4.2(1)SV1(4) due to the old version of Openssh. (Older than OpenSSH 4.7).

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Nexus 1000V - OpenSSH Version in 1.5?

It is 4.5.. Here is a verbose ssh to a N1000v running 4.2(1)SV1(5.1)

Macintosh:~ prkrishn$ ssh 172.18.121.5 -v

OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011

debug1: Reading configuration data /etc/ssh_config

debug1: Applying options for *

debug1: Connecting to 172.18.121.5 [172.18.121.5] port 22.

debug1: Connection established.

debug1: identity file /Users/prkrishn/.ssh/id_rsa type 1

debug1: identity file /Users/prkrishn/.ssh/id_rsa-cert type -1

debug1: identity file /Users/prkrishn/.ssh/id_dsa type 2

debug1: identity file /Users/prkrishn/.ssh/id_dsa-cert type -1

debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5 <<<-----

debug1: match: OpenSSH_4.5 pat OpenSSH_4*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_5.6

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-ctr hmac-md5 none

debug1: kex: client->server aes128-ctr hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Host '172.18.121.5' is known and matches the RSA host key.

debug1: Found key in /Users/prkrishn/.ssh/known_hosts:20

debug1: ssh_rsa_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

User Access Verification

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /Users/prkrishn/.ssh/id_rsa

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug1: Offering DSA public key: /Users/prkrishn/.ssh/id_dsa

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug1: Next authentication method: keyboard-interactive

Password:

debug1: Authentication succeeded (keyboard-interactive).

Authenticated to 172.18.121.5 ([172.18.121.5]:22).

debug1: channel 0: new [client-session]

debug1: Entering interactive session.

debug1: Sending environment.

debug1: Sending env LANG = en_US.UTF-8

Bad terminal type: "xterm-256color". Will assume vt100.

Cisco Nexus Operating System (NX-OS) Software

TAC support: http://www.cisco.com/tac

Copyright (c) 2002-2012, Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained in this software are

owned by other third parties and used and distributed under

license. Certain components of this software are licensed under

the GNU General Public License (GPL) version 2.0 or the GNU

Lesser General Public License (LGPL) Version 2.1. A copy of each

such license is available at

http://www.opensource.org/licenses/gpl-2.0.php and

http://www.opensource.org/licenses/lgpl-2.1.php

Nexus1000v# sh ver | inc image

  kickstart image file is: bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.5.1.bin

  system image file is:    bootflash:/nexus-1000v-mz.4.2.1.SV1.5.1.bin

Nexus1000v#

Nexus1000v#

7 REPLIES
Cisco Employee

Nexus 1000V - OpenSSH Version in 1.5?

It is 4.5.. Here is a verbose ssh to a N1000v running 4.2(1)SV1(5.1)

Macintosh:~ prkrishn$ ssh 172.18.121.5 -v

OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011

debug1: Reading configuration data /etc/ssh_config

debug1: Applying options for *

debug1: Connecting to 172.18.121.5 [172.18.121.5] port 22.

debug1: Connection established.

debug1: identity file /Users/prkrishn/.ssh/id_rsa type 1

debug1: identity file /Users/prkrishn/.ssh/id_rsa-cert type -1

debug1: identity file /Users/prkrishn/.ssh/id_dsa type 2

debug1: identity file /Users/prkrishn/.ssh/id_dsa-cert type -1

debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5 <<<-----

debug1: match: OpenSSH_4.5 pat OpenSSH_4*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_5.6

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-ctr hmac-md5 none

debug1: kex: client->server aes128-ctr hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Host '172.18.121.5' is known and matches the RSA host key.

debug1: Found key in /Users/prkrishn/.ssh/known_hosts:20

debug1: ssh_rsa_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

User Access Verification

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /Users/prkrishn/.ssh/id_rsa

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug1: Offering DSA public key: /Users/prkrishn/.ssh/id_dsa

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug1: Next authentication method: keyboard-interactive

Password:

debug1: Authentication succeeded (keyboard-interactive).

Authenticated to 172.18.121.5 ([172.18.121.5]:22).

debug1: channel 0: new [client-session]

debug1: Entering interactive session.

debug1: Sending environment.

debug1: Sending env LANG = en_US.UTF-8

Bad terminal type: "xterm-256color". Will assume vt100.

Cisco Nexus Operating System (NX-OS) Software

TAC support: http://www.cisco.com/tac

Copyright (c) 2002-2012, Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained in this software are

owned by other third parties and used and distributed under

license. Certain components of this software are licensed under

the GNU General Public License (GPL) version 2.0 or the GNU

Lesser General Public License (LGPL) Version 2.1. A copy of each

such license is available at

http://www.opensource.org/licenses/gpl-2.0.php and

http://www.opensource.org/licenses/lgpl-2.1.php

Nexus1000v# sh ver | inc image

  kickstart image file is: bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.5.1.bin

  system image file is:    bootflash:/nexus-1000v-mz.4.2.1.SV1.5.1.bin

Nexus1000v#

Nexus1000v#

New Member

Nexus 1000V - OpenSSH Version in 1.5?

Thanks.  Exactly what I was looking for. Any idea which N1KV version will have a newer OpenSSH version?

Cisco Employee

Nexus 1000V - OpenSSH Version in 1.5?

What newer version of SSH are you interested in seeing and what is the security vulnerability id?

Thanks,

Matthew

New Member

Nexus 1000V - OpenSSH Version in 1.5?

Here is the info from Nessus that our security folks use to scan for vulnerabilities (see below).

Nessus recognizes anything lower than 4.7 as vulnerable.  I am guessing that the N1KV isn't vulnerable to this specific attack since it is a X session vulnerability and the N1KV shouldn't be forwarding X sessions.

I think the biggest issue is not knowing what 3rd party software is inside a specific release prior to loading it and testing it.  We had the same issue with the UCS and couldn't figure out which version of Apache was being used......

https://supportforums.cisco.com/message/3302544#3302544

In addition to the informaiton from Nessus below, here is the link for the list of Security Vulnerabilities from OpenSSH

http://www.openssh.com/security.html

Security Hole   22/tcp   Nessus ID: 44078

--------------------------------------------------------------------------------

Synopsis :

Remote attackers may be able to bypass authentication.

Description :

According to the banner, OpenSSH earlier than 4.7 is running on the remote host. Such versions contain an authentication bypass vulnerability. In the event that OpenSSH cannot create an untrusted cookie for X, for example due to the temporary partition being full, it will use a trusted cookie instead. This allows attackers to violate intended policy and gain privileges by causing their X client to be treated as trusted.

See also :

http://www.openssh.com/txt/release-4.7

Solution :

Upgrade to OpenSSH 4.7 or later.

Risk factor :

High / CVSS Base Score : 7.5

(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score : 6.2

(CVSS2#E:F/RL:OF/RC:C)

Public Exploit Available : true

Plugin output :

Version source   : SSH-2.0-OpenSSH_4.5

Installed version : 4.5

Fixed version     : 4.7

CVE : CVE-2007-4752, CVE-2007-2243

BID : 25628

Other references : OSVDB:34600, OSVDB:43371, CWE:20

Cisco Employee

Nexus 1000V - OpenSSH Version in 1.5?

We will update the OpenSSH version via CSCty80419.

Thanks,

Matthew

New Member

Nexus 1000V - OpenSSH Version in 1.5?

I can't pull that up via the bug tracker.  It must be Cisco only.  Is it possible to get the details of that bug including when it is targeted to be fixed (which release)?

Cisco Employee

Nexus 1000V - OpenSSH Version in 1.5?

Hello Kris,

It will take at least 24 hours before the ddts is visible on cisco.com.  We do not yet have a targeted fix date or release.

Matthew

2575
Views
0
Helpful
7
Replies
CreatePlease login to create content