OpenSSH vulnerabilities in CSS

d-fillmore
Level 2

Hi, my customer has had a penetration test done and they have found that the version of OpenSSH that is used on the CSS is quite out of date and there are multiple vulnerabilities in it.


Here's one such report - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4654


I know the CSS is soon to be discontinued.


Does anyone know if Cisco are planning on patching this or do they recognise it as a vulnerability?


I don't know the best way to find this info, I shouldn't really use TAC, as it's not troubleshooting. Might try our account manager if no-one on here knows anything about it.


Many Thanks in advance


Cheers, Dom

1 Accepted Solution


Sean Merrow
Level 4

Hi Dom,

While the CSS's successor, the ACE 4700 Series, has been out for a while, there are still no announcements about the CSS's End-of-Life.

Regarding the OpenSSH vulnerability you referred to: CVE-2007-4654, it was investigated through two bugs. The first is CSCsq48452 which is now in the Closed state as it was discovered through testing that it was working as designed and the connections would clear after some time. The second is CSCsv69257 which was also closed out as working as designed. Cisco's PSIRT team also investigated this vulnerability as well with development. It should also be noted that SSH can be restricted on the CSS with the restrict ssh command.

Not sure if this is the answer you were looking for, but I hope it helps clear up where things stand. Also, if you have a contract that allows you to open a service request with Cisco TAC, then you should know that this type of query is certainly something that TAC can help with, in addition to your account team and the Cisco Support Community.

Best regards,

Sean

Hi Sean - Many Thanks for your reply

Yes, sorry I'm wrong about the CSS - it's the CSM that has started its end-of-life phase recently.

I'll go back to my customer with this info

Thanks again

Dom
