
How to upgrade OpenSSL on Cisco 2960

JeffK63
Level 1

Hello everyone,

I recently had a vulnerability scan on my network and our old Cisco 2960 has an OpenSSL vulnerability. What are the commands I can run to upgrade or fix this issue? Here is the solution they gave me below, and thank you in advance for your help.

Solution

This vulnerability is reported to affect versions of OpenSSL including: OpenSSL 1.0.1 through 1.0.1g; OpenSSL 1.0.0 through 1.0.0l; all versions before OpenSSL 0.9.8y.

Non-affected versions include: OpenSSL 1.0.1h; OpenSSL 1.0.0m; OpenSSL 0.9.8za.

OpenSSL has released updated versions of the library that address this vulnerability. Please upgrade to the latest version.


Leo Laohoo
Hall of Fame

What is the exact model of the switch?

What is the current IOS version?

balaji.bandi
Hall of Fame

Post show version to get the full device model.

Or upgrade to 15.X IOS.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Sorry to get back to you late.  Not the strongest with Cisco equipment but here is the information I got from running sh version.  


Model revision number : A0
Motherboard revision number : A0
Model number : WS-C2960XR-24TS-I
Daughterboard assembly number : 73-14200-03
Top Assembly Part Number : 68-5016-02
Top Assembly Revision Number : A0
Version ID : V02
CLEI Code Number : CMMK110ARB
Daughterboard revision number : A0
Hardware Board Revision Number : 0x06


Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 28 WS-C2960XR-24TS-I 15.0(2)EX4 C2960X-UNIVERSALK9-M

Can you post:

show ip ssh

show ssh

 

BB


You bet and thank you for helping me.

Here is the IP ssh:

SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAYQCkDmXQbdDng79FHdsVfX0yGIxrGA9+kySAcs9U4Uuk
3E3A4Xx05nxm0vG/HBzMcMzMqL47+zVucldVjOxo+ZxuD7xa2M5j5epSiCa9fgECkR5GrReBum6ZiMNu

Here is the "show ssh":

%No SSHv2 server connections running.
%No SSHv1 server connections running.

You can configure ip ssh version 2

and upgrade to the latest 15.2.7E7

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_7_e/release_notes/rn-1527e-2960x-xr.html

BB

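One way to check the two fixes suggested in this thread (SSH version 2 only, and an IOS release at or above 15.2.7E7) against saved `show ip ssh` and `show version` output. This is an added example, not code from any poster or from Cisco. The 2048-bit Diffie-Hellman floor and the function names are assumptions, and the sample text is constructed from the output posted above.

```python
import re

# Constructed sample based on the output posted in this thread (key material omitted).
SHOW_IP_SSH = """\
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
"""
SHOW_VERSION_ROW = "* 1 28 WS-C2960XR-24TS-I 15.0(2)EX4 C2960X-UNIVERSALK9-M"

# Numeric part of 15.2(7)E7, the release recommended in the thread (written there as 15.2.7E7).
TARGET_RELEASE = (15, 2, 7)
# Assumption: local policy floor for the DH group size, not a value from the thread.
MIN_DH_BITS = 2048


def parse_ios_release(text):
    """Return (major, minor, maintenance) from an IOS version such as 15.0(2)EX4.

    The train suffix (EX4, E7) is ignored, so this only orders releases by number.
    """
    m = re.search(r"\b(\d+)\.(\d+)\((\d+)\)", text)
    if not m:
        raise ValueError("no IOS release found")
    return tuple(int(g) for g in m.groups())


def audit(show_ip_ssh, version_text):
    """Return a list of finding labels; an empty list means all checks passed."""
    findings = []
    m = re.search(r"SSH Enabled - version (\d+\.\d+)", show_ip_ssh)
    if m is None:
        findings.append("ssh-not-enabled-or-unparsed")
    elif m.group(1) != "2.0":
        # IOS prints 1.99 when the server accepts both SSHv1 and SSHv2 clients.
        findings.append("sshv1-accepted")
    m = re.search(r"Diffie Hellman key size\s*:\s*(\d+) bits", show_ip_ssh)
    if m and int(m.group(1)) < MIN_DH_BITS:
        findings.append("dh-below-policy")
    if parse_ios_release(version_text) < TARGET_RELEASE:
        findings.append("ios-below-target")
    return findings
```

Run it on output captured before and after the change; the list should be empty once the switch reports version 2.0 and the newer release.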

Running the update now and will let you know the results. Thanks for the great advice, and I will re-run the scan and let you know the results. Appreciate all the help!

JeffK63
Level 1
Level 1

Thank you for all your help!  Vulnerability scan came back clean and secure now.  Appreciate the amazing fast help!

That sounds good. Thank you for sharing your solution that works with our community.

BB
