How to find the version of OpenSSL used by various versions of NX-OS

Richard-Strong
Level 1

Security has scanned us and found OpenSSH vulnerabilities. I need to select the best version of NX-OS to upgrade several Nexus 7700s.

Security did not offer up a CVE; Nessus says, "OpenSSH running on the remote host is prior to 7.8. It is therefore affected by ....... hostbased.c ....." etc., naming vulnerable modules within OpenSSH.

I am planning the Nexus 7700 OS upgrade and want to choose the best version taking into account the OpenSSL / OpenSSH version used by the NX-OS. Based on researching OpenSSL vulnerabilities, I am pretty sure that OpenSSH 7.8 will have its own vulnerabilities.

I want to find the version of OpenSSL used by various versions of NX-OS.

Thanks in advance.


5 Replies

Marvin Rhoads
Hall of Fame

They need to give you the relevant CVEs to cite in your research. Cisco doesn't always publish the exact versions used in every release of NX-OS, but you can use the Bug Search Tool to find whether there is a fixed version for a given OpenSSH vulnerability.

For example:
https://bst.cloudapps.cisco.com/bugsearch?pf=prdNm&prdNam=Cisco%20Nexus%207700%2010-Slot%20Switch&kw=openssh&bt=custV&sb=anfr

Note that not all identified vulnerabilities have a released version that fixes them - some are open bugs. You can see in the following document that NX-OS 8.4.2 uses OpenSSH version 6.2.

https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/nexus7000/sw/open_source_doc/Cisco_NX-OS_Software_Release_8_4_3_Open_Source_Documentation.pdf

However, Cisco may configure compensating controls that mitigate the CVE.

This is why a simple Nessus scan is really not the best measure of actual system vulnerability - it often results in false positives.
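A banner-based check like the Nessus finding in the question reads the SSH server identification string and compares the advertised OpenSSH version against a threshold; it never exercises the bug, which is exactly why backported fixes (Cisco's or a Linux distribution's) show up as false positives. The following is an added example, not code from the thread, from Cisco or from Tenable, that performs the same parse and comparison. The sample banners are constructed, the `grab_banner` helper is an assumption about how you would fetch one from a live device, and the `6.2` banner simply mirrors the OpenSSH version quoted above from the 8.4(x) open-source document.

```python
"""Parse an SSH server identification line (RFC 4253 section 4.2) and
decide whether the advertised OpenSSH version is below a threshold.

Added example; not from the forum thread, Cisco or Tenable.  The banners
in SAMPLE_BANNERS are constructed, not captured from real devices.
"""
import re
import socket
from typing import Optional, Tuple

# Constructed sample banners.  "nexus-7700" mirrors the OpenSSH 6.2 version
# the thread quotes from Cisco's open-source document, nothing more.
SAMPLE_BANNERS = {
    "nexus-7700": "SSH-2.0-OpenSSH_6.2\r\n",
    "linux-host": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
    "patched":    "SSH-2.0-OpenSSH_8.4\r\n",
    "other":      "SSH-2.0-dropbear_2019.78\r\n",
}

# "SSH-" protoversion "-" softwareversion [SP comments]
_BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# OpenSSH_<major>.<minor>[p<portable patch level>]
_OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<patch>\d+))?")


def parse_banner(line: str) -> Optional[dict]:
    """Split an identification line into proto/software/comments; None if it is not one."""
    m = _BANNER_RE.match(line.strip())
    return m.groupdict() if m else None


def openssh_version(software: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, portable_patch) for 'OpenSSH_x.y[pN]', else None."""
    m = _OPENSSH_RE.match(software)
    if not m:
        return None
    return (int(m["major"]), int(m["minor"]), int(m["patch"] or 0))


def below(version: Tuple[int, int, int], threshold: str = "7.8") -> bool:
    """Numeric compare of major.minor against a threshold such as '7.8'.

    Tuples are used on purpose: a string compare would sort 'OpenSSH_10.0'
    before 'OpenSSH_7.8'.
    """
    major, minor = (int(x) for x in threshold.split("."))
    return version[:2] < (major, minor)


def assess(banner: str, threshold: str = "7.8") -> str:
    """Classify a banner the way a version-only check does.

    'flagged' means only 'advertised version older than threshold'; it says
    nothing about whether the relevant fixes were backported.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return "not-ssh"
    ver = openssh_version(parsed["software"])
    if ver is None:
        return "not-openssh"
    return "flagged" if below(ver, threshold) else "ok"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Fetch the identification line from a live host (assumed helper; network call).

    Servers may send other lines before the one starting with 'SSH-', so
    skip anything else.  Our own client line is sent first because some
    servers wait for it.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-bannercheck\r\n")
        for raw in s.makefile("rb"):
            line = raw.decode("ascii", errors="replace")
            if line.startswith("SSH-"):
                return line
    raise ValueError("no SSH identification line received")


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:11s} {banner.strip():40s} -> {assess(banner)}")
```

Against a real switch you would call `assess(grab_banner("10.0.0.1"))` with your own management address (the one here is a placeholder). The `linux-host` banner is the instructive case: a `7.4p1` with a vendor comment is flagged just like the `6.2`, even though the distribution may have backported the fix, which is the false-positive problem described above. For NX-OS the same reasoning applies: the open-source document gives you the base OpenSSH version the banner will advertise, and the Bug Search Tool is where you find out whether a particular CVE was actually fixed on that base.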

I hope I'm not replying twice; it looks like I was too slow and timed out when I had the reply window open. I will be asking for a CVE; they usually send one when they scan and find something. This time there was none. The PDF document does show what I'm looking to find out, however it is for NX-OS version 8.4.2, and our security team's scan says I need to be at OpenSSH 7.8 or higher, which may be in the NX-OS I'm looking to go to. However, I've done a lot of searching and I can't find a version of that PDF for these versions of the OS. Do you have any pointers on that? Thank you for your help.


You could open a TAC case and inquire formally.

Or, since 8.4(8) is the latest suggested release, you could just upgrade to that and rescan to see what shows up.

Thank you. This was my last question before opening a TAC case. I wanted to exhaust all my possibilities before opening the case. I'll not upgrade until I can go to a version that addresses this. Our switches are functioning fine and our exposure is next to nothing. We need a reward for taking the time and risk of upgrading. Thank you Marvin.


I agree regarding risk vs. reward.

I hate these scans that find vulnerabilities that are often applicable to "remote authenticated attackers" when the only people with authentication privileges on the devices are administrators to begin with. It's lazy security auditing in my opinion.

You can just put in a compensating control to block the scanning host from your vty lines. : )
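The compensating control mentioned above is a real one when it restricts management access as a whole, which is what makes a "remote authenticated attacker" finding moot on a device only administrators can reach; carving out just the scanner host hides the finding rather than mitigating it. Added example, not from the thread or from Cisco documentation: an NX-OS-style VTY ACL that permits SSH only from an assumed admin subnet (10.10.10.0/24 and the ACL name are placeholders) and logs everything else, with the two show commands you would use to confirm it is applied and catching the scanner. Check the syntax against the configuration guide for your NX-OS release before pasting it in.

```text
! Added example; subnet and ACL name are placeholders, not from the thread.
ip access-list VTY-MGMT
  statistics per-entry
  10 permit tcp 10.10.10.0/24 any eq 22
  20 deny ip any any log
!
line vty
  access-class VTY-MGMT in
!
! Confirm it is applied, then rescan: the deny counter on entry 20 should
! climb while the scanner (outside 10.10.10.0/24) retries port 22.
show running-config aclmgr
show ip access-lists VTY-MGMT
```

The point of the explicit `deny ... log` and per-entry statistics is that the scan result changes from "version older than 7.8" to "port not reachable from the scanner's network", and you can show the auditor the counters that prove the restriction is in place rather than a blind spot.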
