05-23-2024 06:37 AM
Security has scanned us and found OpenSSH vulnerabilities. I need to select the best version of NX-OS to upgrade several
Nexus 7700. Security did not offer up a CVE; Nessus says, "openSSH running on the remote host is prior to 7.8. It is therefore affected by ....... hosbased.c ....." etc., naming vulnerable modules within OpenSSH.
I am planning a Nexus 7700 OS upgrade and want to choose the best version taking into account the OpenSSL / OpenSSH version used by the NX-OS. Based on researching OpenSSL vulnerabilities, I am pretty sure that OpenSSH 7.8 will have its own vulnerabilities.
I want to find the version of OpenSSL used by various versions of NX-OS.
Thanks in advance.
05-23-2024 12:10 PM
They need to give you the relevant CVEs to cite in your research. Cisco doesn't always publish the exact versions used in every release of NX-OS; but you can use the Bug Search Tool to find if there is a fixed version for a given OpenSSH vulnerability.
Note that not all identified vulnerabilities have a released version that fixes them - some are open bugs. You can see in the following document that NX-OS 8.4.2 uses OpenSSH version 6.2.
However, Cisco may configure compensating controls that mitigate the CVE.
This is why a simple Nessus scan is really not the best measure of actual system vulnerability - it often results in false positives.
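To illustrate the point made above about version-based scanner findings, here is an added example (not code from the thread, Cisco, or Tenable) that reproduces the kind of check a scanner performs: it parses the SSH identification string (RFC 4253, `SSH-protoversion-softwareversion [comments]`), extracts the OpenSSH release, and compares it to the "prior to 7.8" threshold quoted in the question. The banners and hostnames are constructed sample data, and `FIXED_IN` is taken from the finding text in the thread. Because the check sees only the advertised version, it cannot know about backported fixes or compensating controls, which is exactly why such findings need the CVE list and a Bug Search Tool lookup before they are treated as confirmed.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample SSH banners; not captured from any real device.
SAMPLE_BANNERS: Dict[str, str] = {
    "switch-a": "SSH-2.0-OpenSSH_6.2",
    "switch-b": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "switch-c": "SSH-2.0-OpenSSH_8.0",
    "switch-d": "SSH-2.0-dropbear_2019.78",
}

# Threshold from the Nessus finding quoted in the thread: OpenSSH prior to 7.8.
FIXED_IN: Tuple[int, int] = (7, 8)

# RFC 4253 identification string: SSH-<protoversion>-<softwareversion>[ <comments>]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# OpenSSH software version, e.g. OpenSSH_7.4p1 (the "pN" portable suffix is ignored here).
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<patch>\d+))?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) for an OpenSSH banner, or None if it is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    v = OPENSSH_RE.match(m.group("software"))
    if not v:
        return None
    # Tuple comparison keeps 7.10 > 7.8, which a naive string compare would get wrong.
    return (int(v.group("major")), int(v.group("minor")))


def banner_flagged(banner: str, fixed_in: Tuple[int, int] = FIXED_IN) -> Optional[bool]:
    """True if the advertised OpenSSH version is older than fixed_in, False if not,
    None if the banner is not OpenSSH at all (the check does not apply)."""
    ver = parse_openssh_version(banner)
    if ver is None:
        return None
    return ver < fixed_in


def triage(banners: Dict[str, str], fixed_in: Tuple[int, int] = FIXED_IN) -> Dict[str, str]:
    """Classify each host the way a banner-only scanner would.

    'flagged' means only that the advertised version predates the fix; it says
    nothing about backports or compensating controls on that host.
    """
    result: Dict[str, str] = {}
    for host, banner in banners.items():
        flag = banner_flagged(banner, fixed_in)
        if flag is None:
            result[host] = "not-openssh"
        elif flag:
            result[host] = "flagged"
        else:
            result[host] = "not-flagged"
    return result


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {SAMPLE_BANNERS[host]!r} -> {verdict}")
```

Run it against banners collected from your own inventory (for example from the first line a device sends on TCP/22) to see which hosts a version-based plugin would flag, then reconcile those hosts against the vendor's fixed-version information rather than taking the banner as the final word.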
05-23-2024 12:57 PM
I hope I'm not replying twice; it looks like I was too slow and timed out when I had the reply window open. I will be asking for a CVE; they usually send one when they scan and find something, but this time there was none. The PDF document does show what I'm looking to find out; however, it is for NX-OS version 8.4.2, and our security team's scan says I need to be at OpenSSH 7.8 or higher, which may be in the NX-OS version I'm looking to go to. I've done a lot of searching and I can't find a version of that PDF for those versions of the OS. Do you have any pointers on that? Thank you for your help.
05-24-2024 06:15 AM
You could open a TAC case and inquire formally.
Or, since 8.4(8) is the latest suggested release, you could just upgrade to that and rescan to see what shows up.
05-24-2024 06:22 AM
Thank you. This was my last question before opening a TAC case; I wanted to exhaust all my possibilities before opening the case. I'll not upgrade until I can go to a version that addresses this. Our switches are functioning fine and our exposure is next to nothing. We need a reward for taking the time and risk of upgrading. Thank you, Marvin.
05-24-2024 06:31 AM
I agree regarding risk vs. reward.
I hate these scans that find vulnerabilities that are often applicable to "remote authenticated attackers" when the only people with authentication privileges on the devices are administrators to begin with. It's lazy security auditing in my opinion.
You can just put in a compensating control to block the scanning host from your vty lines. : )