Openssh version in NX-OS

langoustator
Level 1

Hello,

Is there any document that describes which version of OpenSSH is used in NX-OS releases?

I have some security scans that report OpenSSH vulnerabilities, and I'd like to know if upgrading NX-OS will help me solve these issues.

Thanks,

Regards,

lang


Bilal Nawaz
VIP Alumni

Hello lang,

Not that I know of, however if you ssh to the NXs from a Linux box using verbose mode that might give you more information. I would raise this with TAC as they may be able to give you more information and better advice.

Do you have access-class configured under the vty lines to restrict ssh access?

Also was this an authenticated scan?

Hope this helps

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Bilal,

Thanks for your answer.

It was a scan running from the inside, with an authorized IP.

Yes, I know about the current version, but I'm interested in the most recent ones, and unfortunately I don't have access to a device running these versions. I guess I'll go the TAC way then.

Rgds

Shrikant Sakwan
Level 1

Does anybody know how to check the OpenSSH version in Nexus switches?

cchughes
Level 1

I have the same question. Cyber Insurance performed a scan and says the Nexus OpenSSH version should be upgraded or patched to address DDoS vulnerabilities.

mhabiballa
Level 1

10 years later! I landed here looking for an answer because of the CVE-2024-6387 OpenSSH vulnerability. As Bilal Nawaz said, I issued ssh -v from a Linux box to the Nexus switch, and I was able to identify the OpenSSH version running on it.

ExplicitDeny
Level 1

If you're fortunate enough to have something like SecureCRT you can enable 'Trace Options' that will give you that "verbose" output when establishing a session. There will be an output similar to: [LOCAL] : RECV : Remote Identifier = 'SSH-1.0 OpenSSH_1.1 PKIX[1.1.1 FIPS]'.
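
As an added example (not part of any post in this thread, and not Cisco's code): the version that `ssh -v` or a client trace shows comes from the identification line the server sends before authentication, and a version-matching scanner judges the device on that string alone. The function names, the sample lines and the `(9, 8)` threshold are assumptions; only the 9.1p1 version and the scanners' 9.8 requirement come from the posts here.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Constructed samples; only the 9.1p1 version number comes from the thread.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_9.1p1\r\n"
SAMPLE_SSH_V = "debug1: Remote protocol version 2.0, remote software version OpenSSH_9.1p1"

def parse_ident(line):
    """Split an identification line into proto, software and comments."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.groupdict()

def openssh_version(text):
    """Return (major, minor, portable) from a banner or an `ssh -v` line, else None."""
    m = OPENSSH_RE.search(text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def read_ident(host, port=22, timeout=5.0):
    """Read the server's identification line; no authentication is attempted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for _ in range(20):  # a server may send other lines before "SSH-"
            raw = reader.readline(256)
            if not raw:
                break
            if raw.startswith(b"SSH-"):
                return raw.decode("ascii", "replace").rstrip("\r\n")
    raise ValueError("no SSH identification string received")

def banner_check(line, minimum):
    """What a version-matching scanner concludes from the banner alone."""
    found = openssh_version(parse_ident(line)["software"])
    if found is None:
        return "unknown"
    return "ok" if found[:2] >= tuple(minimum) else "flagged"

if __name__ == "__main__":
    # (9, 8) is the threshold the scanners in the thread ask for.
    print(banner_check(SAMPLE_BANNER, (9, 8)), openssh_version(SAMPLE_SSH_V))
```

A "flagged" result only means the advertised string is below the threshold. A check like this cannot see fixes a vendor backports without changing the banner, so the result still has to be confirmed against the vendor's advisory or with TAC.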

Jeff Horton
Level 1

Ours are currently running the following: CiscoSSH 1.13.48, OpenSSH_9.1p1, CiscoSSL 1.1.1y.7.3.377-fips.

Our security scanners say it needs to be OpenSSH_9.8.1.

In the latest documentation for the 10.5.1 NX-OS version, it says it fixed the OpenSSH 9.5.1p1 from CSCwj01180. But when I look this up, there is nothing. The version 10.5.1 still has OpenSSH 9.1p1.

Will this ever be fixed?

Same exact issue. You are not alone.

schadracpierre
Level 1

Please update the Nexus switch to the current good version. I've attached a file for you to look over.

Still comes up on the vulnerability scans as high on OpenSSH even after upgrading to 10.3(6)M. 

Security scans say it needs to be OpenSSH_9.8.1, but NXOS 10.3(6)M still matches on OpenSSH_9.1.

What are Cisco's plans to resolve?

10.3.6 should fix it, but make sure that you download one with the asterisk as labeled in the screenshot.

Schadrac

Thanks for the response - we are using the version below (current Cisco recommended). The scans have been re-run and are still identifying this issue as a "high" vulnerability. I will try to get the security team to re-scan from scratch, as I'm thinking they have some held data from previous scans (as you've confirmed it should be resolved).

nxosV.PNG

I would like to know the results of this please. I am waiting to downgrade to this version if it fixes the vulnerability issue.

I'll update here once I have more information, Jeff.
