04-08-2014 07:04 AM - edited 03-01-2019 07:33 AM
Hello,
Is there any document that describes which version of openssh is used in NX-OS releases?
I have some security scans that report openssh vulnerabilities, and I'd like to know if upgrading NX-OS will help me solve these issues.
Thanks,
Regards,
lang
12-02-2024 03:58 AM
Hi Jeff,
Happy to confirm our SecOps team today have confirmed the OpenSSH vulnerability has now been updated within our scanning system and it's now marked as fixed. So the version I posted earlier, 10.3(6)M, does appear to resolve the issue.
I spoke to Alejandro from Cisco TAC also on this and he provided the following on how to check/validate what version of SSH you are running:
To validate if a switch is running a fixed version of CiscoSSH you can do the following:
1. Enable "feature bash-shell"
2. Do "run bash"
3. From bash do "/isan/sbin/dcos_sshd -V"
4. If running CiscoSSH 1.13 or higher the device has the patch.
Example:
nxos64-cs.10.3.6.F.bin
F241.04.23-N9K-1(config)# feature bash-shell
F241.04.23-N9K-1(config)#
F241.04.23-N9K-1(config)# run bash
bash-4.4$ /isan/sbin/dcos_sshd -V
unknown option -- V
CiscoSSH 1.13.48, OpenSSH_9.1p1, CiscoSSL 1.1.1y.7.2.569 >>>>>>>>>>>>>>>>>>>>>>>CiscoSSH 1.13.48
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-o option] [-p port] [-u len]
bash-4.4$
Hope this helps!
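A script for the check described in the post above, added here as an example and not taken from the thread or from Cisco: it parses the banner that "/isan/sbin/dcos_sshd -V" prints (the "CiscoSSH x.y.z, OpenSSH_..., CiscoSSL ..." line shown in the post), extracts the CiscoSSH version and compares it against the 1.13 threshold the TAC engineer quoted. The fixed banner is copied from the post; the older banner and the 1.13 threshold constant are constructed assumptions, and the version comparison is a generic dotted-version compare so it also works for future releases with more or fewer components.

```shell
#!/bin/sh
# Added example (not from the thread or Cisco): decide from the dcos_sshd banner
# whether the CiscoSSH build meets the 1.13 threshold quoted by TAC.

# Threshold taken from the post ("CiscoSSH 1.13 or higher has the patch").
CISCOSSH_MIN='1.13'

# Constructed sample banners. The first is copied from the post's output;
# the second is a hypothetical older banner used to show the negative case.
SAMPLE_FIXED='CiscoSSH 1.13.48, OpenSSH_9.1p1, CiscoSSL 1.1.1y.7.2.569'
SAMPLE_OLD='CiscoSSH 1.12.9, OpenSSH_8.4p1, CiscoSSL 1.1.1t'

# Print the dotted CiscoSSH version found in a banner (possibly multi-line,
# e.g. including the "unknown option -- V" and usage lines); prints nothing
# if no "CiscoSSH x.y.z" token is present.
ciscossh_version() {
    printf '%s\n' "$1" | sed -n 's/.*CiscoSSH \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 if dotted version $1 >= $2, else exit 1. Missing trailing
# components are treated as 0, so 1.13 == 1.13.0 and 1.13.48 > 1.13.
version_ge() {
    vg_a="$1"; vg_b="$2"
    while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
        vg_ai=${vg_a%%.*}; vg_bi=${vg_b%%.*}
        [ -n "$vg_ai" ] || vg_ai=0
        [ -n "$vg_bi" ] || vg_bi=0
        [ "$vg_ai" -gt "$vg_bi" ] && return 0
        [ "$vg_ai" -lt "$vg_bi" ] && return 1
        case "$vg_a" in *.*) vg_a=${vg_a#*.} ;; *) vg_a='' ;; esac
        case "$vg_b" in *.*) vg_b=${vg_b#*.} ;; *) vg_b='' ;; esac
    done
    return 0
}

# Exit 0 if the banner shows CiscoSSH >= CISCOSSH_MIN, 1 if it is older,
# 2 if no CiscoSSH version could be found (do not treat "unknown" as fixed).
ciscossh_is_fixed() {
    cif_v=$(ciscossh_version "$1")
    [ -n "$cif_v" ] || return 2
    version_ge "$cif_v" "$CISCOSSH_MIN"
}

# Demo on the constructed banners. On the switch itself (after
# "feature bash-shell" and "run bash") feed the real output instead:
#   ciscossh_is_fixed "$(/isan/sbin/dcos_sshd -V 2>&1)"
for banner in "$SAMPLE_FIXED" "$SAMPLE_OLD"; do
    if ciscossh_is_fixed "$banner"; then
        echo "PATCHED   : $banner"
    else
        echo "NOT FIXED : $banner"
    fi
done
```

The banner is read from both stdout and stderr ("2>&1") because, as the post's output shows, sshd rejects "-V" as an unknown option and prints the version together with its usage text. Returning a distinct status for "no version found" keeps a garbled or empty banner from being reported as patched.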
12-02-2024 06:50 AM
Thank you for letting me know. I will get the 10.3(6)M loaded on my switches too.
12-02-2024 06:57 AM - edited 12-02-2024 07:02 AM
No problem at all. If you run the commands from Cisco TAC before/after upgrade to validate, you're looking for output that tells you the CiscoSSH version and OpenSSH version. Cisco were saying anything over CiscoSSH version 1.13.x has resolved this vulnerability, and if your security software still returns an issue it's a "false positive".
Our systems (after 10.3(6)M) were showing CiscoSSH 1.13.48
12-02-2024 07:09 AM
Mine, running 10.5.1, is showing: CiscoSSH 1.13.48, OpenSSH_9.1p1, CiscoSSL 1.1.1y.7.3.377-fips
12-02-2024 07:17 AM
Then you are good on that version from what Cisco explained to me.