Openssh version in NX-OS

langoustator
Level 1

Hello,

Is there any document that describes which version of OpenSSH is used in NX-OS releases?

I have some security scans that report OpenSSH vulnerabilities, and I'd like to know if upgrading NX-OS will help me solve these issues.

Thanks,

Regards,

lang

19 Replies

Hi Jeff,

Happy to confirm our SecOps team today have confirmed the OpenSSH vulnerability has now been updated within our scanning system and it's now marked as fixed. So the version I posted earlier, 10.3(6)M, does appear to resolve the issue.

I spoke to Alejandro from Cisco TAC also on this and he provided the following on how to check/validate what version of SSH you are running:

To validate if a switch is running a fixed version of CiscoSSH you can do the following:

1. Enable "feature bash-shell"
2. Do "run bash"
3. From bash do "/isan/sbin/dcos_sshd -V"
4. If running CiscoSSH 1.13 or higher the device has the patch.

Example:

nxos64-cs.10.3.6.F.bin

F241.04.23-N9K-1(config)# feature bash-shell
F241.04.23-N9K-1(config)#
F241.04.23-N9K-1(config)# run bash
bash-4.4$ /isan/sbin/dcos_sshd -V
unknown option -- V
CiscoSSH 1.13.48, OpenSSH_9.1p1, CiscoSSL 1.1.1y.7.2.569                  >>>>>>>>>>>>>>>>>>>>>>>CiscoSSH 1.13.48
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-o option] [-p port] [-u len]
bash-4.4$

Hope this helps!
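
Added example, not from the thread or from Cisco: a small Python checker that parses the banner line from the `dcos_sshd -V` output shown above and applies the TAC rule that CiscoSSH 1.13 or higher carries the patch. The sample transcripts are constructed from the two banners posted in this thread, plus a hypothetical pre-1.13 banner and a failed run to show the negative and unknown cases; the `check_dcos_sshd` and `parse_banner` names are my own.

```python
import re

# Cisco TAC's threshold quoted in the thread: CiscoSSH 1.13 or higher has the patch.
MIN_FIXED_CISCOSSH = (1, 13)

# The banner sits in the 'dcos_sshd -V' output between an 'unknown option' complaint
# and the sshd usage text, so every line is searched rather than just the first.
BANNER_RE = re.compile(
    r"CiscoSSH\s+(?P<ciscossh>[0-9.]+),\s*"
    r"OpenSSH_(?P<openssh>\S+?),\s*"
    r"CiscoSSL\s+(?P<ciscossl>\S+)"
)

def version_tuple(text):
    """'1.13.48' -> (1, 13, 48); non-numeric parts are dropped."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def parse_banner(output):
    """Return the CiscoSSH/OpenSSH/CiscoSSL fields as a dict, or None if absent."""
    for line in output.splitlines():
        m = BANNER_RE.search(line)
        if m:
            return m.groupdict()
    return None

def check_dcos_sshd(output):
    """Classify one switch's 'dcos_sshd -V' output as fixed, vulnerable or unknown."""
    banner = parse_banner(output)
    if banner is None:
        return {"verdict": "unknown", "reason": "no CiscoSSH banner found"}
    fixed = version_tuple(banner["ciscossh"]) >= MIN_FIXED_CISCOSSH
    return {"verdict": "fixed" if fixed else "vulnerable", **banner}

# Constructed sample transcripts: the first two copy the banners posted in this
# thread, the third is a hypothetical pre-1.13 build, the fourth a failed run.
SAMPLES = {
    "nxos 10.3(6)M": "unknown option -- V\n"
                     "CiscoSSH 1.13.48, OpenSSH_9.1p1, CiscoSSL 1.1.1y.7.2.569\n"
                     "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n",
    "nxos 10.5.1": "CiscoSSH 1.13.48, OpenSSH_9.1p1, CiscoSSL 1.1.1y.7.3.377-fips\n",
    "hypothetical older build": "CiscoSSH 1.12.3, OpenSSH_8.3p1, CiscoSSL 1.1.1k.0.0.1\n",
    "binary not found": "bash: /isan/sbin/dcos_sshd: No such file or directory\n",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name:26} {check_dcos_sshd(out)}")
```

Paste each switch's pasted `dcos_sshd -V` output into `check_dcos_sshd` to get a per-device verdict you can set against the scanner's finding.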

Jeff Horton
Level 1

Thank you for letting me know. I will get the 10.3(6)M loaded on my switches too.

No problem at all. If you run the commands from Cisco TAC before/after upgrade to validate, you're looking for output that tells you the CiscoSSH version and OpenSSH version. Cisco were saying anything over CiscoSSH version 1.13.x has resolved this vulnerability, and if your security software still returns an issue it's a "false positive".

Our systems (after 10.3(6)M) were showing CiscoSSH 1.13.48

Jeff Horton
Level 1

Mine running 10.5.1 is showing: CiscoSSH 1.13.48, OpenSSH_9.1p1, CiscoSSL 1.1.1y.7.3.377-fips

 

Then you are good on that version from what Cisco explained to me.
