Need to upgrade dropbear to 2012.55

Michael Ricci
Level 1

I have a C210 M2 that has a security vulnerability with dropbear, so I have to upgrade to version 2012.55. I've never upgraded this, nor even HEARD of this before, and I can't find any well written documentation either.

Can anyone provide step-by-step instructions on how to upgrade? I think I downloaded the correct file, it is called dropbear_2012.55.orig.tar.gz


7 Replies

Daniel Laden
Level 4

One is not able to update subelements of the CIMC.  I would need to upgrade the entire CIMC.  If upgrading, it is recommended to use the Host Upgrade Utility to upgrade all elements to the same release family associated to the CIMC version (on same HUU utility).

Release Notes for Cisco UCS C-Series Software, Release 1.4(6)

http://www.cisco.com/en/US/docs/unified_computing/ucs/release/notes/OL-27678-01.html

Cisco Host Upgrade Utility Release 1.4(6) Quick Start Guide

http://www.cisco.com/en/US/docs/unified_computing/ucs/c/sw/lomug/1.4.x/install/b_huu_1_4_6x.html

What pointed you to want to upgrade the dropbear version?  Was it  CVE-2012-0920? 

Thank You,

Dan Laden

Need assistance with an implementation?

http://www.cisco.com/go/pdihelpdesk

Thanks for your response Dan.

Yes, I am upgrading in response to CVE-2012-0920. I upgraded to firmware version 1.4(3p) on the CIMC last week. This was the latest firmware I was authorized to upgrade up to, but I was still hit on an IA scan yesterday as having an older version of dropbear.

What other steps do I need to take?

Thanks

I am getting clarity on this.  Initial feedback is that CIMC was reviewed for this exploit and deemed not vulnerable as we do not have public key authentication enabled.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0920

Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54, when command restriction and public key authentication are enabled, allows remote authenticated users to execute arbitrary code and bypass command restrictions via multiple crafted command requests, related to "channels concurrency."

CSCtz41855    CVE-2012-0920 Dropbear Vulnerability CIMC

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtz41855

Unfortunately, the bug details have not been made public.

Thank You,

Dan Laden

Need assistance with an implementation?

http://www.cisco.com/go/pdihelpdesk

How do we verify that public key authentication is enabled or disabled?

Another bug on the topic.  This bug explicitly states C-Series, CVE-2012-0920, and that it's not impacting.

CVE-2012-0920 Dropbear Vulnerability - CIMC - C-Series

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtz41952

I don't know how, as an end user, one can confirm public key authentication is enabled or disabled.

Thank You,

Dan Laden

Need assistance with an implementation?

http://www.cisco.com/go/pdihelpdesk
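An added example, not from the thread or from Cisco: a small Python triage helper that classifies a scanner's Dropbear finding using the two facts the thread gives, the affected version range from the CVE text (0.52 through 2012.54, fixed in 2012.55) and whether the server offers publickey authentication. The banner and authentication-method strings are constructed inputs; in practice they come from the server's SSH identification line and from the method list it returns when a client attempts `none` authentication.

```python
import re
from typing import Optional, Tuple

# Range taken from the CVE-2012-0920 description quoted in the thread:
# Dropbear 0.52 through 2012.54 is affected; 2012.55 carries the fix.
FIRST_AFFECTED = (0, 52)
FIXED_IN = (2012, 55)

# Dropbear identifies itself as e.g. "SSH-2.0-dropbear_2012.54".
BANNER_RE = re.compile(r"^SSH-2\.0-dropbear_(\d+)\.(\d+)")


def parse_dropbear_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from the identification string, or None if the
    server is not Dropbear (e.g. an OpenSSH banner)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def version_in_affected_range(version: Tuple[int, int]) -> bool:
    """Dropbear numbering went 0.xx -> 2011.xx -> 2012.xx, so plain tuple
    comparison orders releases correctly (0.52 < 2011.54 < 2012.55)."""
    return FIRST_AFFECTED <= version < FIXED_IN


def assess_cve_2012_0920(banner: str, auth_methods: str) -> str:
    """auth_methods is the comma-separated list of methods the server offers,
    as seen in an SSH client's 'Permission denied (publickey,password)' line.
    Only the publickey precondition is observable from the network; the
    CVE's second precondition (command restriction) is server-side config."""
    version = parse_dropbear_version(banner)
    if version is None:
        return "not-dropbear"
    if not version_in_affected_range(version):
        return "fixed-version"
    methods = {m.strip() for m in auth_methods.split(",") if m.strip()}
    if "publickey" not in methods:
        # Version is in range but the precondition is not met: this is the
        # reasoning Cisco gives in the thread for CIMC.
        return "version-in-range-but-pubkey-disabled"
    return "potentially-affected"


if __name__ == "__main__":
    # Constructed sample findings, not real scan output.
    for banner, methods in [("SSH-2.0-dropbear_2012.54", "password"),
                            ("SSH-2.0-dropbear_2011.54", "publickey,password"),
                            ("SSH-2.0-dropbear_2012.55", "publickey")]:
        print(banner, "->", assess_cve_2012_0920(banner, methods))
```

A version-only scanner cannot see the precondition, which is why a finding can persist after the vendor has assessed the device as not affected; the method list settles the publickey half of that question.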

I was also advised the CIMC version 1.5x will have the updated dropbear as well.  Timeline unknown, you should be able to get that from your Channel SE.

Thank You,

Dan Laden

Need assistance with an implementation?

http://www.cisco.com/go/pdihelpdesk

I have the CISCO WIRELESS-AC VPN ROUTER-RV134W, and a PCI ASV scan informed me to upgrade to Dropbear SSH 2016.74 or later. I am unable to find the steps of how to upgrade the Dropbear after locating the latest version.
