
Open SSL in Cisco Nexus 9K Devices

We use Nexus 9K (C9396PX) in our data center.

These switches have been detected with the vulnerabilities Cisco Nexus OpenSSL Multiple Vulnerabilities (cisco-sa-20160504-openssl) and Cisco OpenSSL Multiple Vulnerabilities (cisco-sa-20160302-openssl).

We are not using HTTP or LDAP features in our network but they are still showing vulnerable in our scanning tool.

I wanted to understand where exactly OpenSSL comes into the picture in Cisco devices.

Is there any way to know which features in the switch use OpenSSL?

If we do not need the features and disable them, we can at least make the device less vulnerable.


4 Replies

Austin Sabio
Level 4

OpenSSL is an open-source security library 'encryption tool' that implements SSL and TLS protocols, and most of Cisco products' software is developed by OpenSSL. Cisco provides the fix for such vulnerabilities in fixed releases; keep in mind there's no workaround in these cases. Check the details in the Cisco bug section. Lastly, upgrading Nexus code is a major change that most organizations don't do that often for every vulnerability. Good luck!

"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/). This product includes software written by Tim Hudson (tjh@cryptsoft.com)."

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/release/notes/70322b_patch_nxos_rn.html

Hi There,

Thanks for the reply. I referred to the same documentation. But which features use SSL and TLS protocols in Nexus?

From my previous knowledge I know that if we enable secure web login (HTTPS) on devices, these protocols are used. But I am not sure if any other features use them.

As you said, even we are reluctant to do a firmware upgrade just to close the vulnerability.

This is Cisco's proprietary information. Nexus software is developed by OpenSSL. Keep in mind, OpenSSL is an encryption method used internally for essential services, and components can't be separated (e.g. certificates and authentication). I hope this answers your question.

Please rate if helpful to benefit others. Thanks!

The security scanner is reporting an older version of OpenSSL in use on ACI version 5.2(8h). Is there a software release that addresses this issue?

Path : /lib/libcrypto.so.1.0.0
Installed version : 1.0.2k
Security End of Life : January 1, 2020
Time since Security End of Life (Est.) : >= 4 years
