04-26-2017 08:19 AM - edited 03-01-2019 01:09 PM
Hi,
A recent vulnerability scan has shown an SSH/Dropbear server vulnerability on UCS Managed C240M servers.
Cisco Bug ID CSCvb56137 details the issue.
The C240M servers are managed via UCSM. UCSM was recently upgraded to V3.1.2E along with all Blades and C-Series servers.
UCSM reports that the current CIMC firmware version is 2.0(13H).
Can anybody confirm whether it is possible to disable SSH access to CIMC via UCSM and still have KVM access?
Thanks,
Ian
04-26-2017 10:11 AM
Greetings.
There is no way to disable SSH on the CIMCs via UCSM for the rack servers' CIMCs. This might actually disable integration (if there were actually a way to do this).
Looks like you will want to consider moving to a fixed-in version, which is 3.01c or higher, once a C-Series bundle is released, as 2.013h is the highest version bundled with any UCSM C-Series bundle currently.
Thanks,
Kirk...
04-27-2017 01:06 AM
Hi Kirk,
Thanks for your input. Much appreciated.
You wouldn't happen to know when a C-Series bundle will be released with the fix included?
Ian
04-27-2017 07:47 AM
Hi Iwearing,
Based on the bug notes, it is fixed in version 2.0(13h), which was released on December 16th; this correlates to UCS version 3.1(2e).
This correlation can be found at the link below:
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/release/notes/CiscoUCSManager-RB-3-1.html
If you navigate to the section labeled
you can see that the versions for the C-Series bundle would be:
ucs-c220-m4-bios.C220M4.2.0.13g.0.1113162259.bin
ucs-c220-m4-brdprog.33.0.bin
ucs-c220-m4-k9-cimc.2.0.13h.bin
Also regarding the workaround per the bug note:
Workaround:
Disable SSH by going to Communication Service, by which port 22 would not be open and you would not see this vulnerability. But by disabling the SSH service, we cannot log in to CIMC via the CLI. Other interfaces like the web UI/XML would still be active and running.
* This is under the Admin tab in UCS Manager, sub-section Communication Service.
* Also, to disable IPMI, create an IPMI policy and apply it to the service profile: Servers > Policies > Create IPMI Access Profile.
Please mark correct answers so other members can easily find solutions on the forum.
Hope this helps,
Qiese Dides
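As an added example (not code from the thread or from Cisco), here is a small Python helper for triaging a CIMC firmware inventory against a fixed-in version. It parses Cisco's `major.minor(build letter)` notation as it appears on this page and lists the servers that still fall below the fix. Because the thread quotes two different fixed-in versions, the fixed-in version is a parameter; the hostnames and inventory below are constructed, and the shorthand spellings without parentheses (`2.013h`) are deliberately rejected as ambiguous.

```python
import re
from typing import Dict, List, NamedTuple

# CIMC/UCSM versions on this page look like "2.0(13h)" or "3.1(2e)":
# major.minor(build + optional letter suffix). Parentheses are required so
# that "2.013h" (minor 0, build 13? or minor 01, build 3?) cannot be misread.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)([A-Za-z])?\)\s*$")


class CimcVersion(NamedTuple):
    major: int
    minor: int
    build: int
    suffix: str  # "" when absent; stored lower-case so 13H == 13h

    @classmethod
    def parse(cls, text: str) -> "CimcVersion":
        m = _VERSION_RE.match(text)
        if not m:
            raise ValueError(f"unrecognised CIMC version string: {text!r}")
        major, minor, build, suffix = m.groups()
        return cls(int(major), int(minor), int(build), (suffix or "").lower())


def is_fixed(installed: str, fixed_in: str) -> bool:
    """True when the installed firmware is at or above the fixed-in version.

    NamedTuple comparison is field-wise, so (2,0,13,'h') < (3,0,1,'c')."""
    return CimcVersion.parse(installed) >= CimcVersion.parse(fixed_in)


def servers_needing_update(inventory: Dict[str, str], fixed_in: str) -> List[str]:
    """Return the (sorted) names of servers whose CIMC is below fixed_in."""
    return sorted(name for name, ver in inventory.items()
                  if not is_fixed(ver, fixed_in))


# Constructed sample inventory: hostnames are made up; the versions reuse
# the strings quoted in the thread plus one hypothetical older build.
SAMPLE_INVENTORY = {
    "c240-rack-1": "2.0(13H)",  # what UCSM reported in the opening post
    "c240-rack-2": "2.0(13g)",  # hypothetical older CIMC build
    "c240-rack-3": "3.0(1c)",   # the fixed-in version cited in the first reply
}

if __name__ == "__main__":
    for fixed_in in ("3.0(1c)", "2.0(13h)"):
        print(fixed_in, "->", servers_needing_update(SAMPLE_INVENTORY, fixed_in))
```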