cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4781
Views
0
Helpful
3
Replies

CIMC SSH/Dropbear Server Vulnerabilities Cisco Bug CSCvb56137

iwearing
Level 1
Level 1

Hi,

A recent vulnerability scan has shown a SSH/Dropbear server vulnerability on UCS Managed C240M servers.

Cisco Bug ID CSCvb56137 details the issue.

The C240M servers are managed via UCSM. UCSM was recently upgraded to V3.1.2E along with all Blades and C-Series servers.

UCSM reports that the current CIMC firmware version is 2.0(13H)

Can anybody confirm whether it is possible to disable SSH access to CIMC via UCSM and still have kvm access.

thanks

Ian

3 Replies 3

Kirk J
Cisco Employee
Cisco Employee

Greetings.

There is no a way to disable SSH on the CIMCs via the UCSM for the Rack server's CIMCs.  This might actually disable integration (if there was actually a way to do this).

Looks like you will want to consider moving to a fixed in version, which is 3.01c or higher, once a C series bundle is released, as 2.013h is the highest version bundled with any UCSM C series bundles currently.

Thanks,

Kirk...

Hi Kirk,

Thanks for your input. Much appreciated.

You wouldn't happen to know when a C-Series bundle will be released with the fix included.

Ian

Hi Iwearing,

Based on the bug notes it is fixed in the version - 2.0(13h) which was released on December 16th this correlates to UCS Version 3.1(2e).

This correlation can be found from the link below:

http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/release/notes/CiscoUCSManager-RB-3-1.html

If you navigate to the section labeled

SWT Unified Computing System (UCS) Server Software (C-Series) for 3.1(2e)

You can see the versions for the C-Series bundle would be:

  • ucs-c220-m4-bios.C220M4.2.0.13g.0.1113162259.bin

  • ucs-c220-m4-brdprog.33.0.bin

  • ucs-c220-m4-k9-cimc.2.0.13h.bin

Also regarding the workaround per the bug note:

Workaround:
Disable SSH by going to Communication Service. By which the port 22 would not be open and you would not see this vulnerability. But by disabling SSH service we cannot login into CIMC via CLI. Other interfaces like webUI /XML would still be active and running.

* This is down under the Admin tab in UCS Manager sub-section Communication Service.

* Also to disable IPMI, create an IPMI policy and apply to the service profile. Servers > Policies > Create IPMI Access Profile

Please mark correct answers so other members can easily find solutions on the forum.

Hope this helps,

Qiese Dides

Review Cisco Networking for a $25 gift card

Review Cisco Networking for a $25 gift card