UCS C220 M4S CIMC vulnerability - OpenSSH <9.6 plugin 187201

Halsser
Level 1

Our security team has detected a vulnerability with the Cisco UCS C220 M4S CIMC. We need your assistance in addressing this or finding any justification from Cisco regarding it.

Here is the vulnerability:

https://www.tenable.com/plugins/nessus/187201

CVE: CVE-2023-48795, CVE-2023-51384, CVE-2023-51385


BrianSekleckiGE
Level 1

Every embedded GNU/Linux based device in the world started scanning positive for that. I'm working with vendors still shipping new OVAs, freshly built last month, still based on RHELv7, with unpatched OpenSSH v7.4 from 2016.

It would be convenient to blame the VARs, but really these Linux distros have terrible release engineering. 

And, even if VAR backports the hotfixes from OpenSSH v9.9, the Nessus plugin REGEX matching will probably still flag it as vulnerable ("openssh-7.4pX.rhel7.x86_x4") because of the RPM numbering scheme. 

Hopefully Cisco can release a firmware patch for C220 M4S CIMC before Dell patches iDRAC9?  Or at least adjust the cipher suites.

Also, CIMCs should only have L3 ACLs so that they're only reachable from operator engineering stations and NMS, tucked away on VLANs in a private management VRF, so you can come back to the Nessus team with a reduced risk assessment finding.

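To show why a banner-driven plugin hit and actual Terrapin (CVE-2023-48795) exposure can differ, and what "adjust the cipher suites" buys on a host that will never get a firmware update, here is an added Python example (not from the thread, Cisco or Tenable) that puts a version-only check next to the algorithm lists a server actually offers. The banners and algorithm lists are constructed samples; the strict-kex marker and the exposed cipher/MAC modes are as described in the public Terrapin advisory.

```python
import re

# Protocol facts from the public Terrapin (CVE-2023-48795) advisory: OpenSSH 9.6 added
# "strict kex", and the exploitable modes are ChaCha20-Poly1305 and CBC ciphers with EtM MACs.
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
FIXED_VERSION = (9, 6)  # threshold a banner-only check uses
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)")

def version_flagged(banner):
    """Banner-only check: True for OpenSSH older than 9.6, None if not OpenSSH at all."""
    m = BANNER_RE.match(banner)
    return (int(m[1]), int(m[2])) < FIXED_VERSION if m else None

def terrapin_exposure(kex, ciphers, macs):
    """Exposed algorithm combinations the server actually offers; [] means not exposed."""
    if STRICT_KEX_SERVER in kex:
        return []  # strict key exchange closes the handshake manipulation regardless of ciphers
    exposed = []
    if "chacha20-poly1305@openssh.com" in ciphers:
        exposed.append("chacha20-poly1305@openssh.com")
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if m.endswith("-etm@openssh.com")]
    exposed.extend(f"{c}+{m}" for c in cbc for m in etm)
    return exposed

def assess(banner, kex, ciphers, macs):
    """Put the version view and the negotiated-algorithm view side by side."""
    flagged = version_flagged(banner)
    exposed = terrapin_exposure(kex, ciphers, macs)
    if exposed:
        verdict = "exposed via " + ", ".join(exposed)
    elif flagged:
        verdict = "flagged by version only (hardened or backported build)"
    else:
        verdict = "not exposed"
    return {"flagged_by_version": flagged, "exposed": exposed, "verdict": verdict}

# Constructed samples (not captured from real hosts): an old sshd with default algorithms,
# the same banner after trimming ciphers/MACs, and a 9.6 build advertising strict kex.
OLD_BANNER = "SSH-2.0-OpenSSH_7.4"
KEX = ["curve25519-sha256", "diffie-hellman-group14-sha256"]
CIPHERS = ["chacha20-poly1305@openssh.com", "aes256-ctr", "aes256-cbc"]
MACS = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]

def demo():
    return [
        assess(OLD_BANNER, KEX, CIPHERS, MACS),
        assess(OLD_BANNER, KEX, ["aes256-ctr", "aes256-gcm@openssh.com"], ["hmac-sha2-256"]),
        assess("SSH-2.0-OpenSSH_9.6", KEX + [STRICT_KEX_SERVER], CIPHERS, MACS),
    ]
```

The three lists for a real host are the ones `ssh -vv` prints under `peer server KEXINIT proposal`; a result of "flagged by version only" is the evidence to bring back to the scan team for a reduced-risk finding.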

Kirk J
Cisco Employee

The M4s are well beyond Last Day of support/LDOS.

There is no code development/updates being released for M4s.

 

https://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/ucs-c-series-rack-servers/eos-eol-notice-c51-741235.html

End of Vulnerability/Security Support (HW): February 29, 2024
The last date that Cisco Engineering may release a planned maintenance release or scheduled software remedy for a security vulnerability issue.

Last Date of Support (HW): February 29, 2024
The last date to receive applicable service and support for the product as entitled by active service contracts or by warranty terms and conditions. After this date, all support services for the product are unavailable, and the product becomes obsolete.

For current gear's IMC (i.e. M5, M6, etc.), there are updates: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi59840 specifies which release version has a fix.
