A recent vulnerability scan has shown an SSH/Dropbear server vulnerability on UCS Managed C240M servers.
Cisco Bug ID CSCvb56137 details the issue.
The C240M servers are managed via UCSM. UCSM was recently upgraded to V3.1.2E along with all Blades and C-Series servers.
UCSM reports that the current CIMC firmware version is 2.0(13H).
Can anybody confirm whether it is possible to disable SSH access to CIMC via UCSM and still have KVM access?
There is no way to disable SSH on the CIMCs via UCSM for the rack servers' CIMCs. This might actually disable integration (if there were actually a way to do this).
Looks like you will want to consider moving to a fixed-in version, which is 3.01c or higher, once a C-Series bundle is released, as 2.013h is the highest version bundled with any UCSM C-Series bundles currently.
Based on the bug notes, it is fixed in version 2.0(13h), which was released on December 16th; this correlates to UCS version 3.1(2e).
This correlation can be found from the link below:
If you navigate to the section labeled
You can see the versions for the C-Series bundle would be:
Also, regarding the workaround per the bug note:
Disable SSH by going to Communication Service. With this, port 22 would not be open and you would not see this vulnerability. But by disabling the SSH service we cannot log in to CIMC via the CLI. Other interfaces like the web UI/XML would still be active and running.
* This is down under the Admin tab in UCS Manager, sub-section Communication Service.
* Also, to disable IPMI, create an IPMI policy and apply it to the service profile: Servers > Policies > Create IPMI Access Profile
Please mark correct answers so other members can easily find solutions on the forum.
Hope this helps,