I recently did a vulnerability scan of a 4400 (4404) series wireless LAN controller running 22.214.171.124 and it showed SSH running on port 22 of the management interface. The problem I have is that the vulnerability scanner (Nessus) showed the version to be OpenSSH 4.0 according to the SSH banner. Based on this version it has highlighted a large number of potential vulnerabilities including denial of service and privilege escalation issues. I've researched each of these vulnerabilities and they do indeed affect this version of OpenSSH and some of them are quite serious. However, I can find absolutely no reference on the web to this device (or indeed any Cisco device) being vulnerable to these OpenSSH bugs. I can find references to other SSH bugs but these are not the same ones that appear to affect OpenSSH 4.0 and the version of software on the device is not vulnerable to those other ones. I would have imagined with both the popularity of the device and of the vulnerability scanner that someone would have encountered this before. I'm starting to think now that this is a false positive on the scanner's part or else that Cisco fixes these bugs individually without upgrading the version of OpenSSH in the banner and so it is not affected - but I would have thought there would still be reference to these somewhere online. I'd appreciate any thoughts anyone would have on this.
Some of the vulnerabilities that the scanner is showing against this version of OpenSSH are as follows:
X11 trusted cookie forwarding issue -> (CVE-2007-4752)
Potential denial of service by crashing ssh service -> (CVE-2006-4925)
Privilege escalation via weak verification of authentication -> (CVE-2006-5794)
DoS by forcing keys to be recreated -> (CVE-2007-0726)
Uncover 32 bits of plain text from arbitrary block of ciphertext -> (CVE-2008-1483)
Hijack X11 session due to binding TCP ports to IPv6 interface instead of IPv4 when IPv4 is in use -> (CVE-2008-1483)
Execute arbitrary commands if a user copies a maliciously crafted file via scp -> (CVE-2008-1483)
Execution of commands using weakness in the ForceCommand directive -> (CVE-2008-1657)
Thanks very much for the response. That clears up that issue. The Cisco code you give - CSCsx46691 - is that only available to view for certain Cisco membership types? I searched for it on Google and on this site but can't find any reference to it. Thanks for posting the content of it!
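Added example, not part of the original posts and not Cisco or Nessus code: a small triage helper that parses the SSH identification string (RFC 4253 section 4.2) and keeps findings whose only evidence is the banner version marked as unverified until a vendor advisory or bug ID settles them. The banner string, the `evidence` field and the status labels are assumptions made for illustration; the CVE IDs are taken from the list above.

```python
import re

# RFC 4253 section 4.2 identification string: SSH-protoversion-softwareversion SP comments
IDENT = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")


def parse_ident(line):
    """Split an SSH identification string into protocol, software and comments."""
    m = IDENT.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.groupdict()


def openssh_version(ident):
    """Return (major, minor) if the banner claims OpenSSH, else None."""
    m = OPENSSH.match(ident["software"])
    return (int(m["major"]), int(m["minor"])) if m else None


def triage(banner, findings):
    """Label each finding by how much the evidence behind it actually proves.

    A finding whose only evidence is the banner version shows what the service
    claims to be, not which fixes its vendor build carries, so it stays
    'unverified' until a vendor advisory or bug ID settles it.
    """
    claimed = openssh_version(parse_ident(banner))
    result = {}
    for f in findings:
        if f["evidence"] != "banner":
            result[f["cve"]] = "confirmed-by-probe"      # an active check fired
        elif claimed is None:
            result[f["cve"]] = "banner-mismatch"         # banner is not OpenSSH at all
        else:
            result[f["cve"]] = "unverified-banner-only"  # version inference only
    return result


# Constructed sample input: the banner string and evidence labels are assumptions.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_4.0\r\n"
SAMPLE_FINDINGS = [
    {"cve": "CVE-2007-4752", "evidence": "banner"},
    {"cve": "CVE-2006-5794", "evidence": "banner"},
    {"cve": "CVE-2008-1657", "evidence": "banner"},
]

if __name__ == "__main__":
    for cve, status in triage(SAMPLE_BANNER, SAMPLE_FINDINGS).items():
        print(cve, status)
```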