
Openssh version in NX-OS

langoustator
Level 1

Hello,

 

Is there any document that describes which version of openssh is used in NX-OS releases?

I have some security scans that report openssh vulnerabilities, and I'd like to know if upgrading NX-OS will help me solve these issues.

 

Thanks,

 

Regards,

 

lang

20 Replies

Bilal Nawaz
VIP Alumni

Hello lang,

Not that I know of, however if you ssh to the NXs from a Linux box using verbose mode that might give you more information. I would raise this with TAC as they may be able to give you more information and better advice.

Do you have access-class configured under the vty lines to restrict ssh access?

Also was this an authenticated scan?

Hope this helps

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Bilal,

Thanks for your answer.

It was a scan running from the inside, with an authorized IP.

Yes, I know about the current version, but I'm interested in the most recent ones, and unfortunately I don't have access to a device running these versions. I guess I'll go the TAC way then.

Rgds

 

Shrikant Sakwan
Level 1

Does anybody know how to check the OpenSSH version in Nexus switches?

 

cchughes
Level 1

I have the same question.  Cyber Insurance performed a scan and says the Nexus openssh version should be upgraded or patched to address DDOS vulnerabilities.

mhabiballa
Level 1

10 years later! I landed here looking for an answer because of the CVE-2024-6387 openssh vulnerability. As Bilal Nawaz said, I issued ssh -v from a Linux box to the nexus sw, and I was able to identify the openssh version running on it.

ExplicitDeny
Level 1

If you're fortunate enough to have something like SecureCRT you can enable 'Trace Options' that will give you that "verbose" output when establishing a session. There will be an output similar to: [LOCAL] : RECV : Remote Identifier = 'SSH-1.0 OpenSSH_1.1 PKIX[1.1.1 FIPS]'.
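Added example, not written by any poster in this thread and not Cisco code: a small Python check that reads the identification string an SSH server sends first (the same string `ssh -v` reports as the remote software version) and compares the advertised OpenSSH release with a minimum the caller supplies. The function names, the sample banners and the `(9, 8)` threshold are assumptions made for illustration.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_IDENT = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
_OPENSSH = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_ident(line):
    """Split one identification line into its fields; None if it is not one."""
    m = _IDENT.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def openssh_version(text):
    """Return (major, minor) from an OpenSSH_x.y token, or None if absent."""
    m = _OPENSSH.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def reports_older_than(banner, minimum):
    """True/False if the banner advertises OpenSSH below `minimum`,
    None when the banner is malformed or names no OpenSSH version."""
    ident = parse_ident(banner)
    if ident is None:
        return None
    version = openssh_version(f"{ident['software']} {ident['comments'] or ''}")
    return None if version is None else version < minimum


def read_ident(host, port=22, timeout=5.0):
    """Read the server's identification line. Nothing is sent, no login is tried."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as stream:
            for _ in range(20):  # a server may send other lines before the ident
                raw = stream.readline(512)
                if not raw:
                    break
                line = raw.decode("ascii", errors="replace")
                if line.startswith("SSH-"):
                    return line.rstrip("\r\n")
    return None


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real device.
    for sample in ("SSH-2.0-OpenSSH_9.1", "SSH-2.0-ExampleSSH_1.0"):
        print(sample, "->", reports_older_than(sample, (9, 8)))
```

The result reflects only the string the server advertises, which is what banner-matching scanners key on; it says nothing about fixes applied without a version change.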

Jeff Horton
Level 3

Ours are currently running the following: CiscoSSH 1.13.48, OpenSSH_9.1p1, CiscoSSL 1.1.1y.7.3.377-fips.

Our security scanners say it needs to be OpenSSH_9.8.1.

In the latest documentation for the 10.5.1 NX-OS version, it says it fixed the OpenSSH 9.5.1p1 from CSCwj01180. But when I look this up, there is nothing. The version 10.5.1 still has OpenSSH 9.1p1.

Will this ever be fixed?

 

Same exact issue. You are not alone.

We are using the same version, 10.5.1. Cisco suggested upgrading it to 10.5.2, which will include the updated OpenSSH version that addresses the vulnerabilities.

schadracpierre
Level 1

 

Please update the Nexus switch to the current good version. I've attached a file for you to look over.

 

 

Still comes up on the vulnerability scans as high on OpenSSH even after upgrading to 10.3(6)M. 

Security scans say it needs to be OpenSSH_9.8.1, but NXOS 10.3(6)M still matches on OpenSSH_9.1.

What are Cisco's plans to resolve?

10.3.6 should fix it, but make sure that you download one with the asterisk as labeled in the screenshot.

Schadrac

Thanks for the response - we are using this version below (current Cisco recommended), the scans have re-run and are still identifying this issue as a "high" vulnerability - I will try and get the security team to re-scan from scratch as I'm thinking they have some held data from previous scans (as you've confirmed it should be resolved).

nxosV.PNG

I would like to know the results of this please. I am waiting to downgrade to this version if it fixes the vulnerability issue.

 
