Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4545
Views
0
Helpful
3
Replies

CIMC SSH/Dropbear Server Vulnerabilities Cisco Bug CSCvb56137

iwearing
Level 1
Level 1

‎04-26-2017 08:19 AM - edited ‎03-01-2019 01:09 PM

Hi,

A recent vulnerability scan has shown a SSH/Dropbear server vulnerability on UCS Managed C240M servers.

Cisco Bug ID CSCvb56137 details the issue.

The C240M servers are managed via UCSM. UCSM was recently upgraded to V3.1.2E along with all Blades and C-Series servers.

UCSM reports that the current CIMC firmware version is 2.0(13H)

Can anybody confirm whether it is possible to disable SSH access to CIMC via UCSM and still have kvm access.

thanks

Ian

0 Helpful
3 Replies 3

Kirk J
Cisco Employee
Cisco Employee

‎04-26-2017 10:11 AM

Greetings.

There is no a way to disable SSH on the CIMCs via the UCSM for the Rack server's CIMCs.  This might actually disable integration (if there was actually a way to do this).

Looks like you will want to consider moving to a fixed in version, which is 3.01c or higher, once a C series bundle is released, as 2.013h is the highest version bundled with any UCSM C series bundles currently.

Thanks,

Kirk...

0 Helpful

iwearing
Level 1
Level 1
In response to Kirk J

‎04-27-2017 01:06 AM

Hi Kirk,

Thanks for your input. Much appreciated.

You wouldn't happen to know when a C-Series bundle will be released with the fix included.

Ian

0 Helpful

Qiese Dides
Cisco Employee
Cisco Employee
In response to iwearing

‎04-27-2017 07:47 AM

Hi Iwearing,

Based on the bug notes it is fixed in the version - 2.0(13h) which was released on December 16th this correlates to UCS Version 3.1(2e).

This correlation can be found from the link below:

http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/release/notes/CiscoUCSManager-RB-3-1.html

If you navigate to the section labeled

SWT Unified Computing System (UCS) Server Software (C-Series) for 3.1(2e)

You can see the versions for the C-Series bundle would be:

  • ucs-c220-m4-bios.C220M4.2.0.13g.0.1113162259.bin

  • ucs-c220-m4-brdprog.33.0.bin

  • ucs-c220-m4-k9-cimc.2.0.13h.bin

Also regarding the workaround per the bug note:

Workaround:
Disable SSH by going to Communication Service. By which the port 22 would not be open and you would not see this vulnerability. But by disabling SSH service we cannot login into CIMC via CLI. Other interfaces like webUI /XML would still be active and running.

* This is down under the Admin tab in UCS Manager sub-section Communication Service.

* Also to disable IPMI, create an IPMI policy and apply to the service profile. Servers > Policies > Create IPMI Access Profile

Please mark correct answers so other members can easily find solutions on the forum.

Hope this helps,

Qiese Dides

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking products for a $25 gift card