FTD and FMC 7.4.1.1 downgrades SSH to 9.1 - Now more vulnerable

kbenedict1 (Level 1)

marce1000 (VIP)

            >...Title says it all.
 - It doesn't, or even 'far less';

      - How did you determine that SSH was downgraded; how do you retrieve the 9.1 version info?
      - Why do you think it is now more vulnerable? What testing methodologies did you use to conclude that?

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '


Putty event log reports 9.1 is the remote client.

Nessus scan reports 9.1.

CVE-2023-48795, CVE-2023-51384, CVE-2023-51385 are the known vulnerabilities.

Any other questions? I was hoping for a Cisco response on why they are packaging vulnerable versions of SSH in new software upgrades, not a challenge of basic understanding of viewing a PuTTY log and looking up known CVEs.

 

            >... I was hoping for a Cisco response 
 - You are on a support forum populated by Cisco customers on a volunteering basis. For official support and letting Cisco know your concerns you need to create a TAC case.

 M.




Opening a TAC case was the first thing I did. I was wondering if anyone else is encountering this, and if they are, what are they doing. Anyone who has to meet any sort of compliance should be talking about this. It's odd that it's eerily quiet.

 

 - I can follow you on those considerations, and perhaps others already have TAC cases launched and are getting insights (sometimes...).

 M.




marce1000 (VIP)

              (Added): https://sec.cloudapps.cisco.com/security/center/home.x#:

 M.




Marvin Rhoads (Hall of Fame)

My Firepower 7.2.5 reports OpenSSH 8.0.

I scanned a 7.4.1.1 FMC and it reports 9.1 (as does a 7.6 beta FMC)

What version did you see with something higher than 9.1?

Yes, it's 9.1 for 7.4.1.1. The problem is that the aforementioned CVEs are all about SSH versions less than 9.6. I understand that Cisco says they're not vulnerable, but many are, so I'm wondering why they think they're not.
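Both the version check described earlier in the thread (PuTTY event log, Nessus) and the "less than 9.6" reading of the CVEs rest on the server banner alone. For CVE-2023-48795 (Terrapin) the banner is not the deciding evidence: the OpenSSH 9.6 fix is a key-exchange extension that a vendor can backport without touching the version string, and the attack only applies when ChaCha20-Poly1305, or a CBC cipher together with an Encrypt-then-MAC MAC, can be negotiated. The example below is added here and is not code from the thread, Cisco or the OpenSSH project. It reads the banner and the server's SSH_MSG_KEXINIT (RFC 4253 section 7.1), parses the algorithm name-lists, and reports whether the strict-kex marker `kex-strict-s-v00@openssh.com` is advertised. The `probe()` function, the field names and the sample KEXINIT (constructed to resemble what a stock OpenSSH 9.1 server offers) are this example's own assumptions.

```python
import re
import socket
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists inside SSH_MSG_KEXINIT (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Server-side strict-kex marker introduced with the OpenSSH 9.6 fix for
# CVE-2023-48795. A backported fix shows up here even if the banner says 9.1.
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
TERRAPIN_FIX_VERSION = (9, 6)


def parse_banner(line):
    """Return (major, minor) from an 'SSH-2.0-OpenSSH_X.Y...' banner, else None."""
    m = re.match(r"SSH-2\.0-OpenSSH_(\d+)\.(\d+)", line.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_kexinit(payload):
    """Split a KEXINIT payload into its name-lists; raises on a wrong message id."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    pos, lists = 17, {}  # 1-byte message id + 16-byte cookie
    for field in KEXINIT_FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += 4 + n
    return lists


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Build a KEXINIT payload from name-lists. Used only to construct the
    sample below; a real probe receives this message from the server."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    # first_kex_packet_follows (boolean) + reserved uint32
    return body + b"\x00" + struct.pack(">I", 0)


def assess(banner, kexinit_payload):
    """Judge CVE-2023-48795 exposure from the banner plus the server KEXINIT."""
    version = parse_banner(banner)
    lists = parse_kexinit(kexinit_payload)
    ciphers = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    macs = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    # Exploitable combinations named in the OpenSSH 9.6 release notes:
    # ChaCha20-Poly1305, or a CBC cipher together with an Encrypt-then-MAC MAC.
    weak = sorted(c for c in ciphers if c == "chacha20-poly1305@openssh.com")
    if any(c.endswith("-cbc") for c in ciphers) and \
            any(m.endswith("-etm@openssh.com") for m in macs):
        weak += sorted(c for c in ciphers if c.endswith("-cbc"))
    strict = STRICT_KEX_SERVER in lists["kex"]
    return {
        "version": version,
        "banner_predates_fix": version is not None and version < TERRAPIN_FIX_VERSION,
        "strict_kex": strict,
        "weak_algorithms": weak,
        # No exploitable algorithm offered, or strict kex advertised: not exposed.
        "exposed": bool(weak) and not strict,
    }


def probe(host, port=22, timeout=5.0):
    """Fetch banner and server KEXINIT the way a client (or PuTTY's log) sees them."""
    with socket.create_connection((host, port), timeout=timeout) as s, \
            s.makefile("rb") as f:
        while True:  # RFC 4253 section 4.2 allows text lines before the banner
            line = f.readline()
            if not line:
                raise ConnectionError("no SSH banner received")
            banner = line.decode("ascii", "replace").strip()
            if banner.startswith("SSH-"):
                break
        s.sendall(b"SSH-2.0-kexinit_probe\r\n")
        packet_len, pad_len = struct.unpack(">IB", f.read(5))
        payload = f.read(packet_len - pad_len - 1)  # no MAC before first kex
        return banner, payload


# Constructed sample: an OpenSSH 9.1 server without a backported strict-kex fix.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_9.1"
SAMPLE_KEXINIT = build_kexinit({
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-512"],
    "enc_c2s": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-gcm@openssh.com"],
    "enc_s2c": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-gcm@openssh.com"],
    "mac_c2s": ["umac-64-etm@openssh.com", "hmac-sha2-256"],
    "mac_s2c": ["umac-64-etm@openssh.com", "hmac-sha2-256"],
    "comp_c2s": ["none", "zlib@openssh.com"],
    "comp_s2c": ["none", "zlib@openssh.com"],
})

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_KEXINIT))
```

Run `assess(*probe("fmc.example"))` against a live appliance (hostname assumed) to get the same verdict from real data. Two caveats: strict kex only protects a session when both peers advertise it, so the client side (PuTTY included) must be current too; and the other two CVEs in the thread, CVE-2023-51384 (ssh-agent) and CVE-2023-51385 (the ssh client's ProxyCommand handling), are client-side issues that no server banner or KEXINIT can confirm or rule out.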

It appears some FX-OS versions are affected and that Cisco has developed a fix internally that is not yet posted.

The "Fixed release" build number can be a bit challenging to decipher, but it appears 2.14.1.149 and higher have the fix (2.14.1.143 is the latest available on the downloads site as of today, 1 May 2024).

Reference: https://bst.cisco.com/bugsearch/bug/CSCwi60430

I would cite that in your open TAC case. Please let us know what they say.

I have yet to see where Cisco downgraded any previously included OpenSSH module present in any previously released FMC or FTD.
