Hi!
"I have the same issue on my Aruba switch Firmware ver 10.10.1070 --current Ver
Secondary ver 10.10.1030.
I want to know how we can upgrade the firmware."
Months have passed... so now simply update your ArubaOS-CX from 10.10.1070 to 10.10.1140 which, among other things, fixes more recent CVEs other than the one you are worried about.
Original Message:
Sent: 9/30/2024 5:46:00 PM
From: babalola
Subject: RE: Aruba CX Switches and Open SSH version 8.7/8.8?
I have the same issue on my Aruba switch Firmware ver 10.10.1070 --current Ver
Secondary ver 10.10.1030.
I want to know how we can upgrade the firmware.
Original Message:
Sent: Aug 02, 2024 02:25 PM
From: parnassus
Subject: Aruba CX Switches and Open SSH version 8.7/8.8?
Hi, have a look at HPE Aruba Networking Product Security Advisory HPESBNW04669 about CVE-2024-6387 "Unauthenticated Remote Code Execution vulnerability in OpenSSH's Server (RegreSSHion)" (Publication Date: 2024-Jul-10, Last Updated: 2024-Jul-31, Status: Confirmed, Severity: High, Revision: 2).
https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_hpesbnw04669.txt
To recap:
Affected ArubaOS-CX Switches:
- 10.14.0006 and below
- 10.13.1030 and below
- 10.12.1050 and below
- 10.11.1070 and below
- 10.10.1130 and below
- Software Releases prior to ArubaOS-CX version 10.10.xxxx are not affected but are currently End of Support
Fixed ArubaOS-CX Switches:
- 10.14.0007 and above
- 10.13.1031 and above
- 10.10.1131 and above
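The affected/fixed lists above are easy to misread because each release train has its own threshold. Below is an added example (written for this thread, not HPE Aruba's own tooling) that turns the recap into a small Python check: it parses an ArubaOS-CX version string, picks the train, and reports whether the build is inside the affected range, at or above the fixed build, or not covered by the recap. The thresholds are copied from the recap; the `RANGES` table, the function names and the inventory sample are this example's own assumptions. The 10.11 and 10.12 trains are listed only as affected with no fixed build quoted, so builds above the quoted ceiling on those trains are reported as "unknown" rather than "fixed".

```python
"""Triage ArubaOS-CX versions against the CVE-2024-6387 (regreSSHion) recap.

Added example for this thread, not HPE Aruba tooling. Thresholds come from
the advisory recap quoted in the post; everything else is assumed/constructed.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Per release train: (highest affected build, lowest fixed build) from the recap.
# None means the recap quotes no fixed build for that train.
RANGES: Dict[Tuple[int, int], Tuple[Version, Optional[Version]]] = {
    (10, 14): ((10, 14, 6), (10, 14, 7)),        # 10.14.0006 / 10.14.0007
    (10, 13): ((10, 13, 1030), (10, 13, 1031)),
    (10, 12): ((10, 12, 1050), None),            # fixed build not in recap
    (10, 11): ((10, 11, 1070), None),            # fixed build not in recap
    (10, 10): ((10, 10, 1130), (10, 10, 1131)),
}


def parse_version(text: str) -> Version:
    """Turn '10.10.1070' into (10, 10, 1070); leading zeros ('0006') are fine."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an ArubaOS-CX version string: {text!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def regresshion_status(text: str) -> str:
    """Classify one version against the recap: affected / fixed / not affected / unknown."""
    ver = parse_version(text)
    train = (ver[0], ver[1])
    if train < (10, 10):
        # Recap: releases prior to 10.10.xxxx are not affected but are End of Support.
        return "not affected (release train is End of Support)"
    if train not in RANGES:
        return "unknown (train not listed in the advisory recap)"
    last_affected, first_fixed = RANGES[train]
    if ver <= last_affected:
        return "affected"
    if first_fixed is not None and ver >= first_fixed:
        return "fixed"
    return "unknown (build not covered by the advisory recap)"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> status for a list of (hostname, version) pairs."""
    return {host: regresshion_status(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders, versions are
    # the builds mentioned in this thread plus one pre-10.10 release.
    sample = [
        ("core-sw-01", "10.10.1030"),
        ("core-sw-02", "10.10.1070"),
        ("core-sw-03", "10.10.1140"),
        ("edge-sw-01", "10.13.1010"),
        ("edge-sw-02", "10.14.0007"),
        ("lab-sw-01", "10.09.0010"),
    ]
    for host, status in triage(sample).items():
        print(f"{host:12} {status}")
```

Run as a script to print one status line per switch, or import `triage` and feed it the hostname/version pairs from your own inventory export. Note what the table says about the two builds discussed in this thread: 10.10.1030 and 10.10.1070 both fall inside the affected range, and the proposed upgrade target 10.13.1010 does too (the 10.13 train is only fixed from 10.13.1031), while 10.10.1140 is above the 10.10.1131 fix.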
Original Message:
Sent: 8/2/2024 2:08:00 PM
From: procopius1980
Subject: Aruba CX Switches and Open SSH version 8.7/8.8?
I have a customer who sent me the following message a few minutes ago.
"My security company sent the following about the Aruba switches. Is there an update for this?
This vulnerability impacts versions 8.7/8.8 of the OpenSSH secure networking suite which can lead to a remote code execution. While these internal IPs do not appear to be externally facing, to err on the side of caution, we recommend upgrading to the latest secure OpenSSH release."
I was provided with a list of 5 switches that are reportedly running a vulnerable version of OpenSSH. In each case, the switches are running either 10.10.1030 or 10.10.1070, and they are running SSH version 2.0. The customer also has switches running those same firmware versions that were not listed as being vulnerable. My gut tells me that the customer's security scan is picking up a red herring, but I figure it's worth checking here before I brush it off. I have advised the customer that we should upgrade the switches to 10.13.1010, but have yet to receive approval. However, the data I have thus far collected makes me suspicious that this is a firmware issue. Any thoughts?