ONTAP Discussions
Hello,
I have an FAS2554 system that is off support, so asking here. The system was upgraded to 9.7P1 recently. Our Qualys scanner tagged the array as not running OpenSSH 7.4 even though this should have been fixed in 9.3P6 per https://security.netapp.com/advisory/ntap-20171130-0002/.
Any ideas on how to fix this? Did I miss something during the upgrade? I did use the non data encryption image during all upgrades.
Thank you
Chris
Telnet to the VIP shows:
telnet 192.168.X.X 22
Trying 192.168.X.X...
Connected to 192.168.X.X.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2 FreeBSD-20160310
Protocol mismatch.
Connection closed by foreign host.
Package Status  Version  Start Time          Completion Time     Component ID  Previous Version  Updated Version
--------------  -------  ------------------  ------------------  ------------  ----------------  ---------------
successful      9.1P20   3/17/2020 16:43:30  3/17/2020 17:05:01  hostname      8.3.2P2           9.1P20
successful      9.3P18   3/17/2020 18:33:20  3/17/2020 18:53:43  hostname      9.1P20            9.3P18
successful      9.4P8    3/18/2020 12:32:54  3/18/2020 12:53:53  hostname      9.3P18            9.4P8
successful      9.5P11   3/18/2020 14:58:55  3/18/2020 15:19:58  hostname      9.4P8             9.5P11
successful      9.7P1    3/18/2020 15:51:29  3/18/2020 16:16:11  hostname      9.5P11            9.7P1
successful      9.1P20   3/17/2020 16:43:30  3/17/2020 18:17:48  hostname      8.3.2P2           9.1P20
successful      9.3P18   3/17/2020 18:33:20  3/17/2020 19:12:49  hostname      9.1P20            9.3P18
successful      9.4P8    3/18/2020 12:32:54  3/18/2020 13:12:31  hostname      9.3P18            9.4P8
successful      9.5P11   3/18/2020 14:58:55  3/18/2020 15:38:23  hostname      9.4P8             9.5P11
successful      9.7P1    3/18/2020 15:51:29  3/18/2020 16:35:00  hostname      9.5P11            9.7P1
10 entries were displayed.
Any ideas on how to fix this? Did I miss something during the upgrade?
Very possibly something is wrong.
If I am reading that correctly:
successful  9.1P20  3/17/2020 16:43:30  3/17/2020 17:05:01  hostname  8.3.2P2  9.1P20
Less than 90 minutes later:
successful  9.3P18  3/17/2020 18:33:20  3/17/2020 18:53:43  hostname  9.1P20  9.3P18
About 18 hours later:
successful  9.4P8   3/18/2020 12:32:54  3/18/2020 12:53:53  hostname  9.3P18  9.4P8
About 2 hours later:
successful  9.5P11  3/18/2020 14:58:55  3/18/2020 15:19:58  hostname  9.4P8   9.5P11
And finally 32 minutes later:
successful  9.7P1   3/18/2020 15:51:29  3/18/2020 16:16:11  hostname  9.5P11  9.7P1
That's really aggressive. I would never have tried that. As a rule, I like to let the upgrade settle for at least 24 hours to let any long-running background processes finish. What does "cluster upgrade-revert show" indicate?
It is possible that it is a display issue. The BUG associated with this was fixed in 9.3P6 and all releases forward.
The cluster is not prod. We have 2 others to upgrade that are prod, so I am using this one to experiment.
I just fixed some TLS1 issues with this - https://kb.netapp.com/app/answers/answer_view/a_id/1029776/~/how-to-harden-ontap-9-tls-configuration-
SSH still shows 7.2 after TLS fix.
There doesn't appear to be a 'cluster upgrade-revert show' command.
hostname::*> system node upgrade-revert show
Node: hostname-01  Status: complete
Status Message: The upgrade is complete.
Vers Phase Status Upgrade Phase Status Message
---- ---------- -------- ------------------------------------------------------
510 pre-root applied No upgrade is required for this phase.
510 pre-apps applied Upgrade successful.
510 post-apps applied Upgrade successful.
700 pre-root applied No upgrade is required for this phase.
700 pre-apps applied Upgrade successful.
700 post-apps applied Upgrade successful.
800 pre-root applied No upgrade is required for this phase.
800 pre-apps applied Upgrade successful.
800 post-apps applied Upgrade successful.
900 pre-root applied No upgrade is required for this phase.
900 pre-apps applied Upgrade successful.
900 post-apps applied Upgrade successful.
1100 pre-root applied No upgrade is required for this phase.
1100 pre-apps applied Upgrade successful.
1100 post-apps applied Upgrade successful.
Node: hostname-02  Status: complete
Status Message: The upgrade is complete.
Vers Phase Status Upgrade Phase Status Message
---- ---------- -------- ------------------------------------------------------
510 pre-root applied No upgrade is required for this phase.
510 pre-apps applied Upgrade successful.
510 post-apps applied Upgrade successful.
700 pre-root applied No upgrade is required for this phase.
700 pre-apps applied Upgrade successful.
700 post-apps applied Upgrade successful.
800 pre-root applied No upgrade is required for this phase.
800 pre-apps applied Upgrade successful.
800 post-apps applied Upgrade successful.
900 pre-root applied No upgrade is required for this phase.
900 pre-apps applied Upgrade successful.
900 post-apps applied Upgrade successful.
1100 pre-root applied No upgrade is required for this phase.
1100 pre-apps applied Upgrade successful.
1100 post-apps applied Upgrade successful.
30 entries were displayed.
ONTAP versions 9.3-9.7 have a base version of OpenSSH 7.2p2.
If an advisory shows a version of ONTAP as fixed, then either a patch was backported or a configuration change was made to prevent exploitation.
So I just got one of these from a client.
They were scanning with Qualys.
(OpenSSH 7.4 Not Installed Multiple Vulnerabilities)
So are we saying cDOT has OpenSSH 7.2 as the latest patch rev?
Never trust any external scans of any ONTAP cluster.
NetApp uses modules inside and patches those modules. External scanners cannot effectively determine what is actually true.
Tenable is a great example. External scans show many false positives. But it knows about certain OS releases and patch releases. By creating a read-only user that the scan connects to, and then running a series of commands inside ONTAP querying it, it can find out more details.
For example, an external scan may say that the OS is FreeBSD (some version) and that version has certain vulnerabilities, like TCP. Turns out that module had already been patched, but the overall FreeBSD string has not, confusing the scanner.
ONTAP 9.3-9.7 include OpenSSH 7.2p2. Those ONTAP versions would also include any configuration changes or backported code required to address vulnerabilities reflected in the security advisories. ONTAP 9.8 upgraded the included OpenSSH to version 8.1p1.
And in case you need it:
A link to the Security Advisories:
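As an added example, not code from the thread or from NetApp, the following Python triages a banner-only scanner finding the way the replies above suggest: it parses the OpenSSH identification string the poster captured with telnet, parses the ONTAP release string obtained from the cluster itself, and treats a release at or beyond the advisory's fixed patch level (9.3P6 here) as a backported fix rather than an affected host. The verdict labels, the `fetch_banner` helper and the 7.4 threshold are assumptions for the example.

```python
import re
import socket

# Banner the original poster captured with telnet (host anonymized in the thread).
OBSERVED_BANNER = "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310"

# OpenSSH identification line: "SSH-2.0-OpenSSH_<major>.<minor>[p<patch>] ..."
BANNER_RE = re.compile(r"^SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
# ONTAP release string as shown by "version" or the update history: "9.3P6", "9.7P1", "9.8"
ONTAP_RE = re.compile(r"^(\d+)\.(\d+)(?:P(\d+))?$")


def parse_banner(banner):
    """Return (major, minor, patch) from an OpenSSH banner, or None if it is not one."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def ontap_key(version):
    """Turn an ONTAP release such as '9.3P6' into a comparable tuple (9, 3, 6)."""
    m = ONTAP_RE.match(version.strip().upper())
    if not m:
        raise ValueError("unrecognised ONTAP version: %r" % version)
    major, minor, p = m.groups()
    return (int(major), int(minor), int(p or 0))


def fetch_banner(host, port=22, timeout=5.0):
    """Read the SSH identification line, the same check the thread did with telnet."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").splitlines()[0]


def triage(banner, ontap_version, scanner_threshold=(7, 4, 0), fixed_from="9.3P6"):
    """Classify a banner-only finding using the ONTAP release as ground truth.

    scanner_threshold: OpenSSH version the scanner expects (the Qualys check wants 7.4).
    fixed_from: first ONTAP patch release carrying the backported fix, taken from
    the advisory (9.3P6 for ntap-20171130-0002; later releases inherit it).
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown-banner"          # not an OpenSSH banner; nothing to conclude
    if parsed >= scanner_threshold:
        return "not-affected"            # banner alone satisfies the scanner
    if ontap_key(ontap_version) >= ontap_key(fixed_from):
        return "false-positive-backported"  # old banner, but the fix is in this release
    return "affected"                    # below the fixed patch level: plan the upgrade
```

Pair the verdict with an authenticated check (a read-only ONTAP account, as the Tenable reply describes) rather than trusting the banner string in either direction.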