OpenSSH 7.4 version used in AOS,AHV.This is pentest issue for us. | Nutanix Community
Skip to main content

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017 version is using in the latest LTS AOS and AHV (AOS 6.5.6.6 , AHV el7.nutanix.20220304.511 )
Please help us to resolve this issue.
It is recommended to use the newer version of the Paramiko Python sshd 2.4.2 module. It is recommended to disable port 2222 used by Paramiko from within the system if it is not in use.
and another issue:
The versions of ssh(OpenSSH) software used in the prompt are between 7.4-9.2, and there is a username enumeration gap corresponding to these versions. Various modified exploits of this vulnerability can affect up to ssh version 9.1.

Hello,

Yes I don’t disagree a newer version is needed.

AOS 6.8.x uses openssh-8.0.x and openssl 1.1.1, still a better version but not new enough to satisfy your need.

I would strongly recommend you segment access to the Nutanix network generally, nothing should get onto that network except privileged access workstations.