Unsupported Dropbear Version

Posted: Sun Mar 28, 2021 9:45 pm
by peter.fowler
Hi,

We are using multiple WS-26-400-IDC switches (firmware version 1.5.6) to monitor some PoE cameras at some of our special buildings, and we are getting notified by our vulnerability management software (Tenable) that our version of Dropbear SSL Server is no longer supported and is at risk of multiple vulnerabilities with a VPR rating of 6.7/10 (we are running version 0.53 and the supported version is 2016.74). Is there going to be a firmware update that will fix these vulnerabilities in the future?
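An added example, not from this thread or from the switch vendor: a small Python check that takes SSH identification banners collected from a fleet (here a constructed inventory, no network access), extracts the Dropbear version and flags any build older than the 2016.74 threshold quoted in the Tenable finding above. Host names and banner strings are constructed; the threshold constant is an assumption taken from the post.

```python
import re
from typing import Dict, Optional, Tuple

# Minimum supported Dropbear release as quoted in the Tenable finding in this thread.
SUPPORTED_DROPBEAR = "2016.74"

# Dropbear identifies itself as e.g. "SSH-2.0-dropbear_2020.81" or "SSH-2.0-dropbear_0.53".
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-dropbear_(?P<ver>\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_dropbear_version(banner: str) -> Optional[str]:
    """Return the Dropbear version from an SSH banner, or None if it is not Dropbear."""
    m = BANNER_RE.match(banner.strip())
    return m.group("ver") if m else None


def version_key(ver: str) -> Tuple[int, ...]:
    """Numeric sort key. Dropbear moved from 0.x numbering (0.53) to year-based
    numbering (2016.74), and integer tuples still order those correctly."""
    return tuple(int(p) for p in ver.split("."))


def is_unsupported(banner: str, minimum: str = SUPPORTED_DROPBEAR) -> Optional[bool]:
    """True if the banner is Dropbear older than `minimum`, False if current,
    None if the server is not Dropbear at all (not this finding's concern)."""
    ver = parse_dropbear_version(banner)
    if ver is None:
        return None
    return version_key(ver) < version_key(minimum)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'UNSUPPORTED', 'OK' or 'NOT_DROPBEAR' for a quick fleet report."""
    labels = {True: "UNSUPPORTED", False: "OK", None: "NOT_DROPBEAR"}
    return {host: labels[is_unsupported(banner)] for host, banner in inventory.items()}


# Constructed sample inventory (host -> banner); the switch on 1.5.6 firmware ships 0.53.
SAMPLE_INVENTORY = {
    "switch-a": "SSH-2.0-dropbear_0.53",
    "switch-b": "SSH-2.0-dropbear_2020.81",
    "nas-1": "SSH-2.0-OpenSSH_8.4",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```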

Re: Unsupported Dropbear Version

Posted: Mon Mar 29, 2021 1:00 pm
by Stephen
This is being explored presently.

Re: Unsupported Dropbear Version

Posted: Mon Apr 12, 2021 10:55 pm
by Stephen
For anyone interested, we have now upgraded to Dropbear 2020.81 on v.1.5.9rcX, and you can download it here.

Re: Unsupported Dropbear Version

Posted: Mon Aug 09, 2021 11:40 pm
by peter.fowler
Hi Stephen, thanks for the update regarding 1.5.9 RC1, but is there a specific timeframe for when this version will go into the stable channel, as I am hesitant to upgrade our switches to an RC build? Also, is the RC build the preferred option for future updates?

Re: Unsupported Dropbear Version

Posted: Tue Aug 17, 2021 11:20 am
by Stephen
Hello peter.fowler, it will eventually be integrated into a 1.5.9 release. If you wish to wait to update until then, that is OK, but as a rule RC releases from us are typically fine in production unless otherwise specified in the release notes.

Re: Unsupported Dropbear Version

Posted: Sun Jan 30, 2022 4:16 pm
by peter.fowler
Thanks for the update, and sorry for not replying sooner, but do you have an approximate ETA for these features as part of stabilizing 1.5.9 to production? My manager and our security manager are keen to know what the next steps will be, including a roadmap for this (FYI, all our WS-26-400-IDC switches are now on the 1.5.8 production release build).

Re: Unsupported Dropbear Version

Posted: Sun Feb 27, 2022 4:38 pm
by peter.fowler
I can confirm that updating to version 1.5.11 (which is now in production) fixes the Dropbear version vulnerability in Tenable.io (Nessus).

Re: Unsupported Dropbear Version

Posted: Sun Feb 27, 2022 5:47 pm
by sirhc
peter.fowler wrote: I can confirm that updating to version 1.5.11 (which is now in production) fixes the Dropbear version vulnerability in Tenable.io (Nessus).

Yes, when Eric updated OpenSSL to a version that supported TLS 1.2, that would affect SSH / EMAIL / HTTPS, as I think they all share that package.