Field Notice: FN - 64219 - VDS-CDE250-K9 IPMI Firmware V3.09 Requires Security Enhancements-IPMI FW 3.12 Available - BIOS/Firmware Upgrade Recommended

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	19-May-17	Initial Release
10.0	18-Oct-17	Migration to new field notice system
10.1	14-Jan-19	Fixed Broken Image Links and Formatting

Products Affected

Affected Product ID	Comments
CDE250-HV-2WPL-K9=
CDE250-K9
CDE250-XR-2WPL-K9=

Defect Information

Defect ID	Headline
CSCvc18598	CDE250 IPMI FW older than v3.12 have a weak cypher issue that is fixed in the CDE250 IPMI v3.12
CSCve34374	CDE250 the i2C bus can hang because of contention on the i2C bus

Problem Description

This Field Notice addresses two issues on the Content Delivery Engine 250 (CDE250):

• Updates to the Intelligent Platform Management Interface (IPMI) firmware in order to remove weak ciphers from IPMI Secure Socket Shell (SSH) support.
• The current Super Doctor (SDT) utility might result in Inter-Integrated Circuit (I2C) Bus hang.

Background

Cipher is an algorithm used to perform encryption or decryption in the SSH protocol. The CDE250 IPMI firmware versions 3.09 and earlier have weak cipher. The CDE250 system utilizes IPMI in order to monitor and manage the health of the system. This function is implemented with embedded IPMI firmware that runs within the Baseboard Management Controller (BMC) that resides on the motherboard. The new security enhancement in IPMI version 3.12 improves the cipher.

The SDT utility versions 2.112 and earlier directly access the BMC and do not validate the I2C bus availability. This possibly causes contention issues which could result in I2C bus hang. SDT version 2.113 addresses this particular issue.

Problem Symptom

There is no error message for the weak cipher.

This symptom can be observed for the I2C hang issue:

Workaround/Solution

Cisco recommends that these steps be taken in order to update the IPMI for VDS-TV, VQE, and VDS-IS applications and the SDT utility for VDS-TV and VD-IS applications. This update needs to be done during a maintenance window.

Product ID	IPMI FW Version	Action
CDE250-K9	FW version = 3.12 or later (SDT v2.113 required)	Unit is good, no action required
CDE250-K9	FW version = 1.33 or 2.05 or 3.03, 3.06 or 3.09	Upgrade IPMI FW

 

1. Determine the IPMI FW version (see the How to Identify Affected Products section).
   Note: The new IPMI FW requires SDT version 2.113.
2. If the IPMI version is not 3.12, update the IPMI FW to version 3.12 with the IPMI dedicated Ethernet port and web interface or a DOS boot stick with the IPMIUP.BAT (yafukcs -full X8DAH312.ima).
3. Reboot the system.
4. Verify the IPMI FW is updated successfully.

For further details, refer to the IPMI Firmware v3.12 and SDT 2.113 Upgrade instructions.

For the VDS-IS application, patches have been developed in order to upgrade the SDT version 2.113 as it is required for the new IPMI FW.

VDS-IS Release	IPMI FW	HW platform	Impact	Action	Required Patch
3.x	3.12 and later	CDE250-K9	All customers that use version 3.x up to the latest 3.3.1b138 imaged	Apply the corresponding patch in VDS-IS to upgrade the SDT version to 2.113	IPMI_VDS-IS_3x_SDT-2.113_Patch
4.x	3.12 and later	CDE250-K9	All customers that use version 4.x up to the latest 4.3.2-b28 image	Apply corresponding patch in VDS-IS to upgrade the SDT version to 2.113	IPMI_VDS-IS_4x_SDT-2.113_Patch

 

Update the VDS-IS Application with the Script

1. Unzip the required IPMI_VDS-IS_3x_SDT-2.113_Patch.zip / IPMI_VDS-IS_4x_SDT-2.113_Patch.zip file.
2. Copy all the files to the CDE250. Make sure all the files are copied to the location "local/local1".
3. Use these commands in order to check and execute the script: script check ipmi_script.sh script execute ipmi_script.sh
4. Once the patch is executed properly, reload the box.

Refer to the Release Notes and IPMI Firmware downloads for further details:

• CDE250 IPMI Security Enhancement - CSCvc18598 Release Notes
• CDE250 I2C Bus Contention - CSCve34374 Release Notes
• IPMI firmware upgrade downloads:
  • IPMI FW v3.12 for VDS-TV Application: vdstv-ipmi312.zip
  • IPMI FW v3.12 for VQE Application: vdsvqe-ipmi312.zip
  • IPMI FW v3.12 for VDS-IS Application: vdsis-ipmi312.zip

How To Identify Affected Products

The hardware information can be obtained either with a CLI command or a physical inspection of the chassis. The CLI command as shown in this screenshot must be used in order to determine the IPMI FW version.

Command Line

CDE Product ID Information

Visual Inspection

In order to identify the affected chassis, check the Product ID (PID) located on the right front corner of the top of the chassis.

 

This label is located on top right front corner of the chassis.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

• Open a service request on Cisco.com
• By email
• By telephone

Receive Email Notification For New Field Notices

Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.