This advisory describes vulnerabilities that affect Cisco products and applications that are installed on Microsoft operating systems incorporating the use of the Server Message Block (SMB) file sharing protocol. It is based on the vulnerabilities in Microsoft's SMB protocol, not due to a defect of the Cisco product or application. Vulnerabilities were discovered that enable an attacker to perform a denial of service against the server and may allow execution of arbitrary code. These vulnerabilities were publicly announced by Microsoft in their Microsoft Security Bulletin MS02-045 . All Cisco products and applications that are using the Microsoft operating systems identified by Microsoft in their Microsoft Security Bulletin MS02-045 are considered vulnerable. This advisory is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020918-smb-dos.
This advisory describes vulnerabilities that affect Cisco products and applications that are installed on Microsoft operating systems incorporating the use of the Server Message Block (SMB) file sharing protocol. It is based on the vulnerabilities in Microsoft's SMB protocol, not due to a defect of the Cisco product or application.
Vulnerabilities were discovered that enable an attacker to perform a
denial of service against the server and may allow execution of arbitrary code.
These vulnerabilities were publicly announced by Microsoft in their Microsoft
Security Bulletin
MS02-045
.
All Cisco products and applications that are using the Microsoft
operating systems identified by Microsoft in their Microsoft Security Bulletin
MS02-045
are considered vulnerable.
This advisory is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020918-smb-dos.
This section provides details on affected products.
To determine if a product is vulnerable, review the list below. If the software versions or configuration information are provided, then only those combinations are vulnerable.
Other products in the list below may be installed on the affected Microsoft operating systems and should have the hotfix from Microsoft installed to remove the vulnerabilities. This list is not all inclusive, please refer to Microsoft's bulletin if you think you have an affected Microsoft platform.
No other Cisco products are currently known to be affected by these vulnerabilities.
The vulnerabilities have been described in more detail at
http://www.microsoft.com/technet/security/bulletin/MS02-045.asp
.
Microsoft documents several workarounds in their bulletin
MS02-045
.
To access the software center for software fixes, you must be a registered user and you must be logged in.
|
Version Affected |
Fixed Regular Release (available now) Fix carries forward into all later versions |
|---|---|
|
Version 3.0.x |
Install win-OS-Upgrade.2000-1-3spF.exe from our Software Center |
|
Version 3.1.x |
Install win-OS-Upgrade.2000-1-3spF.exe from our Software Center |
|
Version 3.2.x |
Install win-OS-Upgrade.2000-1-3spF.exe from our Software Center |
|
Version Affected |
Fixed Regular Release (available now) Fix carries forward into all later versions |
|---|---|
|
Version 1.x |
Follow instructions in the Field Notice Upgrade Program for SPE200 Then install win-OS-Upgrade.2000-1-3spF.exe from our Software Center |
|
Version 2.x |
Install win-OS-Upgrade.2000-1-3spF.exe from our Software Center |
Install the patch for
MS02-045
.
The vulnerabilities described here have been discussed publicly on mailing lists and via security advisories released by other sources. Exploit code for these vulnerabilities is publicly available via the Internet.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
|
Revision 1.1 |
2002-September-20 |
Removed URT from 'fixed' list, reworded summary to more closely match the original Microsoft bulletin |
|
Revision 1.0 |
2002-September-18 |
Initial public release |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.
Vulmon