On September 30, 2003, new vulnerabilities in the OpenSSL implementation of SSL were announced. These are referred to collectively as the "first" vulnerability in this document.

On November 4, 2003, another vulnerability in the OpenSSL implementation of SSL, version 0.9.6, was announced. This is referred to as the "second" vulnerability in this document.

An affected network device running an SSL server based on an affected OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack when a client presents it with a malformed certificate. The device may be affected even if it is configured not to authenticate client certificates, because the affected OpenSSL code parses a client-supplied certificate whether or not the server requested one. Workarounds are available to mitigate the effects of these vulnerabilities.

This advisory will be posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030930-ssl.
This section provides details on affected products.
The following products have their SSL implementation based on the OpenSSL code and may be affected by the first OpenSSL vulnerability.
Note: Only crypto images (56i and k2) are vulnerable for the Cisco 7100 and 7200 Series Routers.
Note: Only crypto images (k8, k9 and k91) are vulnerable for the Cisco Catalyst 6500 Series and Cisco 7600 Series Routers.
The following products have their SSL implementation based on the OpenSSL code and may be affected by the first and second OpenSSL vulnerabilities.
The following products, which implement SSL, are currently known to be not vulnerable to the OpenSSL vulnerabilities.
CatOS does not implement SSL and is not vulnerable. No other Cisco products are currently known to be affected by these vulnerabilities.
An affected network device running an SSL server based on the OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack when a client presents it with a malformed certificate. The device is affected even if it is configured not to authenticate client certificates: the affected OpenSSL code parses a certificate sent by the client whether or not the server asked for one, so the malformed encoding is processed before any client-authentication policy applies. Any client that can complete a TCP connection to the SSL service can therefore trigger the condition.
More information on the first set of OpenSSL vulnerabilities is available at http://www.openssl.org/news/secadv_20030930.txt. These are referred to collectively as the "first" vulnerability in this document.

More information on the second OpenSSL vulnerability is available at http://www.openssl.org/news/secadv_20031104.txt. This is referred to as the "second" vulnerability in this document.
The Cisco PSIRT recommends that affected users upgrade to fixed software as soon as it is available.
Cisco SIP Proxy Server (SPS): disable SSL/TLS functionality using the Provisioning GUI. Log in, select Farm/Proxies from the Configuration options, select Advanced, then the SIP Server Core tab, and set the Enable TLS directive to Off. Note that with TLS disabled, SIP signalling to and from the proxy is no longer encrypted or authenticated, so this workaround trades the DoS exposure for cleartext signalling until fixed software is installed.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
Train | Fixed Releases | CCO Availability
---|---|---
12.2S | 12.2(14)SY3 | November 24, 2003
12.2S | 12.2(17a)SX1 | October 30, 2003
12.1E | 12.1(20)E2 | January 26, 2004
12.1E | 12.1(14)E7 | October 13, 2003
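A fleet of routers rarely runs exactly the release named in such a table, so the practical question is whether a given "show version" string is at or above the fix for its train. The script below is an added example and is not code from the Cisco advisory: it copies the four fixed releases from the table above, parses IOS version strings with an assumed grammar (major.minor(maintenance[interim])train[rebuild]), and applies a deliberately conservative reading of "first fixed release" tables, which is the author's assumption rather than a statement from the page. The hostnames and versions in the sample inventory are constructed. The table groups SY and SX releases under the 12.2S train; the code instead matches on the release-identifier letters that actually appear in the version string, because that is what a device reports.

```python
"""
Added example, not code from the Cisco advisory: triage Cisco IOS version
strings against the advisory's fixed-release table for the 12.2S and 12.1E
trains.  The version grammar and the "first fixed release" comparison rule
are the author's conservative assumptions, not statements from the page.
"""
import re
from typing import NamedTuple, Optional

# Fixed releases copied from the advisory's table.
FIXED_RELEASES = ["12.2(14)SY3", "12.2(17a)SX1", "12.1(20)E2", "12.1(14)E7"]

# Assumed IOS version grammar: major.minor(maintenance[interim])[train][rebuild]
# e.g. 12.2(17a)SX1 -> major 12, minor 2, maint 17, interim "a", train SX, rebuild 1
_IOS_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)$")


class IosVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    interim: str   # "" or a lowercase letter such as the "a" in 12.2(17a)
    train: str     # release-identifier letters, "" for mainline
    rebuild: int   # 0 when no rebuild number is present


def parse_ios_version(text: str) -> IosVersion:
    """Parse a version string as printed by 'show version'; raise on junk."""
    m = _IOS_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised IOS version string: {text!r}")
    major, minor, maint, interim, train, rebuild = m.groups()
    return IosVersion(int(major), int(minor), int(maint), interim, train,
                      int(rebuild) if rebuild else 0)


_FIXED = [parse_ios_version(v) for v in FIXED_RELEASES]


def is_fixed(version: str) -> Optional[bool]:
    """
    True  -> at or above a listed fixed release for its train
    False -> same train, but below the fix (treat as vulnerable)
    None  -> train not covered by the table; consult the full advisory

    Assumed rule (conservative reading of Cisco "first fixed release" tables):
    a release is fixed if it shares maintenance number and interim letter with
    a listed fix and has an equal or higher rebuild number, or if its
    maintenance level is later than every listed fix for that train.
    Maintenance levels that fall between two listed fixes (12.1(15)E through
    12.1(19)E here) are NOT assumed to carry the fix.
    """
    v = parse_ios_version(version)
    same_train = [f for f in _FIXED
                  if (f.major, f.minor, f.train) == (v.major, v.minor, v.train)]
    if not same_train:
        return None
    for f in same_train:
        if (v.maint, v.interim) == (f.maint, f.interim):
            return v.rebuild >= f.rebuild
    latest = max((f.maint, f.interim) for f in same_train)
    return (v.maint, v.interim) > latest


def triage(inventory: dict) -> dict:
    """Map hostname -> 'fixed' | 'vulnerable' | 'not in table' | 'unparseable'."""
    labels = {True: "fixed", False: "vulnerable", None: "not in table"}
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = labels[is_fixed(ver)]
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "core-6500-1": "12.2(17a)SX1",   # exactly the listed fix
    "core-6500-2": "12.2(14)SY2",    # one rebuild short of 12.2(14)SY3
    "dist-7600-1": "12.2(17)SX",     # lacks the "a" interim: below 12.2(17a)SX1
    "edge-7200-1": "12.1(15)E3",     # between the two listed 12.1E fixes
    "edge-7200-2": "12.1(21)E",      # later than every listed 12.1E fix
    "lab-2600-1":  "12.3(1)",        # mainline, not in the table
    "lab-3600-1":  "12.0(5)WC3b",    # does not match the assumed grammar
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:14} {status}")
```

The "not in table" and "unparseable" outcomes are deliberate: a version the table does not cover is not evidence of safety, and the advisory's own note that only crypto images are affected on some platforms means the image name, not just the version number, has to be checked before a device is closed out.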
The Cisco PSIRT is not aware of any malicious use of the vulnerabilities described in this advisory at this time.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision | Date | Description
---|---|---
Revision 2.2 | 2004-21-Jan | Updated fixed release information and availability for multiple products.
Revision 2.1 | 2003-07-Nov | Clarified products that are known to be affected by the second OpenSSL vulnerability. Added CSS 11000 series (SCM only) as an affected product. Added software availability date for CSPM.
Revision 2.0 | 2003-04-Nov | Added information on second OpenSSL vulnerability.
Revision 1.3 | 2003-13-Oct | Added CSPM as affected. Updated SCA and NAM fixed software status.
Revision 1.2 | 2003-02-Oct | In the "Affected Products" and "Details" sections, added CSA and CTR as being affected. In the "Software Versions and Fixes" section, updated information about affected IOS images.
Revision 1.1 | 2003-30-Sept | Updated information about affected IOS images.
Revision 1.0 | 2003-30-Sept | Initial public release.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.