A new vulnerability in the OpenSSL implementation for SSL has been announced on March 17, 2004. An affected network device running an SSL server based on an affected OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack. There are workarounds available to mitigate the effects of this vulnerability on Cisco products in the workaround section of this advisory. Cisco is providing fixed software, and recommends that customers upgrade to it when it is available. This advisory will be posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040317-openssl.
This section provides details on affected products.
The following products have their SSL implementation based on the OpenSSL code and are affected by this vulnerability.
The following products have their SSL implementation based on the OpenSSL code and are not affected by this vulnerability.
The following products, which implement SSL, are not affected by this vulnerability.
CatOS does not implement SSL and is not vulnerable.
No other Cisco products are currently known to be affected by this vulnerability. It is still being actively investigated across Cisco products, and the status of some products has not yet been determined.
Secure Sockets Layer (SSL) is a protocol used to encrypt the data transferred over a TCP session. In Cisco products, SSL is used mainly by the HyperText Transfer Protocol Secure (HTTPS) web service, whose default TCP port is 443. The affected products listed above are vulnerable only if the HTTPS service is enabled and access to that service is not restricted to trusted hosts or network management workstations. Transit traffic cannot trigger the vulnerability; only traffic destined to the device itself can exploit it.
To check if the HTTPS service is enabled one can do the following:
Testing by the OpenSSL development team has uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. This crash on many Cisco products would cause the device to reload. Repeated exploitation of this vulnerability would result in a Denial of Service (DoS) attack on the device.
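To make the failure mode concrete, the following added example (written for this page, not OpenSSL's code and not part of the original advisory) is a toy TLS-server handshake state machine. It shows the bug class: a ChangeCipherSpec (CCS) handler that assumes the key exchange already happened dereferences a NULL cipher pointer when a client sends its messages out of order, and the hardened handler fails the handshake cleanly instead. The page does not say which message ordering triggers the real bug; the example assumes a CCS sent before the client key exchange as a representative out-of-order case. Message codes, struct layouts, handler names and result codes are all assumptions for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Client handshake messages the toy server understands (illustrative codes,
 * not real TLS content types). */
enum msg {
    MSG_CLIENT_HELLO,
    MSG_CLIENT_KEY_EXCHANGE,
    MSG_CHANGE_CIPHER_SPEC,
    MSG_FINISHED
};

/* Handshake outcome codes (assumed for this demo). */
enum {
    HS_OK = 0,
    HS_CCS_RECEIVED_EARLY = 1,   /* CCS before key exchange: alert and abort */
    HS_UNEXPECTED_MESSAGE = 2
};

struct cipher { const char *name; size_t key_len; };

struct session {
    const struct cipher *cipher;  /* chosen at ClientKeyExchange, NULL before */
    unsigned char key_block[64];
    int keys_ready;
    int finished;
};

static const struct cipher demo_cipher = { "DEMO-CIPHER", 16 };

/* Vulnerable pattern: assumes ClientKeyExchange already ran, so s->cipher is
 * dereferenced unchecked. A client that sends CCS straight after ClientHello
 * makes this a NULL-pointer dereference; the server process crashes, and on
 * the Cisco platforms above that means a device reload. Do not call this on
 * an out-of-order sequence. */
int ccs_unchecked(struct session *s)
{
    memset(s->key_block, 0xAB, s->cipher->key_len);
    s->keys_ready = 1;
    return HS_OK;
}

/* Hardened pattern: a CCS is only valid once the key-exchange state exists;
 * otherwise fail the handshake cleanly instead of crashing. */
int ccs_checked(struct session *s)
{
    if (s->cipher == NULL)
        return HS_CCS_RECEIVED_EARLY;
    memset(s->key_block, 0xAB, s->cipher->key_len);
    s->keys_ready = 1;
    return HS_OK;
}

/* Feed a client's message sequence to a fresh server session using the given
 * CCS handler; return the first non-OK code, or HS_OK on a complete handshake. */
int run_handshake(const enum msg *seq, size_t n, int (*ccs)(struct session *))
{
    struct session s;
    size_t i;
    memset(&s, 0, sizeof s);
    for (i = 0; i < n; i++) {
        int rc = HS_OK;
        switch (seq[i]) {
        case MSG_CLIENT_HELLO:
            break;                        /* negotiate; nothing to key yet */
        case MSG_CLIENT_KEY_EXCHANGE:
            s.cipher = &demo_cipher;      /* cipher fixed, keys derivable */
            break;
        case MSG_CHANGE_CIPHER_SPEC:
            rc = ccs(&s);
            break;
        case MSG_FINISHED:
            if (s.keys_ready) s.finished = 1;
            else rc = HS_UNEXPECTED_MESSAGE;
            break;
        }
        if (rc != HS_OK)
            return rc;
    }
    return s.finished ? HS_OK : HS_UNEXPECTED_MESSAGE;
}

/* Constructed client message sequences for the demo. */
static const enum msg normal_client[] = {
    MSG_CLIENT_HELLO, MSG_CLIENT_KEY_EXCHANGE, MSG_CHANGE_CIPHER_SPEC, MSG_FINISHED
};
static const enum msg early_ccs_client[] = {
    MSG_CLIENT_HELLO, MSG_CHANGE_CIPHER_SPEC, MSG_FINISHED
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

int normal_unchecked(void)  { return run_handshake(normal_client, COUNT(normal_client), ccs_unchecked); }
int normal_checked(void)    { return run_handshake(normal_client, COUNT(normal_client), ccs_checked); }
int early_ccs_checked(void) { return run_handshake(early_ccs_client, COUNT(early_ccs_client), ccs_checked); }

int main(void)
{
    printf("normal handshake, unchecked handler: %d (expect %d)\n", normal_unchecked(), HS_OK);
    printf("normal handshake, checked handler:   %d (expect %d)\n", normal_checked(), HS_OK);
    printf("early CCS, checked handler:          %d (expect %d)\n", early_ccs_checked(), HS_CCS_RECEIVED_EARLY);
    /* early CCS with ccs_unchecked would dereference NULL; deliberately not run */
    return 0;
}
```

The point of the contrast is that the unchecked handler's behaviour on a well-formed handshake is identical to the checked one; the difference only appears when an attacker controls message order, which is exactly what a "carefully crafted handshake" against an exposed HTTPS port gives them. The hardened handler turns a device reload into a failed TLS session for that one client.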
Another flaw was also discovered in the SSL/TLS handshaking code when using Kerberos ciphersuites. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. None of the Cisco OpenSSL implementations are known to use Kerberos ciphersuites and are therefore not affected by this second vulnerability.
A third vulnerability described in the NISCC advisory is a bug in older versions of OpenSSL, versions before 0.9.6d, that can also lead to a Denial of Service attack. None of the Cisco OpenSSL implementations are known to be affected by this older OpenSSL issue.
More information on the OpenSSL vulnerability is available at http://www.openssl.org/news/secadv_20040317.txt.
The Internetworking Terms and Cisco Systems Acronyms online guides can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/.
The Cisco PSIRT recommends that affected users upgrade to a fixed software release as soon as it is available.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, the earliest releases that contain the fix (the "First Fixed Release") are listed in the "Fixed Releases" column, and the anticipated date of availability for each is listed in the "Availability" column. A device running a release in the given train that is earlier than the release in that column (less than the First Fixed Release) is known to be vulnerable. Such a device should be upgraded at least to the indicated release or a later one (greater than or equal to the First Fixed Release label).
For more information on the terms "Rebuild" and "Maintenance," consult the following URL:
http://www.cisco.com/warp/public/620/1.html
Release Train | Fixed Releases | Availability
---|---|---
12.2ZA | 12.2(14)ZA8 | No software availability date has been determined yet.
12.2SY | 12.2(14)SY4 | March 25
12.1E | 12.1(13)E14 | April 8
12.1E | 12.1(19)E7 | April 8
12.1E | 12.1(20)E3 | April 26
12.1E | 12.1(22)E | No software availability date has been determined yet.
The Cisco PSIRT is not aware of any malicious use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco PSIRT by NISCC. NISCC has documented this vulnerability at http://www.uniras.gov.uk/vuls/2004/224012/index.htm.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision | Date | Change
---|---|---
1.6 | 2004-April-8 | Updated CTR and MDS 9000 fixed release information.
1.5 | 2004-April-1 | Added details for CWCS. Updated CSS fixed release information.
1.4 | 2004-March-26 | Added details for CCM and GSS, CSS and SCA.
1.3 | 2004-March-23 | Changed availability date for FWSM. Added details for ACNS.
1.2 | 2004-March-19 | Added the IOS 12.2ZA release train, CSS SCA, ACNS, CTR, GSS 4490 and the CSS 11500 series to the affected product list. Added more details on the PIX.
1.1 | 2004-March-18 | Added CCM and Okena Stormwatch as affected. Added the SSL module for 6500/7600 as not affected. Elaborated on the IOS releases in the Affected section.
1.0 | 2004-March-17 | Initial release.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.