Thread-topic: Multiple Vulnerabilities in Cisco IOS While Processing SSL Packets
> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of Cisco Systems Product Security Incident Response Team
> Sent: Tuesday, May 22, 2007 7:07 PM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Cc: psirt@xxxxxxxxx
> Subject: [Full-disclosure] Cisco Security Advisory: Multiple
> Vulnerabilities in Cisco IOS While Processing SSL Packets
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Cisco Security Advisory:
> Multiple Vulnerabilities in Cisco IOS While Processing SSL Packets
>
> Advisory ID: cisco-sa-20070522-SSL
>
> http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
>
> Revision 1.0
>
> For Public Release 2007 May 22 1300 UTC (GMT)
>
> - -------------------------------------------------------------------------------
>
> Summary
> =======
>
> Cisco IOS device may crash while processing malformed Secure Sockets Layer
> (SSL) packets. In order to trigger these vulnerabilities, a malicious client
> must send malformed packets during the SSL protocol exchange with the
> vulnerable device.
>
> Successful repeated exploitation of any of these vulnerabilities may lead to a
> sustained Denial-of-Service (DoS); however, vulnerabilities are not known to
> compromise either the confidentiality or integrity of the data or the device.
> These vulnerabilities are not believed to allow an attacker to decrypt any
> previously encrypted information.
>
> Cisco IOS is affected by the following vulnerabilities:
>
> * Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
> * Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
> * Processing Finished messages, documented as Cisco bug ID CSCsd92405
>
> Cisco has made free software available to address these vulnerabilities for
> affected customers. There are workarounds available to mitigate the effects of
> these vulnerabilities.
>
> This advisory is posted at
> http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
>
> Note: Another related advisory has been posted with this advisory. This
> additional advisory also describes a vulnerability related to cryptography that
> affects Cisco IOS. This related advisory is available at the following link:
> http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml
>
> A combined software table for Cisco IOS is available to aid customers in
> choosing a software release that fixes all security vulnerabilities published
> as of May 22, 2007. This software table is available at the following link:
> http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
>
> Affected Products
> =================
>
> Vulnerable Products
> +------------------
>
> These vulnerabilities affect all Cisco devices running Cisco IOS software
> configured to use the SSL protocol. The following application layer protocols
> in Cisco IOS use SSL:
>
> * Hyper Text Transfer Protocol over SSL (HTTPS). This is the most commonly
> used protocol that employs SSL.
> * Cisco Network Security (CNS) Agent with SSL support
> * Firewall Support of HTTPS Authentication Proxy
> * Cisco IOS Clientless SSL VPN (WebVPN) support
>
> Other protocols that use encryption to provide security but do not use SSL are
> not affected by these vulnerabilities. Specifically, IPSec and Secure Shell
> (SSH) are not affected.
>
> To determine the software running on a Cisco IOS product, log in to the device
> and issue the show version command to display the system banner. Cisco IOS
> software will identify itself as "Internetwork Operating System Software" or
> simply "IOS." On the next line of output, the image name will be displayed
> between parentheses, followed by "Version" and the Cisco IOS release name.
> Other Cisco devices will not have the show version command, or will give
> different output.
>
> Only Cisco IOS images that contain the Crypto Feature Set are vulnerable.
> Customers who are not running an IOS image with crypto support are not exposed
> to this vulnerability.
>
> Cisco IOS feature set naming indicates that IOS images with crypto support have
> 'K8' or 'K9' in the feature designator field.
>
> The following example shows output from a device running an IOS image with
> crypto support:
>
> Router>show version
> Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2005 by Cisco Systems, Inc.
> Compiled Thu 31-Mar-05 08:04 by yiyan
>
>
> Since the feature set designator (IK9S) contains 'K9', it can be determined that
> this feature set contains crypto support.
>
> Additional information about Cisco IOS release naming is available at the
> following link:
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml.
>
> The following text describes how to recognize if any of the affected services
> are enabled on a device.
>
> Hyper Text Transfer Protocol Over SSL (HTTPS)
> +--------------------------------------------
>
> To determine if a device has HTTPS enabled, enter the command
> "show run | include ip http". The following example shows output from
> a device that has HTTPS enabled:
>
> Router#show run | include secure-server
> ip http secure-server
>
>
> The following example shows output from a device that does not have HTTPS
> enabled:
>
> Router#show run | include secure-server
> no ip http secure-server
>
>
> CNS Agent With SSL Support
> +-------------------------
>
> CNS Agent with SSL support can only be enabled on devices running a Cisco IOS
> image that supports encryption. The following example shows output from a
> device that has CNS Agent configured to support SSL:
>
> Router#show run | include cns config initial
> cns config initial 10.1.1.1 encrypt no-persist
>
>
> If the output does not contain the encrypt keyword, the CNS Agent is not
> vulnerable.
>
> Firewall Support of HTTPS Authentication Proxy
> +---------------------------------------------
>
> To determine if a device has authentication proxy for HTTPS enabled, enter the
> command "show ip auth-proxy configuration". The following example shows output
> from a device that has authentication proxy for HTTPS enabled:
>
> Router#show ip auth-proxy configuration
> Authentication cache time is 60 minutes
> Authentication Proxy Rule Configuration
> Auth-proxy name my_pxy
> http list not specified auth-cache-time 1 minutes
>
>
> If the command does not produce any output, authentication proxy for HTTPS is
> not enabled.
>
> Cisco IOS Clientless SSL VPN (WebVPN) Enhanced Support
> +-----------------------------------------------------
>
> To determine if a device has Cisco IOS Clientless SSL VPN (WebVPN) enhanced
> support enabled, enter the command "show webvpn gateway". The following
> example shows output from a device that has Cisco IOS Clientless SSL VPN
> (WebVPN) enhanced support enabled:
>
> Router#show webvpn gateway
>
> Gateway Name Admin Operation
> ------------ ----- ---------
> web-server up up
>
>
> If the command does not produce any output, Cisco IOS Clientless SSL VPN
> (WebVPN) enhanced support is not enabled.
>
> Products Confirmed Not Vulnerable
> +--------------------------------
>
> No other Cisco products are currently known to be affected by these
> vulnerabilities.
>
> Details
> =======
>
> SSL is a protocol designed to provide a secure connection between two hosts.
> The SSL Protocol is described in RFC4346. While not necessary for the
> understanding of this advisory, users are encouraged to consult the section
> "7.3 handshake Protocol Overview" in RFC4346 as well as Figure 1 in the same
> section. The text of the RFC4346 is available at the following link:
> http://tools.ietf.org/html/rfc4346#section-7.3.
>
> An attacker can trigger these vulnerabilities after establishing a TCP
> connection, but prior to the exchange of authentication credentials, such as
> username/password or certificate. The requirement of the complete TCP 3-way
> handshake reduces the probability that these vulnerabilities will be exploited
> through the use of spoofed IP addresses.
>
> An attacker intercepting traffic between two affected devices cannot exploit
> these vulnerabilities if the SSL session is already established because SSL
> protects against such injection. However, such an attack could abnormally
> terminate an existing session, via a TCP RST, for example. The attacker could
> then wait for a new SSL session to be established and inject malicious packets
> at the beginning of the new SSL session, thus triggering the vulnerability.
>
> Processing ClientHello Messages May Cause Crash
> +----------------------------------------------
>
> A vulnerable device may crash when processing a malformed ClientHello message.
> The ClientHello message is the first to be sent when a client connects to a
> server. It can also be sent after the SSL session is established; in such
> cases, the message is sent within the encrypted tunnel.
>
> This vulnerability is documented as Cisco bug ID CSCsb12598
>
> Processing ChangeCipherSpec Messages May Cause Crash
> +---------------------------------------------------
>
> A vulnerable device may crash when processing a malformed ChangeCipherSpec
> message. The ChangeCipherSpec message can only be sent after the ClientHello
> and ServerHello messages are exchanged. In most cases, the ChangeCipherSpec
> message is sent within the encrypted tunnel.
>
> This vulnerability is documented as Cisco bug ID CSCsb40304
>
> Processing Finished Messages May Cause Crash
> +-------------------------------------------
>
> A vulnerable device may crash when processing a malformed Finished message.
> This message can only be sent as a part of an SSL handshake, but not as the
> first message. The Finished message is always sent within the encrypted tunnel.
>
> This vulnerability is documented as Cisco bug ID CSCsd92405
>
> Vulnerability Scoring Details
> +----------------------------
>
> Cisco is providing scores for the vulnerabilities in this advisory based on the
> Common Vulnerability Scoring System (CVSS).
>
> Cisco will provide a base and temporal score. Customers can then compute
> environmental scores to assist in determining the impact of the vulnerability
> in individual networks.
>
> Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged
> to apply the bias parameter when determining the environmental impact of a
> particular vulnerability.
>
> CVSS is a standards based scoring method that conveys vulnerability severity
> and helps determine urgency and priority of response.
>
> Cisco has provided an FAQ to answer additional questions regarding CVSS at
> http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
>
> Cisco has also provided a CVSS calculator to help compute
> the environmental impact for individual networks at
> http://intellishield.cisco.com/security/alertmanager/cvss.
>
> Cisco Bug IDs:
>
> CSCsb12598 - Processing ClientHello messages
>
> CVSS Base Score: 3.3
> Access Vector: Remote
> Access Complexity: Low
> Authentication: Not Required
> Confidentiality Impact: None
> Integrity Impact: None
> Availability Impact: Complete
> Impact Bias: Normal
>
> CVSS Temporal Score: 2.7
> Exploitability: Functional
> Remediation Level: Official Fix
> Report Confidence: Confirmed
>
> CSCsb40304 - Processing ChangeCipherSpec messages
>
> CVSS Base Score: 3.3
> Access Vector: Remote
> Access Complexity: Low
> Authentication: Not Required
> Confidentiality Impact: None
> Integrity Impact: None
> Availability Impact: Complete
> Impact Bias: Normal
>
> CVSS Temporal Score: 2.7
> Exploitability: Functional
> Remediation Level: Official Fix
> Report Confidence: Confirmed
>
>
> CSCsd92405 - Processing Finished messages
>
> CVSS Base Score: 3.3
> Access Vector: Remote
> Access Complexity: Low
> Authentication: Not Required
> Confidentiality Impact: None
> Integrity Impact: None
> Availability Impact: Complete
> Impact Bias: Normal
>
> CVSS Temporal Score: 2.7
> Exploitability: Functional
> Remediation Level: Official Fix
> Report Confidence: Confirmed
>
>
> Impact
> ======
>
> Successful exploitation of any vulnerability listed in this advisory may result
> in the crash of the affected device. Repeated exploitation can result in a
> sustained DoS condition.
>
> Software Versions and Fixes
> ===========================
>
> When considering software upgrades, also consult http://www.cisco.com/go/psirt
> and any subsequent advisories to determine exposure and a complete upgrade
> solution.
>
> In all cases, customers should exercise caution to be certain the devices to be
> upgraded contain sufficient memory and that current hardware and software
> configurations will continue to be supported properly by the new release. If
> the information is not clear, contact the Cisco Technical Assistance Center
> ("TAC") or your contracted maintenance provider for assistance.
>
> Each row of the Cisco IOS software table (below) describes a release train. If
> a given release train is vulnerable, then the earliest possible releases that
> contain the fix (the "First Fixed Release") and the anticipated date of
> availability for each are listed in the "Rebuild" and "Maintenance" columns. A
> device running a release in the given train that is earlier than the release in
> a specific column (less than the First Fixed Release) is known to be
> vulnerable. The release should be upgraded at least to the indicated release or
> a later version (greater than or equal to the First Fixed Release label).
>
> For more information on the terms "Rebuild" and "Maintenance," consult the
> following URL:
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml
>
> +---------------------------------------------------------------------+
> | Major Release           |     Availability of Repaired Releases     |
> |-------------------------+-------------------------------------------|
> | Affected 12.0-Based     | Rebuild                     | Maintenance |
> | Release                 |                             |             |
> |-------------------------+-------------------------------------------|
> | 12.0T                   | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> | 12.0WC                  | 12.0(5)WC17                 |             |
> |-------------------------+-------------------------------------------|
> | 12.0XE                  | Vulnerable; migrate to 12.1(26)E8 or      |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.0XH                  | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> | 12.0XI                  | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> | 12.0XK                  | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> | 12.0XL                  | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> | 12.0XN                  | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> | 12.0XQ                  | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> | 12.0XR                  | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> | 12.0XV                  | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> | Affected 12.1-Based     | Rebuild                     | Maintenance |
> | Release                 |                             |             |
> |-------------------------+-------------------------------------------|
> | 12.1                    | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1AY                  | Vulnerable; migrate to 12.1(22)EA9 or     |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.1CX                  | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> |                         | 12.1(26)E8                  |             |
> | 12.1E                   |-----------------------------+-------------|
> |                         | 12.1(27b)E2; available      |             |
> |                         | 25-June-07                  |             |
> |-------------------------+-----------------------------+-------------|
> | 12.1EA                  | 12.1(22)EA9                 |             |
> |-------------------------+-----------------------------+-------------|
> | 12.1EB                  | 12.1(26)EB2; available      |             |
> |                         | 30-July-07                  |             |
> |-------------------------+-------------------------------------------|
> | 12.1EC                  | Vulnerable; migrate to 12.3(21)BC or      |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.1EW                  | Vulnerable; migrate to 12.2(25)EWA9 or    |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.1EX                  | Vulnerable; migrate to 12.1(26)E8 or      |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.1EY                  | Vulnerable; migrate to 12.1(26)E8 or      |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.1T                   | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1XC                  | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1XD                  | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1XF                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1XG                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1XH                  | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1XI                  | Vulnerable; migrate to 12.2(46) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1XJ                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1XL                  | 12.1(3a)XL2                 |             |
> |-------------------------+-------------------------------------------|
> | 12.1XM                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1XP                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1XQ                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1XT                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1XU                  | 12.1(5)XU2                  |             |
> |-------------------------+-------------------------------------------|
> | 12.1YB                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1YC                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1YD                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1YE                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1YF                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.1YI                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | Affected 12.2-Based     | Rebuild                     | Maintenance |
> | Release                 |                             |             |
> |-------------------------+-----------------------------+-------------|
> | 12.2                    |                             | 12.2(46)    |
> |-------------------------+-------------------------------------------|
> | 12.2B                   | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2BC                  | Vulnerable; migrate to 12.3(17b)BC5 or    |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2BW                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2BY                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2BZ                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.2CX                  | Vulnerable; migrate to 12.3(21)BC or      |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2CY                  | Vulnerable; migrate to 12.3(21)BC or      |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2CZ                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.2DD                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2EW                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.2EWA                 | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.2EX                  | Vulnerable; migrate to 12.2(25)SEE3 or    |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2EY                  | Vulnerable; migrate to 12.2(35)SE or      |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2EZ                  | Vulnerable; migrate to 12.2(25)SEE3 or    |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2FX                  | Vulnerable; migrate to 12.2(25)SEE3 or    |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2FY                  | Vulnerable; migrate to 12.2(25)SEG2 or    |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2FZ                  | Vulnerable; migrate to 12.2(35)SE or      |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2IXA                 | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.2IXB                 | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.2JA                  | Vulnerable; migrate to 12.3(11)JA or      |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2JK                  | Vulnerable; migrate to 12.4(4)T or later  |
> |-------------------------+-------------------------------------------|
> | 12.2S                   | Vulnerable; migrate to 12.2(31)SB2 or     |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2SB                  | 12.2(31)SB2                 |             |
> |-------------------------+-------------------------------------------|
> | 12.2SBC                 | Vulnerable; migrate to 12.2(31)SB2 or     |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2SE                  |                             | 12.2(35)SE  |
> |-------------------------+-------------------------------------------|
> | 12.2SEA                 | Vulnerable; migrate to 12.2(25)SEE3 or    |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2SEB                 | Vulnerable; migrate to 12.2(25)SEE3 or    |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2SEC                 | Vulnerable; migrate to 12.2(25)SEE3 or    |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2SED                 | Vulnerable; migrate to 12.2(25)SEE3 or    |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2SEE                 | 12.2(25)SEE3                |             |
> |-------------------------+-------------------------------------------|
> | 12.2SEF                 | Vulnerable; migrate to 12.2(35)SE or      |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2SEG                 | 12.2(25)SEG2                |             |
> |-------------------------+-------------------------------------------|
> | 12.2SG                  | 12.2(37)SG                                |
> |-------------------------+-------------------------------------------|
> | 12.2SGA                 | 12.2(31)SGA1                |             |
> |-------------------------+-----------------------------+-------------|
> | 12.2SRA                 | 12.2(33)SRA2                |             |
> |-------------------------+-------------------------------------------|
> | 12.2SU                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> |                         | 12.2(28)SV2                 |             |
> | 12.2SV                  |-----------------------------+-------------|
> |                         | 12.2(29)SV3                 |             |
> |-------------------------+-----------------------------+-------------|
> | 12.2SW                  | 12.2(25)SW8                 |             |
> |-------------------------+-------------------------------------------|
> | 12.2SX                  | Vulnerable; migrate to 12.2(18)SXE6b or   |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2SXA                 | Vulnerable; migrate to 12.2(18)SXE6b or   |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2SXB                 | Vulnerable; migrate to 12.2(18)SXE6b or   |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2SXD                 | Vulnerable; migrate to 12.2(18)SXE6b      |
> |-------------------------+-------------------------------------------|
> | 12.2SXE                 | 12.2(18)SXE6b               |             |
> |-------------------------+-----------------------------+-------------|
> | 12.2SXF                 | 12.2(18)SXF                 |             |
> |-------------------------+-------------------------------------------|
> | 12.2SY | Vulnerable; migrate to
> 12.2(18)SXE6b or |
> | | later
> |
> |-------------------------+-----------------------------------
> --------|
> | 12.2T | Vulnerable; migrate 12.3(22) or
> later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2TPC | 12.2(8)TPC10b |
> |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XA | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XB | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XD | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XE | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XF | Vulnerable; migrate to 12.3(21)BC
> or |
> | | later
> |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XG | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XH | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XI | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XJ | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XK | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XL | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XM | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XN | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XQ | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XR | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XS | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XT | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XU | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XV | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2XW | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2YA | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2YB | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2YC | Vulnerable; migrate to 12.3(22)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2YD | Vulnerable; migrate to 12.4(10)
> or later |
> |-------------------------+-----------------------------------
> --------|
> | 12.2YE                  | Vulnerable; migrate to 12.2(31)SB2 or     |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2YF                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2YJ                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2YL                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2YM                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2YN                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2YQ                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2YR                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2YU                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2YV                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2YW                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2YX                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2YY                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2YZ                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.2ZA                  | Vulnerable; migrate to 12.2(18)SXE6b or   |
> |                         | later                                     |
> |-------------------------+-------------------------------------------|
> | 12.2ZB                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2ZD                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.2ZE                  | Vulnerable; migrate to 12.3(22) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2ZF                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2ZH                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.2ZJ                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2ZL                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.2ZN                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.2ZU                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.2ZV                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.2ZW                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.2ZX                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | Affected 12.3-Based     | Rebuild                     | Maintenance |
> | Release                 |                             |             |
> |-------------------------+-----------------------------+-------------|
> | 12.3                    |                             | 12.3(22)    |
> |-------------------------+-------------------------------------------|
> | 12.3B                   | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.3BC                  | 12.3(17b)BC5                | 12.3(21)BC  |
> |-------------------------+-----------------------------+-------------|
> | 12.3JA                  |                             | 12.3(11)JA  |
> |-------------------------+-----------------------------+-------------|
> | 12.3JEA                 |                             | 12.3(8)JEA  |
> |-------------------------+-------------------------------------------|
> | 12.3JK                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.3JX                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.3T                   | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.3TPC                 | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.3XA                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.3XB                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.3XC                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.3XD                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.3XE                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.3XF                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.3XG                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.3XH                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.3XI                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.3XJ                  | Vulnerable; migrate to 12.4(11)T or later |
> |-------------------------+-------------------------------------------|
> | 12.3XK                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.3XQ                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.3XR                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.3XS                  | Vulnerable; migrate to 12.4(10) or later  |
> |-------------------------+-------------------------------------------|
> | 12.3XU                  | Vulnerable; migrate to 12.4(11)T or later |
> |-------------------------+-------------------------------------------|
> | 12.3XW                  | Vulnerable; migrate to 12.4(11)T or later |
> |-------------------------+-------------------------------------------|
> | 12.3XX                  | 12.3(8)XX2d                 |             |
> |-------------------------+-------------------------------------------|
> | 12.3YA                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.3YD                  | Vulnerable; migrate to 12.4(11)T or later |
> |-------------------------+-------------------------------------------|
> | 12.3YF                  | Vulnerable; migrate to 12.4(11)T or later |
> |-------------------------+-------------------------------------------|
> | 12.3YG                  | Vulnerable; migrate to 12.4(11)T or later |
> |-------------------------+-------------------------------------------|
> | 12.3YH                  | Vulnerable; migrate to 12.4(11)T or later |
> |-------------------------+-------------------------------------------|
> | 12.3YI                  | Vulnerable; migrate to 12.4(11)T or later |
> |-------------------------+-------------------------------------------|
> | 12.3YK                  | Vulnerable; migrate to 12.4(11)T or later |
> |-------------------------+-------------------------------------------|
> | 12.3YQ                  | Vulnerable; migrate to 12.4(11)T or later |
> |-------------------------+-------------------------------------------|
> | 12.3YS                  | Vulnerable; migrate to 12.4(11)T or later |
> |-------------------------+-------------------------------------------|
> | 12.3YT                  | Vulnerable; migrate to 12.4(11)T or later |
> |-------------------------+-------------------------------------------|
> | 12.3YU                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.3YX                  | Vulnerable; migrate to 12.4(11)T or later |
> |-------------------------+-------------------------------------------|
> | 12.3YZ                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | Affected 12.4-Based     | Rebuild                     | Maintenance |
> | Release                 |                             |             |
> |-------------------------+-----------------------------+-------------|
> | 12.4                    |                             | 12.4(10)    |
> |-------------------------+-----------------------------+-------------|
> | 12.4T                   |                             | 12.4(11)T   |
> |-------------------------+-------------------------------------------|
> | 12.4XA                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.4XB                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.4XC                  | 12.4(4)XC6                  |             |
> |-------------------------+-----------------------------+-------------|
> | 12.4XD                  | 12.4(4)XD5                  |             |
> |-------------------------+-------------------------------------------|
> | 12.4XE                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.4XP                  | Vulnerable; contact TAC                   |
> |-------------------------+-------------------------------------------|
> | 12.4XT                  | Vulnerable; contact TAC                   |
> +---------------------------------------------------------------------+
>
> Workarounds
> ===========
>
> The only way to prevent a device from being susceptible to the listed
> vulnerabilities is to disable the affected service(s). However, if
> regular maintenance and operation of the device relies on these
> services, there is no workaround.
>
> It is possible to mitigate these vulnerabilities by preventing
> unauthorized hosts from accessing affected devices. Additional
> mitigations that can be deployed on Cisco devices within the network
> are available in the Cisco Applied Intelligence companion document for
> this advisory. This companion document is available at the following
> link:
> http://www.cisco.com/warp/public/707/cisco-air-20070522-SSL.shtml
>
> Control Plane Policing (CoPP)
> +----------------------------
>
> Control Plane Policing: IOS software versions that support Control
> Plane Policing (CoPP) can be configured to help protect the device from
> attacks that target the management and control planes. CoPP is
> available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T,
> 12.4, and 12.4T.
>
> In the following CoPP example, the ACL entries that match the exploit
> packets with the permit action will be discarded by the policy-map drop
> function, while packets that match a "deny" action (not shown) are not
> affected by the policy-map drop function:
>
> !-- Include deny statements up front for any protocols/ports/IP
> !-- addresses that should not be impacted by CoPP
> !
> !-- Include permit statements for the protocols/ports that will be
> !-- governed by CoPP
> !
> access-list 100 permit tcp any any eq 443
> !
> !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
> !-- traffic in accordance with existing security policies and
> !-- configurations for traffic that is authorized to be sent
> !-- to infrastructure devices.
> !
> !-- Create a Class-Map for traffic to be policed by
> !-- the CoPP feature.
> !
> class-map match-all drop-SSL-class
>  match access-group 100
> !
> !-- Create a Policy-Map that will be applied to the
> !-- Control-Plane of the device.
> !
> policy-map drop-SSL-policy
>  class drop-SSL-class
>   drop
> !
> !-- Apply the Policy-Map to the Control-Plane of the
> !-- device.
> !
> control-plane
>  service-policy input drop-SSL-policy
>
>
> Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains, the
> policy-map syntax is different, as demonstrated by the following:
>
> policy-map drop-SSL-policy
>  class drop-SSL-class
>   police 32000 1500 1500 conform-action drop exceed-action drop
>
>
> NOTE: In the above CoPP example, the ACL entries with the "permit"
> action that match the exploit packets result in the discarding of those
> packets by the policy-map drop function, while packets that match the
> "deny" action are not affected by the policy-map drop function.
>
> Additional information on the configuration and use of the CoPP feature
> is available at the following links:
> http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml
> and
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html
>
> Access Control List (ACL)
> +------------------------
>
> An Access Control List (ACL) can be used to help mitigate attacks
> targeting these vulnerabilities. ACLs can specify that only packets
> from legitimate sources are permitted to reach a device, and all others
> are to be dropped. The following example shows how to allow legitimate
> SSL sessions from trusted sources and deny all other SSL sessions:
>
> access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 443
> access-list 101 deny tcp any any eq 443
>
>
> Obtaining Fixed Software
> ========================
>
> Cisco has made free software available to address this vulnerability
> for affected customers. Prior to deploying software, customers should
> consult their maintenance provider or check the software for feature
> set compatibility and known issues specific to their environment.
>
> Customers may only install and expect support for the feature sets they
> have purchased. By installing, downloading, accessing or otherwise
> using such software upgrades, customers agree to be bound by the terms
> of Cisco's software license terms found at
> http://www.cisco.com/public/sw-license-agreement.html, or as otherwise
> set forth at Cisco.com Downloads at
> http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
>
> Do not contact either "psirt@xxxxxxxxx" or "security-alert@xxxxxxxxx"
> for software upgrades.
>
> Customers with Service Contracts
> +-------------------------------
>
> Customers with contracts should obtain upgraded software through their
> regular update channels. For most customers, this means that upgrades
> should be obtained through the Software Center on Cisco's worldwide
> website at http://www.cisco.com.
>
> Customers using Third-party Support Organizations
> +------------------------------------------------
>
> Customers whose Cisco products are provided or maintained through prior
> or existing agreement with third-party support organizations such as
> Cisco Partners, authorized resellers, or service providers should
> contact that support organization for guidance and assistance with the
> appropriate course of action in regards to this advisory.
>
> The effectiveness of any workaround or fix is dependent on specific
> customer situations such as product mix, network topology, traffic
> behavior, and organizational mission. Due to the variety of affected
> products and releases, customers should consult with their service
> provider or support organization to ensure any applied workaround or
> fix is the most appropriate for use in the intended network before it
> is deployed.
>
> Customers without Service Contracts
> +----------------------------------
>
> Customers who purchase direct from Cisco but who do not hold a Cisco
> service contract and customers who purchase through third-party vendors
> but are unsuccessful at obtaining fixed software through their point of
> sale should get their upgrades by contacting the Cisco Technical
> Assistance Center (TAC). TAC contacts are as follows.
>
> * +1 800 553 2447 (toll free from within North America)
> * +1 408 526 7209 (toll call from anywhere in the world)
> * e-mail: tac@xxxxxxxxx
>
> Have your product serial number available and give the URL of this
> notice as evidence of your entitlement to a free upgrade. Free upgrades
> for non-contract customers must be requested through the TAC.
>
> Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
> for additional TAC contact information, including special localized
> telephone numbers and instructions and e-mail addresses for use in
> various languages.
>
> Exploitation and Public Announcements
> =====================================
>
> The Cisco PSIRT is not aware of any public announcements or malicious
> use of the vulnerabilities described in this Advisory.
>
> These vulnerabilities were discovered by Cisco during internal testing.
>
> Status of This Notice: FINAL
> ============================
>
> THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
> KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
> MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
> INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
> YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
> DOCUMENT AT ANY TIME.
>
> A stand-alone copy or Paraphrase of the text of this document that
> omits the distribution URL in the following section is an uncontrolled
> copy, and may lack important information or contain factual errors.
>
> Distribution
> ============
>
> This advisory is posted on Cisco's worldwide website at
> http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
>
> In addition to worldwide web posting, a text version of this notice is
> clear-signed with the Cisco PSIRT PGP key and is posted to the
> following e-mail and Usenet news recipients.
>
> * cust-security-announce@xxxxxxxxx
> * first-teams@xxxxxxxxx
> * bugtraq@xxxxxxxxxxxxxxxxx
> * vulnwatch@xxxxxxxxxxxxx
> * cisco@xxxxxxxxxxxxxxxxx
> * cisco-nsp@xxxxxxxxxxxxxxx
> * full-disclosure@xxxxxxxxxxxxxxxxx
> * comp.dcom.sys.cisco@xxxxxxxxxxxxxxxxxx
>
> Future updates of this advisory, if any, will be placed on Cisco's
> worldwide website, but may or may not be actively announced on mailing
> lists or newsgroups. Users concerned about this problem are encouraged
> to check the above URL for any updates.
>
> Revision History
> ================
>
> +---------------------------------------------------------------------+
> | Revision 1.0 | 2007-May-22 | Initial public release.                |
> +---------------------------------------------------------------------+
>
> Cisco Security Procedures
> =========================
>
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and registering
> to receive security information from Cisco, is available on Cisco's
> worldwide website at
> http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
> This includes instructions for press inquiries regarding Cisco security
> notices. All Cisco security advisories are available at
> http://www.cisco.com/go/psirt.
>
> - -------------------------------------------------------------------------------
> All contents are Copyright 2006-2007 Cisco Systems, Inc. All rights reserved.
> - -------------------------------------------------------------------------------
>
> Updated: May 22, 2007
> Document ID: 91888
>
> - -------------------------------------------------------------------------------
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
>
> iD8DBQFGUv7w8NUAbBmDaxQRAt2eAJ9HfpjbjdXCbden9C3cegJgptT6fgCgscZ4
> Ce+S5/oA5GrNfmtT4Taqm20=
> =IRzP
> -----END PGP SIGNATURE-----
>
>
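
The permit/deny behaviour described in the advisory's CoPP note, as an added example that is not part of the advisory or of the original post: a small Python model of first-match ACL evaluation for the drop-SSL-class, showing why the "deny" exemptions have to come before the catch-all "permit". The address 192.0.2.10 (standing in for a trusted management host), the other sample addresses and the function names are assumptions.

```python
import ipaddress

# Constructed ACL for the CoPP class. 192.0.2.10 is a placeholder for a
# trusted management host; it is not a value from the advisory.
ACL_100 = """
access-list 100 deny tcp host 192.0.2.10 any eq 443
access-list 100 permit tcp any any eq 443
"""

def _take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (address or None, rest)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_address(tokens[1]), tokens[2:]
    raise ValueError("unsupported address form: " + tokens[0])

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        src, rest = _take_addr(tokens[4:])
        dst, rest = _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries

def copp_verdict(entries, proto, src, dst, dport):
    """Return 'drop' or 'pass' for one packet sent to the control plane.

    The first matching entry decides. 'permit' puts the packet in the class,
    whose policy action is drop; 'deny' (or no match at all) keeps it out of
    the class, so this drop policy never sees it.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, e_proto, e_src, e_dst, e_port in entries:
        if e_proto != proto:
            continue
        if e_src is not None and e_src != src:
            continue
        if e_dst is not None and e_dst != dst:
            continue
        if e_port is not None and e_port != dport:
            continue
        return "drop" if action == "permit" else "pass"
    return "pass"

if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    for src, port in [("192.0.2.10", 443), ("203.0.113.5", 443), ("203.0.113.5", 22)]:
        print(src, port, copp_verdict(acl, "tcp", src, "198.51.100.1", port))
```

If the two ACL lines are swapped, the catch-all permit matches first and the trusted host's HTTPS sessions are dropped along with everything else.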