This vulnerability has been assigned Cisco bug ID CSCdk11848. The use
of ECB mode is Cisco bug ID CSCdj23353.
This vulnerability affects all released versions of PIX Private Link
software with version numbers up to and including 4.1.6, and all beta/interim
software released earlier than the date of this notice.
The first regular release containing a fix for this problem will be
version 4.2.1, which is tentatively scheduled for release in late June 1998.
This schedule is subject to change. Fixes for the 4.1 software release have not
yet been scheduled.
The 4.2.1 release also replaces ECB mode with DES CBC mode.
Customers who need to upgrade immediately may contact Cisco's Technical
Assistance Center (TAC) to obtain interim software. Interim software has not
been subjected to full testing; it has a greater chance of containing serious
bugs than would regular released software.
Interim releases are available only by special request from the Cisco
TAC, not via the regular download channels. Cisco advises customers to install
interim releases only if absolutely necessary. Customers who choose to install
interim releases should plan to upgrade to the regular released software when
it becomes available.
When the fix is installed, it will be necessary to upgrade both ends of
each Private Link tunnel at the same time. This is because the modified key
parsing algorithm will lead old and new versions to derive different encryption
keys from the same configuration file.
Software upgrades to correct this key-length problem will be offered
free of charge to all PIX Private Link customers, regardless of their service
contract status. Customers under contract may obtain upgrades through their
usual procedures. Customers not under contract should call the Cisco TAC.
Contact information for the TAC is in the "" section at the end of this message, and is available on
Cisco's Worldwide Web site at http://www.cisco.com/.
The use of ECB mode was a deliberate design decision for the PIX
Private Link product, and will not be changed. However, future IPSEC/IKE
products for the PIX platforms will use other encryption modes.