-
PIX Private Link is an optional feature that can be installed in Cisco PIX firewalls. PIX Private Link creates IP virtual private networks over untrusted networks, such as the Internet, using tunnels encrypted with Data Encryption Standard (DES). PIX Private Link in versions up to 4.1 uses DES in ECB ("electronic codebook") mode.
An error in parsing of configuration file commands reduces the effective key length for the PIX Private Link DES encryption to 48 bits from the nominal 56 bits.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-19980603-pix-key.
-
This section provides details on affected products.
Vulnerable Products
All users of the PIX Private Link encryption product with PIX software versions earlier than the date of this notice are affected. This includes all PIX Private Link software through version 4.1.6.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
This vulnerability has been assigned Cisco bug ID CSCdk11848. The use of ECB mode is Cisco bug ID CSCdj23353.
Affected Software Versions
This vulnerability affects all released versions of PIX Private Link software with version numbers up to and including 4.1.6, and all beta/interim software released earlier than the date of this notice.
Planned Software Fixes
The first regular release containing a fix for this problem will be version 4.2.1, which is tentatively scheduled for release in late June 1998. This schedule is subject to change. Fixes for the 4.1 software release have not yet been scheduled.
The 4.2.1 release also substitutes ECB mode with DES CBC mode.
Customers who need to upgrade immediately may contact Cisco's Technical Assistance Center (TAC) to obtain interim software. Interim software has not been subjected to full testing; it has a greater chance of containing serious bugs than would regular released software.
Interim releases are available only by special request from the Cisco TAC, not via the regular download channels. Cisco advises customers to install interim releases only if absolutely necessary. Customers who choose to install interim releases should plan to upgrade to the regular released software when it becomes available.
When the fix is installed, it will be necessary to upgrade both ends of each Private Link tunnel at the same time. This is because key the modified key parsing algorithm will lead old and new versions to derive different encryption keys from the same configuration file.
Software upgrades to correct this key-length problem will be offered free of charge to all PIX Private Link customers, regardless of their service contract status. Customers under contract may obtain upgrades through their usual procedures. Customers not under contract should call the Cisco TAC. Contact information for the TAC is in the "" section at the end of this message, and is available on Cisco's Worldwide Web site at http://www.cisco.com/.
The use of ECB mode was a deliberate design decision for the PIX Private Link product, and will not be changed. However, future IPSEC/IKE products for the PIX platforms will use other encryption modes.
-
There is no configuration workaround.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
-
Cisco has had no reports of malicious exploitation of this vulnerability.
Cisco knows of no public announcements of this vulnerability before the date of this notice. This vulnerability was discovered by an engineering analysis conducted by a Cisco customer at a security incident response organization.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.1
1998-June-16
Update to reflect change in plan; ECB mode being changed to CBC.
Revision 1.0
1998-June-03
Initial released version
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.