-
Non-Secure Shell (SSH) connection attempts to an enabled SSH service on a Cisco Catalyst 6000, 5000, or 4000 switch might cause a "protocol mismatch" error, resulting in a supervisor engine failure. The supervisor engine failure causes the switch to fail to pass traffic and reboots the switch. This problem is resolved in release 6.1(1c). Due to a very limited number of customer downloads, Cisco has chosen to notify affected customers directly.
This vulnerability has been assigned Cisco bug ID CSCds85763.
The full text of this advisory can be viewed at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20001213-catalyst-ssh-mismatch.
-
This section supplies details on affected products.
Vulnerable Products
Catalyst 6000, 5000, 4000 images with SSH support. Version 6.1(1), 6.1(1a), 6.1(1b) with 3 Data Encryption Standard (DES) features only.
Only the following images are affected:
-
cat4000-k9.6-1-1.bin
-
cat5000-sup3cvk9.6-1-1a.bin
-
cat5000-sup3k9.6-1-1.bin
-
cat5000-supgk9.6-1-1.bin
-
cat6000-sup2cvk9.6-1-1a.bin
-
cat6000-sup2k9.6-1-1a.bin
-
cat6000-supcvk9.6-1-1a.bin
-
cat6000-supk9.6-1-1a.bin
-
cat6000-sup2cvk9.6-1-1b.bin
-
cat6000-sup2k9.6-1-1b.bin
-
cat6000-supcvk9.6-1-1b.bin
-
cat6000-supk9.6-1-1b.bin
Products Confirmed Not Vulnerable
Cisco IOS 12.1 SSH implementation is not affected by this vulnerability. No other Cisco devices are affected.
-
cat4000-k9.6-1-1.bin
-
Non SSH protocol connection attempts to the SSH service cause a "protocol mismatch" error, which causes a switch to reload. SSH is not enabled by default, and must be configured by the administrator.
To verify if your image is affected, run the command show version. If the image filename is listed above, and you have enabled SSH, you are affected by this vulnerability and should upgrade to a fixed version immediately.
-
The workaround for this vulnerability is to disable SSH service. For most customers using this image, SSH support is necessary, so the recommended action is to upgrade to a fixed version.
-
This defect is resolved in Cisco Catalyst version 6.1(1c). Previous affected versions will be deferred, and will no longer be available for customer download.
-
This vulnerability was reported to Cisco by a customer who discovered the issue during routine networking tests. There has been no public disclosure, and no reports of malicious activity with regard to this vulnerability.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
1.2
2000-December-19
Updated list of affected products.
1.1
2000-December-16
Updated list of affected products.
1.0
2000-December-13
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.