Vulnerabilities in Cisco IOS Secure Shell Server

Advisory ID: cisco-sa-20050406-ssh

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20050406-ssh

Revision 1.1

For Public Release 2005 April 6 16:00 UTC (GMT)


Summary

Certain release trains of Cisco Internetwork Operating System (IOS)®, when configured to use the IOS Secure Shell (SSH) server in combination with Terminal Access Controller Access Control System Plus (TACACS+) as a means to perform remote management tasks on IOS devices, may contain two vulnerabilities that can potentially cause IOS devices to exhaust resources and reload. Repeated exploitation of these vulnerabilities can result in a Denial of Service (DoS) condition. Use of SSH with other authentication methods like Remote Authentication Dial In User Service (RADIUS) and the local user database may also be affected.

Cisco has made free software available to address these vulnerabilities for all affected customers. Workarounds are available to mitigate the effects of the vulnerabilities (see the Workarounds section).

This advisory will be posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20050406-ssh.

Affected Products

This section provides details on affected products.

Vulnerable Products

These issues affect any Cisco device running an unfixed version of Cisco IOS that supports, and is configured to use, the SSH server functionality.

To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS Software will identify itself as "Internetwork Operating System Software" or simply "IOS." The image name will be displayed between parentheses shortly after this identification (possibly in the next line), followed by "Version" and the IOS release name. Other Cisco devices will not have the show version command or will give different output.

The following example identifies a Cisco device running IOS release 12.2(15)T14 (release train label "12.2T") with an installed image name of C806-K9OSY6-M:

Router1> show version
Cisco Internetwork Operating System Software
IOS (tm) C806 Software (C806-K9OSY6-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
[...]

The next example shows a device running IOS release 12.3(10) (release train label "12.3 mainline") with an image name of C2600-IK9O3S3-M:

Router2> show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(10), RELEASE SOFTWARE (fc3)
[...]

Additional information about Cisco IOS release naming can be found at http://www.cisco.com/warp/public/620/1.html.

SSH protocol was introduced in the following IOS release trains:

  • IOS 12.0S (SSH version 1)
  • IOS 12.1T (SSH version 1)
  • IOS 12.2 (SSH version 1)
  • IOS 12.2T (SSH version 1)
  • IOS 12.3T (SSH version 2)

To determine if the IOS image that your IOS device is running supports the server side of the SSH protocol, whether it is enabled (if supported), and the SSH protocol version being used (if SSH is supported and enabled), use the show ip ssh command in global mode:

Router> show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3

The previous output shows that SSH is enabled on this device and that the SSH protocol major version that is being supported is 1. Possible values for the SSH protocol version reported by IOS are:

  • 1.5: only SSH protocol version 1 is enabled.
  • 1.99: SSH protocol version 2 with SSH protocol version 1 compatibility enabled.
  • 2.0: only SSH protocol version 2 is enabled.

For more information about SSH versions in IOS, please check the following URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ssh2.html.

Note: SSH protocol versions 1 and 2 do not interoperate. An SSH server usually knows how to handle connections from clients using either version of the protocol, but in most cases the server has to be explicitly configured to do so. The latest revision of protocol version 1 is "1.5", which is documented in a now expired Internet Engineering Task Force (IETF) draft.

The show ip ssh command was introduced in IOS release 12.1(1)T. If this command is not available then the IOS image in use does not have SSH server support and therefore it is not vulnerable to the issues discussed in this advisory.

As you will see in the Details section, the behavior of the vulnerabilities described in this document can depend on the version of the SSH protocol that the IOS device is using. Therefore, it is important to use the show ip ssh command as shown above to obtain this information.

When the show ip ssh command is executed on an image that does not support SSH the following output will be generated:

Router> show ip ssh
                ^
% Invalid input detected at '^' marker.

Router>

Finally, even if the release and image running on an IOS device support SSH, the SSH server may not be enabled. The following example shows the output from the show ip ssh command on a device that supports SSH but that does not have the SSH server enabled (note the "SSH Disabled" message):

Router> show ip ssh
SSH Disabled - version 1.5
%Please create RSA keys to enable SSH.
Authentication timeout: 120 secs; Authentication retries: 3
Router>

Products Confirmed Not Vulnerable

Devices not running IOS, running an IOS train without the SSH server functionality, or running an IOS version supporting SSH but without the SSH server enabled are not affected.

See the Affected Products section for a detailed list of IOS release trains that implement the SSH functionality. In particular, the following IOS release trains do not contain any SSH code:

  • All IOS versions prior to 12.0.
  • IOS 12.0 (mainline - the "S" train supports SSH and is affected.)
  • IOS 12.1 (mainline - the "T" train supports SSH and is affected.)

Additionally, while 12.3 mainline does support the SSH server functionality, it is not vulnerable to the issues discussed in this document. For all other releases and trains, please check the Software Versions and Fixes section.

Cisco IOS XR is not affected.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

Secure Shell (SSH) is a protocol that provides a secure, remote connection to a network device. There are currently two versions of the SSH protocol, SSH Version 1 and SSH Version 2, both of which are supported by Cisco IOS. The SSH server component of IOS identifies itself as version "1.5" if running only version 1.0 of the protocol, as version "2.0" if running only version 2 of the protocol, and as version "1.99" if running protocol version 2 with fall-back to protocol version 1.

The SSH server feature of IOS enables an SSH client to make a secure, encrypted connection to a Cisco IOS device. This connection provides functionality similar to a telnet connection, with the difference that all traffic between the server and the client, including authentication information, is encrypted in transit.

TACACS provides a way to centrally validate users attempting to gain access to servers, workstations, routers, switches, access servers, and other network devices.

The two vulnerabilities described in this document can cause denial of service (DoS) conditions that affect IOS devices configured to use the IOS SSH server feature for remote management.

The first vulnerability may cause a device to reload when the IOS device is configured to act as an SSH version 2 server and any of the following events occurs:

  • The device is configured to authenticate users against a TACACS+ server (via a command like aaa authentication login <group name> group tacacs+ local) and the account username includes a domain name. This condition does not apply to devices configured to authenticate via different methods, like a RADIUS server or the local user database.
  • A new SSH session is in the authentication phase (the server is waiting for a username or password) and another, already logged-in user uses the send command. This condition applies to any authentication method, including TACACS+, RADIUS, and the local user database.
  • Logging of messages is being directed to a SSH session that is already established (through the terminal monitor command) and the SSH session to the IOS device terminates while the SSH server is still sending data to the client. This condition applies to any authentication method, including TACACS+, RADIUS, and the local user database.

This vulnerability is documented in the Cisco bug ID CSCed65778 (registered customers only) -- Crash in SSHv2 due to TACACS+ username containing domain name.

Note: This vulnerability affects SSH protocol version 2. SSH protocol version 1 is not affected.

The second vulnerability consists of a memory leak that happens when an IOS device is configured to authenticate SSH users against a TACACS+ server and the login fails due to an invalid username or password. This affects both SSH version 1 and version 2 connections. In the case of SSH version 2 connections, the memory leak occurs even after a successful login. Please note that the device is not affected if users are being authenticated against a RADIUS server or the local user database.

The memory leak can be detected by running the command show tcp brief, as in the following example:

Router# show tcp brief
TCB       Local Address           Foreign Address        (state)
637202B8  10.0.0.19.13294       172.16.112.29.49       ESTAB
6371C978  10.0.0.19.13233       172.16.112.29.49       ESTAB
636CB228  10.0.0.19.13041       172.16.112.29.49       CLOSEWAIT
636B6900  10.0.0.19.12912       172.16.112.29.49       CLOSEWAIT
63697548  10.0.0.19.12848       172.16.112.29.49       CLOSEWAIT
63687930  10.0.0.19.12784       172.16.112.29.49       CLOSEWAIT
635F4A80  10.0.0.19.12659       172.16.112.29.49       CLOSEWAIT

In the output above, those Transmission Control Blocks (TCBs) in the state CLOSEWAIT will not go away and represent memory leaks. Please note that only TCP connections with a foreign TCP port of 49 (the well-known port for TACACS) are relevant.
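The checks described in the Affected Products section (interpreting show ip ssh) and the leak signature above (CLOSEWAIT TCBs toward TCP port 49) can be automated over saved CLI captures. The following script is an added example, not part of the Cisco advisory; the captures it parses are constructed (the telnet row with TCB 63590AA0 is invented to show that CLOSEWAIT on other ports is not evidence of this leak), and it assumes SSH users are authenticated against TACACS+ because it does not read the AAA configuration.

```python
"""Triage helper for cisco-sa-20050406-ssh (added example, not Cisco code).

Parses captured 'show ip ssh' output to decide which of the two bugs a device
could be exposed to, and 'show tcp brief' output to spot the leaked TACACS+
TCBs described in the Details section.  Assumes TACACS+ authentication,
since the AAA configuration is not inspected here.
"""
import re

TACACS_PORT = 49           # well-known TACACS port named in the advisory
LEAK_BUG = "CSCed65285"    # memory leak: SSHv1 and SSHv2 with TACACS+ auth
RELOAD_BUG = "CSCed65778"  # reload: SSHv2 server only

# Constructed sample captures, modelled on the advisory's own examples.
SHOW_IP_SSH = """\
Router> show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
"""

# Last row (port 23, constructed) is a telnet session in CLOSEWAIT: not a leak.
SHOW_TCP_BRIEF = """\
Router# show tcp brief
TCB       Local Address           Foreign Address        (state)
637202B8  10.0.0.19.13294       172.16.112.29.49       ESTAB
636CB228  10.0.0.19.13041       172.16.112.29.49       CLOSEWAIT
636B6900  10.0.0.19.12912       172.16.112.29.49       CLOSEWAIT
63697548  10.0.0.19.12848       172.16.112.29.49       CLOSEWAIT
63590AA0  10.0.0.19.23          172.16.112.30.41022    CLOSEWAIT
"""


def parse_show_ip_ssh(text):
    """Return (enabled, version) or None when the image has no SSH server code
    (the router answers '% Invalid input detected' instead of a status line)."""
    m = re.search(r"SSH (Enabled|Disabled) - version (\d+\.\d+)", text)
    if m is None:
        return None
    return m.group(1) == "Enabled", m.group(2)


def exposure(status):
    """Map a show ip ssh result to the set of advisory bug IDs that apply.
    1.5 = SSHv1 only; 1.99 = SSHv2 with SSHv1 fallback; 2.0 = SSHv2 only."""
    if status is None or not status[0]:
        return set()               # no SSH server code, or server not enabled
    bugs = {LEAK_BUG}              # leak applies to both protocol versions
    if status[1] in ("1.99", "2.0"):
        bugs.add(RELOAD_BUG)       # reload bug needs an SSHv2 server
    return bugs


def split_addr(field):
    """'10.0.0.19.13294' -> ('10.0.0.19', 13294); IOS appends the port as a
    fifth dotted field."""
    host, _, port = field.rpartition(".")
    return host, int(port)


def parse_show_tcp_brief(text):
    """Return one dict per TCB row; the prompt and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not re.fullmatch(r"[0-9A-Fa-f]{8}", parts[0]):
            continue
        tcb, local, foreign, state = parts
        rows.append({"tcb": tcb, "local": split_addr(local),
                     "foreign": split_addr(foreign), "state": state})
    return rows


def leaked_tacacs_tcbs(rows):
    """TCBs in CLOSEWAIT toward TACACS port 49 are the leak signature, in the
    order the router listed them; CLOSEWAIT on other ports is ignored."""
    return [r["tcb"] for r in rows
            if r["state"] == "CLOSEWAIT" and r["foreign"][1] == TACACS_PORT]


def stuck_across_polls(earlier, later):
    """Leaked TCBs 'will not go away': report only those seen in both polls,
    which filters out a CLOSEWAIT that was merely caught mid-teardown."""
    seen = set(earlier)
    return [tcb for tcb in later if tcb in seen]


if __name__ == "__main__":
    status = parse_show_ip_ssh(SHOW_IP_SSH)
    print("SSH status:", status, "-> exposed to:", sorted(exposure(status)))
    print("Leaked TACACS+ TCBs:",
          leaked_tacacs_tcbs(parse_show_tcp_brief(SHOW_TCP_BRIEF)))
```

Feed it two show tcp brief captures taken some minutes apart and pass the results of leaked_tacacs_tcbs to stuck_across_polls; a growing list of persistent TCBs is the condition the advisory describes.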

This vulnerability is documented in the Cisco bug ID CSCed65285 (registered customers only) -- SSH leaks memory and buffers.

Vulnerability Scoring Details

Impact

Successful exploitation of the vulnerability described in Cisco bug ID CSCed65778 (registered customers only) may result in a reload of the device. Repeated exploitation could result in a sustained denial of service condition.

Successful exploitation of the vulnerability described in Cisco bug ID CSCed65285 (registered customers only) may result in resource depletion. Repeated exploitation could cause a reload of the device, which in turn could result in a sustained denial of service condition.

Software Versions and Fixes

Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).

For further information on the terms "Rebuild" and "Maintenance" please consult the following URL:

http://www.cisco.com/warp/public/620/1.html

When considering software upgrades, please also consult http://www.cisco.com/en/US/products/products_security_advisories_listing.html and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") for assistance.

Major Release   Availability of Repaired Releases
                Rebuild                                   Maintenance

Affected 12.0-Based Release
12.0S           12.0(26)S5                                12.0(30)S
                12.0(27)S4
                12.0(28)S2
12.0SC          Vulnerable; contact TAC
12.0SL          Migrate to 12.0(26)S5 or later
12.0SP          Migrate to 12.0(26)S5 or later
12.0ST          Migrate to 12.0(26)S5 or later
12.0SX                                                    12.0(30)SX
12.0SY          Migrate to 12.0(26)S5 or later
12.0SZ          Migrate to 12.0(26)S5 or later
12.0XK          Migrate to 12.2(26) or later

Affected 12.1-Based Release
12.1AX          Migrate to 12.2(25)EY or later
12.1AY          12.1(4)AY4
12.1AZ          Migrate to 12.1(22)EA1 or later
12.1DB          Migrate to 12.3(4)T11 or later
12.1DC          Vulnerable; contact TAC
12.1E                                                     12.1(23)E
12.1EA          12.1(22)EA1
12.1EB                                                    12.1(23)EB
12.1EC          Migrate to 12.3BC latest
12.1EU          Migrate to 12.2(20)EU or later
12.1EV          Migrate to 12.2(24)SV or later
12.1EW          Migrate to 12.2(18)EW2 or later
12.1EX          Migrate to 12.1(23)E or later
12.1EY          Migrate to 12.1(23)E or later
12.1EZ          Vulnerable; contact TAC
12.1T           Migrate to 12.2(26) or later
12.1XA          Migrate to 12.2(26) or later
12.1XB          Migrate to 12.2(26) or later
12.1XC          Migrate to 12.2(26) or later
12.1XD          Migrate to 12.2(26) or later
12.1XE          Migrate to 12.1(23)E or later
12.1XF          Migrate to 12.2(26) or later
12.1XG          Migrate to 12.3(8)T or later
12.1XH          Migrate to 12.2(26) or later
12.1XI          Migrate to 12.2(26) or later
12.1XJ          Migrate to 12.3 or later
12.1XL          Migrate to 12.3(8)T or later
12.1XM          Migrate to 12.3(8)T or later
12.1XP          Migrate to 12.2(26) or later
12.1XQ          Migrate to 12.3(8)T or later
12.1XR          Migrate to 12.3(8)T or later
12.1XT          Migrate to 12.3(8)T or later
12.1XU          Migrate to 12.3(8)T or later
12.1XV          Migrate to 12.3(8)T or later
12.1YA          Migrate to 12.3(8)T or later
12.1YB          Migrate to 12.3(8)T or later
12.1YC          Migrate to 12.3(8)T or later
12.1YD          Migrate to 12.3(8)T or later
12.1YE          Migrate to 12.3(8)T or later
12.1YF          Migrate to 12.3(8)T or later
12.1YH          Migrate to 12.3(8)T or later
12.1YI          Migrate to 12.3(8)T or later
12.1YJ          Migrate to 12.1(22)EA1 or later

Affected 12.2-Based Release
12.2                                                      12.2(26)
12.2B           Migrate to 12.3(8)T or later
12.2BC          Migrate to 12.3BC latest
12.2BW          Migrate to 12.3 or later
12.2BY          Migrate to 12.3(8)T or later
12.2BZ          Migrate to 12.3(7)XI3 or later
12.2CX          Migrate to 12.3BC latest
12.2CY          Migrate to 12.3BC latest
12.2DD          Migrate to 12.3(8)T or later
12.2DX          Migrate to 12.3(8)T or later
12.2EU                                                    12.2(20)EU
12.2EW          12.2(18)EW2                               12.2(25)EW
12.2EWA                                                   12.2(20)EWA
12.2EX          Migrate to 12.2(25)SEA
12.2EY                                                    12.2(25)EY
12.2EZ                                                    12.2(25)EZ
12.2MB          Migrate to 12.2SW latest
12.2MC          Migrate to 12.3(8)T or later
12.2S           12.2(14)S13                               12.2(25)S
                12.2(18)S7
                12.2(20)S7
12.2SE          12.2(20)SE4                               12.2(25)SE
12.2SEA                                                   12.2(25)SEA
12.2SEB                                                   12.2(25)SEB
12.2SU          Migrate to 12.3(8)T or later
12.2SV                                                    12.2(24)SV
12.2SX          Migrate to 12.2(17d)SXB1
12.2SXA         Migrate to 12.2(17d)SXB1
12.2SXB         12.2(17d)SXB1
12.2SXD                                                   12.2(18)SXD
12.2SY          Migrate to 12.2(17d)SXB1
12.2SZ          Migrate to 12.2(20)S7 or later
12.2T           Migrate to 12.3(8)T or later
12.2XA          Migrate to 12.3(8)T or later
12.2XB          Migrate to 12.3(8)T or later
12.2XC          Migrate to 12.3(8)T or later
12.2XD          Migrate to 12.3(8)T or later
12.2XE          Migrate to 12.3(8)T or later
12.2XF          Migrate to 12.3BC latest
12.2XG          Migrate to 12.3(8)T or later
12.2XH          Migrate to 12.3(8)T or later
12.2XI          Migrate to 12.3(8)T or later
12.2XJ          Migrate to 12.3(8)T or later
12.2XK          Migrate to 12.3(8)T or later
12.2XL          Migrate to 12.3 or later
12.2XM          Migrate to 12.3 or later
12.2XN          Migrate to 12.3(8)T or later
12.2XQ          Migrate to 12.3(8)T or later
12.2XR          Vulnerable; contact TAC
12.2XS          Migrate to 12.3(8)T or later
12.2XT          Migrate to 12.3(8)T or later
12.2XU          Migrate to 12.3(14)T
12.2XW          Migrate to 12.3 or later
12.2YA          Migrate to 12.3 or later
12.2YB          Migrate to 12.3 or later
12.2YC          Migrate to 12.3(8)T or later
12.2YD          Migrate to 12.3(8)T or later
12.2YE          Migrate to 12.2S or later
12.2YF          Migrate to 12.3 or later
12.2YG          Migrate to 12.3 or later
12.2YH          Migrate to 12.3 or later
12.2YJ          Migrate to 12.3 or later
12.2YK          Migrate to 12.3(8)T or later
12.2YL          Migrate to 12.3(8)T or later
12.2YM          Migrate to 12.3(8)T or later
12.2YN          Migrate to 12.3(8)T or later
12.2YO          Migrate to 12.2(17d)SXB1
12.2YP          Migrate to 12.3 or later
12.2YQ          Migrate to 12.3(8)T or later
12.2YR          Migrate to 12.3(8)T or later
12.2YW          Migrate to 12.3(8)T or later
12.2YX          Migrate to 12.3(11)T3 or later
12.2YY          Migrate to 12.3(8)T or later
12.2YZ          Migrate to 12.2(20)S7 or later
12.2ZA          Migrate to 12.2(17d)SXB1 or later
12.2ZB          Migrate to 12.3(8)T or later
12.2ZC          Migrate to 12.3(8)T or later

Affected 12.3-Based Release
12.3JA                                                    12.3(4)JA
12.3T           12.3(4)T11                                12.3(8)T
                12.3(7)T7
12.3XD          Migrate to 12.3(8)T or later
12.3XE          Migrate to 12.3(8)T or later
12.3XF          Migrate to 12.3(11)T or later
12.3XG          Migrate to 12.3(11)T or later
12.3XH          Migrate to 12.3(11)T or later
12.3XI          12.3(7)XI3
12.3XJ          Migrate to 12.3(8)XW
12.3XK          Migrate to 12.3(14)T
12.3XL                                                    12.3(11)XL
12.3XM                                                    12.3(7)XM
12.3XQ          12.3(4)XQ1
12.3XR                                                    12.3(7)XR
12.3XS                                                    12.3(7)XS
12.3XU                                                    12.3(8)XU
12.3XW                                                    12.3(8)XW
12.3XX                                                    12.3(8)XX
12.3XY                                                    12.3(8)XY
12.3YA                                                    12.3(8)YA
12.3YD                                                    12.3(8)YD
12.3YF                                                    12.3(11)YF
12.3YG                                                    12.3(8)YG
12.3YH                                                    12.3(8)YH
12.3YJ                                                    12.3(11)YJ
12.3YK                                                    12.3(11)YK

Workarounds

The effectiveness of any workaround is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround is the most appropriate for use in the intended network before it is deployed.

Mitigation Strategies

Not all of the mitigation strategies listed will work for all customers. Some of the workarounds listed are dependent on which versions and feature-sets of IOS you have in your network.

Configuring a VTY Access Class

It is possible to limit the exposure of the Cisco device by applying a VTY access class to permit only known, trusted hosts to connect to the device via SSH.

For more information on restricting traffic to VTYs, please consult:

http://www.cisco.com/en/US/docs/ios/12_2/ipaddr/command/reference/1rfip1.html#wp1017389.

The following example permits access to VTYs from the 192.168.1.0/24 netblock and the single IP address 172.16.1.2 while denying access from anywhere else:

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 1 permit host 172.16.1.2
Router(config)# line vty 0 4
Router(config-line)# access-class 1 in

Different Cisco platforms support different numbers of terminal lines. Check your device's configuration to determine the correct number of terminal lines for your platform.

Configuring Access Lists (ACLs)

In addition to configuring a VTY Access Class, it may be desirable to block all SSH traffic destined to your network infrastructure.

Telnet and reverse telnet should be blocked as part of a Transit ACL controlling all access to the trusted network. Transit ACLs are considered a network security best practice and should be considered as a long-term addition to good network security, as well as a workaround for this specific vulnerability. The white paper entitled "Transit Access Control Lists: Filtering at Your Edge" presents guidelines and recommended deployment techniques for transit ACLs:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Configuring Infrastructure Access Lists (iACLs)

Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection ACLs:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

Configuring Receive Access Lists (rACLs)

For distributed platforms, rACLs may be an option starting in Cisco IOS Software Versions 12.0(21)S2 for the 12000 series GSR and 12.0(24)S for the 7500 series. The receive access lists protect the device from harmful traffic before the traffic can impact the route processor. Receive path ACLs are considered a network security best practice, and should be considered as a long-term addition to good network security, as well as a workaround for this specific vulnerability. The CPU load is distributed to the line card processors and helps mitigate load on the main route processor. The white paper entitled "GSR: Receive Access Control Lists" will help identify and allow legitimate traffic to your device and deny all unwanted packets:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml

Control Plane Policing

The Control Plane Policing (CoPP) feature may be used to mitigate this vulnerability, as in the following example:

! Do not police SSH traffic from trusted hosts
access-list 140 deny   tcp host <trusted host 1's IP address> any eq 22
access-list 140 deny   tcp host <trusted host 2's IP address> any eq 22
[...]
access-list 140 deny   tcp host <trusted host N's IP address> any eq 22
! Trust an entire network if desired
access-list 140 deny   tcp <trusted network address> <trusted network mask> any eq 22
! Police SSH traffic from untrusted hosts
access-list 140 permit tcp any any eq 22
! Do not police any other type of traffic going to the router
access-list 140 deny   ip  any any
!
class-map match-all ssh-class
  match access-group 140
!
policy-map control-plane-policy
  ! Drop all traffic that matches the class "ssh-class"
  class ssh-class
     drop
!
control-plane
  service-policy input control-plane-policy

Note: CoPP is available only in IOS release trains 12.0S, 12.2S and 12.3T. Additional information on the configuration and use of the CoPP feature can be found at the following URL: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html

Obtaining Fixed Software

Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations

Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts

Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • e-mail: tac@cisco.com

Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was discovered by Cisco during internal testing.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory will be posted on Cisco's worldwide website at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20050406-ssh.

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  • cust-security-announce@cisco.com
  • first-teams@first.org (includes CERT/CC)
  • bugtraq@securityfocus.com
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.grok.org.uk
  • comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.


Revision History

Revision 1.1

2005-May-03

- Clarify that 12.3 does support SSH, but it is not vulnerable.

- Updated table of fixed software.

- 12.1AZ migrates to 12.1(22)EA1, not 12.2(22)EA1.

- Correct the Access Control List entries of the Control Plane Policing example.

- Clarify that the SSH version 2 vulnerability (CSCed65778 (registered customers only)) affects devices using authentication methods other than TACACS+ (RADIUS and local user database, for example).

Revision 1.0

2005-April-06

Initial Public Release

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/en/US/products/products_security_advisories_listing.html.