Guest

Product Support

Multiple Vulnerabilities in Cisco IOS While Processing SSL Packets

Advisory ID: cisco-sa-20070522-SSL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070522-SSL

Revision 1.4

For Public Release 2007 May 22 13:00  UTC (GMT)


Summary

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

  • Processing ClientHello messages, documented as Cisco bug ID CSCsb12598 ( registered customers only)
  • Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304 ( registered customers only)
  • Processing Finished messages, documented as Cisco bug ID CSCsd92405 ( registered customers only)

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070522-SSL

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070522-crypto

Affected Products

Vulnerable Products

These vulnerabilities affect all Cisco devices running Cisco IOS software configured to use the SSL protocol. The following application layer protocols in Cisco IOS use SSL:

  • Hyper Text Transfer Protocol over SSL (HTTPS). This is the most commonly used protocol that employs SSL.
  • Cisco Network Security (CNS) Agent with SSL support
  • Firewall Support of HTTPS Authentication Proxy
  • Cisco IOS Clientless SSL VPN (WebVPN) support

Other protocols that use encryption to provide security but do not use SSL are not affected by these vulnerabilities. Specifically, IPSec and Secure Shell (SSH) are not affected.

To determine the software running on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices will not have the show version command, or will give different output.

Only Cisco IOS images that contain the Crypto Feature Set are vulnerable. Customers who are not running an IOS image with crypto support are not exposed to this vulnerability.

Cisco IOS feature set naming indicates that IOS images with crypto support have 'K8' or 'K9' in the feature designator field.

The following example shows output from a device running an IOS image with crypto support:

Router>show version
Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 31-Mar-05 08:04 by yiyan

Since the feature set designator (IK9S) contains 'K9', it can be determine that this feature set contains crypto support.

Additional information about Cisco IOS release naming is available at the following link: http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/ products_white_paper09186a008018305e.shtml.

The following text describes how to recognize if any of the affected services are enabled on a device.

Hyper Text Transfer Protocol Over SSL (HTTPS)

To determine if a device has HTTPS enabled, enter the command show run | include ip http. The following example shows output from of a device that has HTTPS enabled:

Router#show run | include secure-server               
ip http secure-server

The following example shows output from a device that does not have HTTPS enabled:

Router#show run | include secure-server
no ip http secure-server

CNS Agent With SSL Support

CNS Agent with SSL support can only be enabled on devices running a Cisco IOS image that supports encryption. The following example shows output from a device that has CNS Agent configured to support SSL:

Router#show run | include cns config initial
cns config initial 10.1.1.1 encrypt no-persist

If the output does not contain the encrypt keyword the CNS Agent is not vulnerable.

Firewall Support of HTTPS Authentication Proxy

To determine if a device has authentication proxy for HTTPS enabled, enter the command show ip auth-proxy configuration. The following example shows output from a device that has authentication proxy for HTTPS enabled:

Router#show ip auth-proxy configuration 
Authentication cache time is 60 minutes
Authentication Proxy Rule Configuration
Auth-proxy name my_pxy
http list not specified auth-cache-time 1 minutes          

If the command does not produce any output, authentication proxy for HTTPS is not enabled.

Cisco IOS Clientless SSL VPN (WebVPN) Enhanced Support

To determine if a device has Cisco IOS Clientless SSL VPN (WebVPN) enhanced support enabled, enter the command show webvpn gateway. The following example shows output from a device that has Cisco IOS Clientless SSL VPN (WebVPN) enhanced support enabled:

Router#show webvpn gateway                                                         
                                                                                
Gateway Name                       Admin  Operation                             
------------                       -----  ---------                             
web-server                         up     up                                    

If the command does not produces any output, Cisco IOS Clientless SSL VPN (WebVPN) enhanced support is not enabled.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

SSL is a protocol designed to provide a secure connection between two hosts. The SSL Protocol is described in RFC4346. While not necessary for the understanding of this advisory, users are encouraged to consult the section "7.3 handshake Protocol Overview" in RFC4346 as well as Figure 1 in the same section. The text of the RFC4346 is available at the following link: http://tools.ietf.org/html/rfc4346#section-7.3.

An attacker can trigger these vulnerabilities after establishing a TCP connection, but prior to the exchange of authentication credentials, such as username/password or certificate. The requirement of the complete TCP 3-way handshake reduces the probability that these vulnerabilities will be exploited through the use of spoofed IP addresses.

An attacker intercepting traffic between two affected devices cannot exploit these vulnerabilities if the SSL session is already established because SSL protects against such injection. However, such an attack could abnormally terminate an existing session, via a TCP RST, for example. The attacker could then wait for a new SSL session to be established and inject malicious packets at the beginning of the new SSL session, thus triggering the vulnerability.

Processing ClientHello Messages May Cause Crash

A vulnerable device may crash when processing a malformed ClientHello message. The ClientHello message is the first to be sent when a client connects to a server. It can also be sent after the SSL session is established; in such cases, the message is sent within the encrypted tunnel.

This vulnerability is documented as Cisco bug ID CSCsb12598 ( registered customers only)

Processing ChangeCipherSpec Messages May Cause Crash

A vulnerable device may crash when processing a malformed ChangeCipherSpec message. The ChangeCipherSpec message can only be sent after the ClientHello and ServerHello messages are exchanged. In most cases, the ChangeCipherSpec message is sent within the encrypted tunnel.

This vulnerability is documented as Cisco bug ID CSCsb40304 ( registered customers only)

Processing Finished Messages May Cause Crash

A vulnerable device may crash when processing a malformed Finished message. This message can only be sent as a part of a SSL handshake, but not as the first message. The Finished message is always sent within the encrypted tunnel.

This vulnerability is documented as Cisco bug ID CSCsd92405 ( registered customers only)

Vulnerability Scoring Details

Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS).

Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability.

CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.

CSCsb12598 - Processing ClientHello messages

Calculate the environmental score of CSCsb12598

CVSS Base Score - 3.3

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Impact Bias

Remote

Low

Not Required

None

None

Complete

Normal

Temporal Score - 2.7

Exploitability

Remediation Level

Report Confidence

Functional

Official Fix

Confirmed

CSCsb40304 - Processing ChangeCipherSpec messages

Calculate the environmental score of CSCsb40304

CVSS Base Score - 3.3

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Impact Bias

Remote

Low

Not Required

None

None

Complete

Normal

Temporal Score - 2.7

Exploitability

Remediation Level

Report Confidence

Functional

Official Fix

Confirmed

CSCsd92405 - Processing Finished messages

Calculate the environmental score of CSCsd92405

CVSS Base Score - 3.3

Access Vector

Access Complexity

Authentication

Confidentiality Impact

Integrity Impact

Availability Impact

Impact Bias

Remote

Low

Not Required

None

None

Complete

Normal

Temporal Score - 2.7

Exploitability

Remediation Level

Report Confidence

Functional

Official Fix

Confirmed

Vulnerability Scoring Details

Impact

Successful exploitation of any vulnerability listed in this advisory may result in the crash of the affected device. Repeated exploitation can result in a sustained DoS condition.

Software Versions and Fixes

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

Each row of the Cisco IOS software table (below) describes a release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).

For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/warp/public/620/1.html

Major Release

Availability of Repaired Releases

Affected 12.0-Based Release

Rebuild

Maintenance

12.0T

Vulnerable; migrate to 12.2(46) or later

12.0WC

12.0(5)WC17

 

12.0XE

Vulnerable; migrate to 12.1(26)E8 or later

12.0XH

Vulnerable; migrate to 12.2(46) or later

12.0XI

Vulnerable; migrate to 12.2(46) or later

12.0XK

Vulnerable; migrate to 12.2(46) or later

12.0XL

Vulnerable; migrate to 12.2(46) or later

12.0XN

Vulnerable; migrate to 12.2(46) or later

12.0XQ

Vulnerable; migrate to 12.2(46) or later

12.0XR

Vulnerable; migrate to 12.2(46) or later

12.0XV

Vulnerable; migrate to 12.2(46) or later

Affected 12.1-Based Release

Rebuild

Maintenance

12.1

Vulnerable; migrate to 12.2(46) or later

12.1AY

Vulnerable; migrate to 12.1(22)EA9 or later

12.1CX

Vulnerable; migrate to 12.2(46) or later

12.1E

12.1(26)E8

 

12.1(27b)E2; available 25-June-07

 

12.1EA

12.1(22)EA9

 

12.1EB

12.1(26)EB2; available 30-July-07

 

12.1EC

Vulnerable; migrate to 12.3(21)BC or later

12.1EW

Vulnerable; migrate to 12.2(25)EWA9 or later

12.1EX

Vulnerable; migrate to 12.1(26)E8 or later

12.1EY

Vulnerable; migrate to 12.1(26)E8 or later

12.1T

Vulnerable; migrate to 12.2(46) or later

12.1XC

Vulnerable; migrate to 12.2(46) or later

12.1XD

Vulnerable; migrate to 12.2(46) or later

12.1XF

Vulnerable; migrate 12.3(22) or later

12.1XG

Vulnerable; migrate 12.3(22) or later

12.1XH

Vulnerable; migrate to 12.2(46) or later

12.1XI

Vulnerable; migrate to 12.2(46) or later

12.1XJ

Vulnerable; migrate to 12.3(22) or later

12.1XL

Vulnerable; migrate to 12.3(22) or later

12.1XM

Vulnerable; migrate to 12.3(22) or later

12.1XP

Vulnerable; migrate to 12.3(22) or later

12.1XQ

Vulnerable; migrate to 12.3(22) or later

12.1XT

Vulnerable; migrate to12.3(22) or later

12.1XU

Vulnerable; migrate to12.3(22) or later

12.1YB

Vulnerable; migrate to12.3(22) or later

12.1YC

Vulnerable; migrate to 12.3(22) or later

12.1YD

Vulnerable; migrate to12.3(22) or later

12.1YE

Vulnerable; migrate to 12.3(22) or later

12.1YF

Vulnerable; migrate to 12.3(22) or later

12.1YI

Vulnerable; migrate to12.3(22) or later

Affected 12.2-Based Release

Rebuild

Maintenance

12.2

12.2(40a)

12.2(46)

12.2B

Vulnerable; migrate to 12.4(10) or later

12.2BC

Vulnerable; migrate to 12.3(21)BC or later

12.2BW

Vulnerable; migrate 12.3(22) or later

12.2BY

Vulnerable; migrate to 12.4(10) or later

12.2BZ

Vulnerable; contact TAC

12.2CX

Vulnerable; migrate to 12.3(21)BC or later

12.2CY

Vulnerable; migrate to 12.3(21)BC or later

12.2CZ

Vulnerable; contact TAC

12.2DD

Vulnerable; migrate to 12.4(10) or later

12.2EW

Vulnerable; migrate to 12.2(25)EWA9 or later

12.2EWA

12.2(25)EWA9

 

12.2EX

Vulnerable; migrate to 12.2(25)SEE3 or later

12.2EY

Vulnerable; migrate to 12.2(25)SEE3 or later

12.2EZ

Vulnerable; migrate to 12.2(25)SEE3 or later

12.2FX

Vulnerable; migrate to 12.2(25)SEE3 or later

12.2FY

Vulnerable; migrate to 12.2(25)SEG2 or later

12.2FZ

Vulnerable; migrate to 12.2(35)SE or later

12.2JA

Vulnerable; migrate to 12.3(11)JA or later

12.2JK

Vulnerable; migrate to 12.4(11)T or later

12.2S

12.2(14)S13a

12.2(25)S12

12.2(18)S0a

12.2(20)S9a

12.2SB

12.2(28)SB4b

 

12.2(31)SB2

 

12.2SBC

Vulnerable; migrate to 12.2(31)SB2 or later

12.2SE

 

12.2(35)SE

12.2SEA

Vulnerable; migrate to 12.2(25)SEE3 or later

12.2SEB

Vulnerable; migrate to 12.2(25)SEE3 or later

12.2SEC

Vulnerable; migrate to 12.2(25)SEE3 or later

12.2SED

Vulnerable; migrate to 12.2(25)SEE3 or later

12.2SEE

12.2(25)SEE3

 

12.2SEF

Vulnerable; migrate to 12.2(35)SE or later

12.2SEG

12.2(25)SEG2

 

12.2SG

12.2(37)SG

12.2SGA

12.2(31)SGA2; available 11-June-2007

12.2SRA

12.2(33)SRA2

 

12.2SU

Vulnerable; migrate to 12.4(10) or later

12.2SV

12.2(28)SV2

 

12.2(29)SV3

 

12.2SW

12.2(25)SW9

 

12.2SX

Vulnerable; migrate to 12.2(18)SXE6a or later

12.2SXA

Vulnerable; migrate to 12.2(18)SXE6a or later

12.2SXB

Vulnerable; migrate to 12.2(18)SXE6a or later

12.2SXD

Vulnerable; migrate to 12.2(18)SXE6a

12.2SXE

12.2(18)SXE6a

 

12.2SXF

12.2(18)SXF8

 

12.2SY

Vulnerable; migrate to 12.2(18)SXE6a or later

12.2T

Vulnerable; migrate 12.3(22) or later

12.2TPC

12.2(8)TPC10b

 

12.2XA

Vulnerable; migrate to 12.3(22) or later

12.2XB

Vulnerable; migrate to 12.3(22) or later

12.2XD

Vulnerable; migrate to 12.3(22) or later

12.2XE

Vulnerable; migrate to 12.3(22) or later

12.2XF

Vulnerable; migrate to 12.3(21)BC or later

12.2XG

Vulnerable; migrate to 12.3(22) or later

12.2XH

Vulnerable; migrate to 12.3(22) or later

12.2XI

Vulnerable; migrate to 12.3(22) or later

12.2XJ

Vulnerable; migrate to 12.3(22) or later

12.2 XK

Vulnerable; migrate to 12.3(22) or later

12.2XL

Vulnerable; migrate to 12.3(22) or later

12.2XM

Vulnerable; migrate to 12.3(22) or later

12.2XN

Vulnerable; migrate to 12.3(22) or later

12.2XQ

Vulnerable; migrate to 12.3(22) or later

12.2XR

Vulnerable; migrate to 12.3(22) or later

12.2XS

Vulnerable; migrate to 12.3(22) or later

12.2XT

Vulnerable; migrate to 12.3(22) or later

12.2XU

Vulnerable; migrate to 12.3(22) or later

12.2XV

Vulnerable; migrate to 12.3(22) or later

12.2XW

Vulnerable; migrate to 12.3(22) or later

12.2YA

Vulnerable; migrate to 12.3(22) or later

12.2YB

Vulnerable; migrate to 12.3(22) or later

12.2YC

Vulnerable; migrate to 12.3(22) or later

12.2YD

Vulnerable; migrate to 12.4(10) or later

12.2YE

Vulnerable; migrate to 12.2(25)S12 or later

12.2YF

Vulnerable; migrate to 12.3(22) or later

12.2YJ

Vulnerable; migrate to 12.3(22) or later

12.2YL

Vulnerable; migrate to 12.4(10) or later

12.2YM

Vulnerable; migrate to 12.4(10) or later

12.2YN

Vulnerable; migrate to 12.4(10) or later

12.2YQ

Vulnerable; migrate to 12.4(10) or later

12.2YR

Vulnerable; migrate to 12.4(10) or later

12.2YU

Vulnerable; migrate to 12.4(10) or later

12.2YV

Vulnerable; migrate to 12.4(10) or later

12.2YW

Vulnerable; migrate to 12.4(10) or later

12.2YX

Vulnerable; migrate to 12.4(10) or later

12.2YY

Vulnerable; migrate to 12.4(10) or later

12.2YZ

Vulnerable; contact TAC

12.2ZA

Vulnerable; migrate to 12.2(18)SXE6a or later

12.2ZB

Vulnerable; migrate to 12.4(10) or later

12.2ZD

Vulnerable; contact TAC

12.2ZE

Vulnerable; migrate to 12.3(22) or later

12.2ZF

Vulnerable; migrate to 12.4(10) or later

12.2ZH

Vulnerable; contact TAC

12.2ZJ

Vulnerable; migrate to 12.4(10) or later

12.2ZL

Vulnerable; contact TAC

12.2ZN

Vulnerable; migrate to 12.4(10) or later

12.2ZU

Vulnerable; contact TAC

12.2ZV

Vulnerable; contact TAC

12.2ZW

Vulnerable; contact TAC

12.2ZX

Vulnerable; contact TAC

Affected 12.3-Based Release

Rebuild

Maintenance

12.3

12.3(21a)

12.3(22)

12.3B

Vulnerable; migrate to 12.4(10) or later

12.3BC

12.3(17b)BC5

12.3(21)BC

12.3JA

 

12.3(11)JA

12.3JEA

 

12.3(8)JEA

12.3JK

Vulnerable; contact TAC

12.3JX

Vulnerable; contact TAC

12.3T

Vulnerable; migrate to 12.4(10) or later

12.3TPC

12.2(8)TPC10b

 

12.3XA

Vulnerable; contact TAC

12.3XB

Vulnerable; migrate to 12.4(10) or later

12.3XC

Vulnerable; contact TAC

12.3XD

Vulnerable; migrate to 12.4(10) or later

12.3XE

Vulnerable; contact TAC

12.3XF

Vulnerable; migrate to 12.4(10) or later

12.3XG

Vulnerable; contact TAC

12.3XH

Vulnerable; migrate to 12.4(10) or later

12.3XI

Vulnerable; contact TAC

12.3XJ

Vulnerable; migrate to 12.4(11)T or later

12.3XK

Vulnerable; contact TAC

12.3XQ

Vulnerable; migrate to 12.4(10) or later

12.3XR

Vulnerable; contact TAC

12.3XS

Vulnerable; migrate to 12.4(10) or later

12.3XU

Vulnerable; migrate to 12.4(11)T or later

12.3XW

Vulnerable; migrate to 12.4(11)T or later

12.3XX

12.3(8)XX2d

 

12.3YA

Vulnerable; contact TAC

12.3YD

Vulnerable; migrate to 12.4(11)T or later

12.3YF

Vulnerable; migrate to 12.4(11)T or later

12.3YG

Vulnerable; migrate to 12.4(11)T or later

12.3YH

Vulnerable; migrate to 12.4(11)T or later

12.3YI

Vulnerable; migrate to 12.4(11)T or later

12.3YK

Vulnerable; migrate to 12.4(11)T or later

12.3YQ

Vulnerable; migrate to 12.4(11)T or later

12.3YS

Vulnerable; migrate to 12.4(11)T or later

12.3YT

Vulnerable; migrate to 12.4(11)T or later

12.3YU

Vulnerable; contact TAC

12.3YX

Vulnerable; migrate to 12.4(11)T or later

12.3YZ

Vulnerable; contact TAC

Affected 12.4-Based Release

Rebuild

Maintenance

12.4

12.4(3h)

12.4(10)

12.4(7d)

12.4(8c)

12.4T

12.4(4)T6

12.4(11)T

12.4(6)T7

12.4(9)T3

12.4XA

Vulnerable; migrate to 12.4(11)T or later

12.4XB

Vulnerable; contact TAC

12.4XC

12.4(4)XC4

 

12.4XD

12.4(4)XD5

 

12.4XE

Vulnerable; contact TAC

Workarounds

The only way to prevent a device from being susceptible to the listed vulnerabilities is to disable the affected service(s). However, if regular maintenance and operation of the device relies on these services, there is no workaround.

It is possible to mitigate these vulnerabilities by preventing unauthorized hosts from accessing affected devices. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory. This companion document is available at the following link: http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070522-SSL

Control Plane Policing (CoPP)

Control Plane Policing: IOS software versions that support Control Plane Policing (CoPP) can be configured to help protect the device from attacks that target the management and control planes. CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T.

In the following CoPP example, the ACL entries that match the exploit packets with the permit action will be discarded by the policy-map drop function, while packets that match a "deny" action (not shown) are not affected by the policy-map drop function:

! Include deny statements up front for any protocols/ports/IP addresses that 
!-- should not be impacted by CoPP

! Include permit statements for the protocols/ports that will be governed by CoPP
access-list 100 permit tcp any any eq 443

!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
!
class-map match-all drop-SSL-class
 match access-group 100

!
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
!
policy-map drop-SSL-policy
 class drop-SSL-class
   drop
   
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
!
control-plane
 service-policy input drop-SSL-policy

Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains, the policy-map syntax is different, as demonstrated by the following:

policy-map drop-SSL-policy
 class drop-SSL-class
 police 32000 1500 1500 conform-action drop exceed-action drop

NOTE: In the above CoPP example, the ACL entries with the "permit" action that match the exploit packets result in the discarding of those packets by the policy-map drop function, while packets that match the "deny" action are not affected by the policy-map drop function.

Additional information on the configuration and use of the CoPP feature is available at the following links: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html and http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html.

Access Control List (ACL)

An Access Control List (ACL) can be used to help mitigate attacks targeting these vulnerabilities. ACLs can specify that only packets from legitimate sources are permitted to reach a device, and all others are to be dropped. The following example shows how to allow legitimate SSL sessions from trusted sources and deny all other SSL sessions:

access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> port 443
access-list 101 deny tcp any any port 443

Obtaining Fixed Software

Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads athttp://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations

Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts

Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • e-mail: tac@cisco.com

Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this Advisory.

These vulnerabilities were discovered by Cisco during internal testing.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco's worldwide website at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070522-SSL.

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  • cust-security-announce@cisco.com
  • first-teams@first.org
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.grok.org.uk
  • comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.


Revision History

Revision 1.4

2008-June-27

Updated Summary to remove link and verbiage.

Revision 1.3

2007-October-19

Replaced rebuild release for 12.4 from 12.4(3)g to 12.4(3h).

Revision 1.2

2007-June-27

The first fixed release for 12.2SXF changed from 12.2(18)SXF7 to 12.2(18)SXF8.

Revision 1.1

2007-May-25

Updated fixed IOS releases.

Revision 1.0

2007-May-22

Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.