Cisco Services Modules

Field Notice: FN - 62206 - Software for the SSL Module for Catalyst 6500 Deferred


October 21, 2005


NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected

Product: SSL M -
Comments: Running software versions prior to 2.1(7)

Problem Description

Cisco IOS® software on the SSLM will allow users to enable PMTU discovery. The Cisco IOS software on the Cisco SSL Module for the Catalyst 6500 is vulnerable to the ICMP Software Security Advisory. Software versions earlier than version 2.1(7) are being deferred due to a Severity 2 defect, CSCed78149. Refer to the Crafted ICMP Messages Can Cause Denial of Service Security Advisory.

Deferral Advisory Notice:

Dear Cisco Customer, Cisco engineering has identified at least one serious issue with the software you have selected. The issue(s) may affect your use of this software. Please review the Deferral notice above to determine if the issue(s) apply to your network. The affected software versions will be removed from CCO.

Background

SSL M software versions earlier than 2.1(7) are subject to the Security Advisory.

Problem Symptoms

The following message will be displayed with the debug ip tcp transactions command in response to an ICMP packet with an embedded TCP sequence number of 2863311530.

# 
*Jun 20 10:26:22: ICMP: dst (17.0.0.55) frag. needed and DF set unreachable rcv from 17.0.0.44
*Jun 20 10:26:22: TCP2: ICMP destination unreachable received with bad sequence number 2863311530, mtu 100
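
The following is an added example, not part of the original field notice or any Cisco tooling: a small Python parser that scans captured debug ip tcp transactions output for the message pair shown above and reports each rejected ICMP "frag. needed" message with its sender. The function names are hypothetical, the sample text is constructed from the two lines in this notice, and the pairing of the TCP line with the preceding ICMP line by identical timestamp is an assumption based on that sample.

```python
import re

# Constructed sample: the two messages quoted in this notice, wrapped the way
# the terminal wrapped them, plus one unrelated constructed line.
SAMPLE = """\
#
*Jun 20 10:26:22: ICMP: dst (17.0.0.55) frag. needed and DF set unreachable rcv
from 17.0.0.44
*Jun 20 10:26:22: TCP2: ICMP destination unreachable received with bad sequence
number 2863311530, mtu 100
*Jun 20 10:26:23: TCP2: unrelated constructed line
"""

RECORD = re.compile(r"^\*(?P<ts>\w{3} +\d+ [\d:.]+): (?P<msg>.*)$")
ICMP_RCV = re.compile(r"ICMP: dst \((?P<dst>[\d.]+)\) frag\. needed and DF set "
                      r"unreachable rcv from (?P<src>[\d.]+)")
TCP_REJECT = re.compile(r"ICMP destination unreachable received with bad "
                        r"sequence number (?P<seq>\d+), mtu (?P<mtu>\d+)")

def unwrap(text):
    """Join terminal-wrapped continuation lines back onto their record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # blank line or CLI prompt
            continue
        if line.startswith("*") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def find_rejected_pmtu_icmp(text):
    """Return one dict per ICMP 'frag. needed' message that TCP rejected."""
    findings, last_icmp = [], None
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if (icmp := ICMP_RCV.search(msg)):
            last_icmp = (ts, icmp["src"], icmp["dst"])
        elif (rej := TCP_REJECT.search(msg)):
            # Assumption: the rejection belongs to the ICMP record logged
            # immediately before it with the same timestamp.
            src, dst = last_icmp[1:] if last_icmp and last_icmp[0] == ts else (None, None)
            findings.append({"ts": ts, "src": src, "dst": dst,
                             "seq": int(rej["seq"]), "mtu": int(rej["mtu"])})
    return findings

if __name__ == "__main__":
    for finding in find_rejected_pmtu_icmp(SAMPLE):
        print(finding)
```

A rejection line with no matching ICMP line is still reported, with src and dst set to None, so a truncated capture does not hide the event.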

Workaround/Solution

The only workaround/solution is to upgrade to the 2.1(7) code available on the Cisco Catalyst 6000 SSL 3DES Cryptographic Software (registered customers only) page.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS: CSCed78149 (registered customers only)
Description: TCP connections doing PMTU discovery vulnerable to spoofed ICMP pkts

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.