Table Of Contents
Security Advisory for OpenSSL Vulnerability in Cisco MDS 9000 Family Switches
CCO Date: May 14, 2007
Text Part Number: OL-5831-01
This document describes the OpenSSL vulnerability in the Cisco MDS 9000 Family switches and it provides recommendations to work around these issues.
The Cisco MDS 9000 Family of multilayer directors and fabric switches offer intelligent fabric-switching services that realize maximum performance while ensuring high reliability levels. They combine robust and flexible hardware architecture with multiple layers of network and storage management intelligence. This powerful combination enables highly available, scalable storage networks that provide advanced security and unified management features.
The Cisco MDS 9000 Family provides intelligent networking features such as multiprotocol and multitransport integration, virtual SANs (VSANs), advanced security, sophisticated debug analysis tools, and unified SAN management.
Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted Secure Sockets Layer/Transport Layer Security (SSL/TSL) protocol handshake against a server that uses an OpenSSL library and could cause OpenSSL to stop responding.
Impact on the Cisco MDS 9000 Family
The HTTPS server uses OpenSSL for security services for Cisco MDS 9000 Family switches. Specifically, the HTTPS server provides authentication, data integrity, and confidentiality for the Storage Management Initiative specification (SMI-S). SMI-S enables storage area network (SAN) management clients to link to Common Information Model (CIM) servers and manages a large number of storage resources with a unified interface. The SMI-S interface is configured and managed through the MDS 9000 switches.
A user with malicious intent can create a denial-of-service (DoS) attack on the Cisco MDS 9000 Ethernet management port by sending synthetic messages. This vulnerability can be exploited to launch a DoS attack on the switch's control plane, hosted on the supervisor module. As a result of the DoS attack, the HTTPS server stops responding to SMI-S requests. It does not impact the existing data flows. The stateful process restart feature in Cisco MDS 9000 Family switches detects a HTTPS server failure and restarts the HTTPS server.
Note The OpenSSL vulnerability only exists on Cisco MDS 9000 switches running SAN-OS software Releases 1.3(1), 1.3(2a), and 1.3(3).
Solution and Recommendations
The OpenSSL vulnerability will be fixed in Cisco MDS SAN-OS Release 1.3(4).
We recommend the following workarounds for customers using Cisco MDS SAN-OS Releases: 1.3(1), 1.3(2a), and 1.3(3):
•Do not enable the SMI-S functionality if you do not need it to manage a Cisco MDS 9000 Family switch. By default, SMI-S is disabled in all switches in the Cisco MDS 9000 Family.
To disable SMI-S, refer to the "Disabling CIM Support for the Cisco MDS 9000 Family" section in the Cisco MDS 9000 Family SMI-S Programming Reference Guide:
•As a best practice, configure IP ACLs on Cisco MDS 9000 Family switches. This feature only allows trusted management entities to configure and manage Cisco MDS 9000 switches.
To configure IP ACLs, refer to the "Configuring IP Services" section in the Cisco MDS 9000 Family Configuration Guide for SAN-OS Release 1.3x: http://www.cisco.com/en/US/products/ps5989/products_configuration_guide_book09186a008021a376.html
•As a best practice, deploy switches in the Cisco MDS 9000 Family in environments that are protected by firewall services. Configure the firewall to only allow trusted management entities.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0402R)