Advisory ID: cisco-sa-20091109-tls
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20091109-tls
Revision 1.15
Last Updated 2011 October 20 15:47 UTC (GMT)
For Public Release 2009 November 9 13:00 UTC (GMT)
Contents
Summary
Affected Products
Details
Vulnerability Scoring Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: Final
Distribution
Revision History
Cisco Security Procedures
Summary
An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20091109-tls.
Affected Products
Cisco is currently evaluating products for possible exposure to these TLS issues. Products will only be listed in the Vulnerable Products or Products Confirmed Not Vulnerable sections of this advisory when a final determination about product exposure is made. Products that are not listed in either of these two sections are still being evaluated.
Vulnerable Products
This section will be updated when more information is available. The following products are confirmed to be vulnerable:
- Cisco Internet Streamer CDS
- Cisco ACE 4700 Series Application Control Engine Appliances
- Cisco ACE Application Control Engine Module
- Cisco ACE GSS 4400 Series Global Site Selector Appliances
- Cisco ACE Web Application Firewall
- Cisco Wireless Control System
- Cisco Wireless LAN Controller (WLC)
Note: Extensible Authentication Protocol Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol (PEAP) are not affected by this vulnerability.
- Cisco Wireless Location Appliance
- CiscoWorks Wireless LAN Solution Engine (WLSE)
- Cisco Digital Media Player
- Cisco Digital Media Manager
- Cisco Access Control Server (ACS)
- CiscoWorks Common Services
- Cisco Telepresence Recording Server
- Cisco NX-OS Software
- Cisco Video Surveillance Operations Manager Software
- Cisco Video Surveillance Media Server Software
- Cisco ASA 5500 Series Adaptive Security Appliances
- Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module (FWSM)
- Cisco AVS 3120 and 3180 Series Application Velocity System
- Cisco CSS 11500 Series Content Services Switches
The CSS 11500 Series Content Services Switches are affected in their default configuration. Enabling client authentication on the virtual SSL server mitigates the issue: the attacker's own initial handshake, in which the injected data would be sent, cannot complete without a client certificate the CSS accepts.
To enable or disable client authentication on a virtual SSL server, use the ssl-server <number> authentication command under the ssl-proxy-list.
Note: By default, client authentication is disabled. After you enable client authentication on the CSS, you must specify a CA certificate that the CSS uses to verify client certificates.
- Cisco Content Switching Module (CSM)
- Cisco Wide Area Application Services (WAAS)
- Cisco Application Networking Manager (ANM)
- Cisco Unified IP Phones
- Cisco ONS 15500 Series
- Cisco Unified Contact Center Products
- Cisco Security Agent (CSA)
- Cisco IP Communicator
- Cisco Network Registrar
- Cisco Unified Communications Manager (CallManager)
- Cisco Network Analysis Module Software (NAM)
- Cisco IronPort's Email Security Appliance (X-Series & C-Series)
- Cisco Spam & Virus Blocker (B-Series)
- Cisco IronPort's Web Security Appliance (S-Series)
- Cisco IronPort's Security Management Appliance (M-Series)
- Cisco IronPort's Encryption Appliance (IEA)
- Cisco Catalyst 6500 series SSL Services Module
- Cisco PIX (see the end-of-life notices at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notices_list.html)
Products Confirmed Not Vulnerable
The following products are confirmed not vulnerable:
- Cisco AnyConnect VPN Client
- Cisco Unified MeetingPlace
- Cisco Data Center Network Manager
- Cisco Service Control Subscriber Manager
- Cisco Secure Desktop (CSD)
- Cisco ASA Advanced Inspection and Prevention (AIP) Security Services Module
- Cisco Transport Manager (CTM)
- Cisco IOS SSL VPN
- Cisco IOS HTTP Secure Server
- Cisco Intrusion Prevention System (CIDS/IPS)
This section will be updated when more information is available.
Details
TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet. An industry-wide vulnerability exists in the TLS protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.
Note: Extensible Authentication Protocol Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol (PEAP) are not affected by this vulnerability.
The following Cisco Bug IDs are being used to track potential exposure to the SSL and TLS issues. The bugs listed below do not confirm that a product is vulnerable, but rather that the product is under investigation by the appropriate product teams.
Registered Cisco customers can view these bugs via Cisco's Bug Toolkit: http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl
| Product | Bug ID |
|---|---|
| Cisco ACE 4700 Series Application Control Engine Appliances | |
| Cisco ACE Application Control Engine Module | |
| Cisco ACE GSS 4400 Series Global Site Selector Appliances | |
| Cisco ACE Web Application Firewall | |
| Cisco Adaptive Security Device Manager (ASDM) | |
| Cisco AON Software | |
| Cisco AON Healthcare for HIPAA and ePrescription | |
| Cisco Application and Content Networking System (ACNS) Software | |
| Cisco Application Networking Manager | |
| Cisco ASA 5500 Series Adaptive Security Appliances | |
| Cisco ASA Advanced Inspection and Prevention (AIP) Security Services Module | |
| Cisco AVS 3100 Series Application Velocity System | |
| Cisco Catalyst 6500 Series SSL Services Module | |
| Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module (FWSM) | |
| Cisco CSS 11000 Series Content Services Switches | |
| Cisco Unified SIP Phones | |
| Cisco Data Mobility Manager | |
| Cisco Digital Media Manager | |
| Cisco Digital Media Players | |
| Cisco Emergency Responder | |
| Cisco Internet Streamer CDS | |
| Cisco IOS Software | |
| Cisco IOS XE Software | |
| Cisco IOS XR Software | |
| Cisco IP Communicator | |
| CATOS | |
| Cisco IronPort Appliances | |
| Cisco NAC Appliance (Clean Access) | |
| Cisco NAC Guest Server | |
| Cisco NAC Profiler | |
| Cisco Network Analysis Module Software (NAM) | |
| Cisco Network Registrar | |
| Cisco ONS 15500 Series | |
| Cisco Physical Access Gateways | |
| Cisco Physical Access Manager | |
| Cisco QoS Device Manager | |
| Cisco Secure Access Control Server (ACS) | CSCtd00725 and CSCtd69422 |
| Cisco Secure Desktop | |
| Cisco Secure Services Client | |
| Cisco Security Agent CSA | |
| Cisco Security Monitoring, Analysis and Response System (MARS) | |
| Cisco Unified IP Phones | |
| Cisco TelePresence Manager | |
| Telepresence for Consumer | |
| Cisco TelePresence Recording Server | |
| Cisco Network Asset Collector | CSCtd04198 and CSCtd37007 |
| Cisco Unified Communications Manager (CallManager) | |
| Cisco Unified Business Attendant Console | |
| Cisco Unified Contact Center Enterprise | |
| Cisco Unified Contact Center Express | |
| Cisco Unified Contact Center Management Portal | |
| Cisco Unified Contact Center Products | |
| Cisco Unified Department Attendant Console | |
| Cisco Unified E-Mail Interaction Manager | |
| Cisco Unified Enterprise Attendant Console | |
| Cisco Unified Mobility | |
| Cisco Unified Mobility Advantage | |
| Cisco Unified Operations Manager | |
| Cisco Unified Personal Communicator | |
| Cisco Unified Presence | CSCtd05791 and CSCte81278 |
| Cisco Unified Provisioning Manager | |
| Cisco Unified Quick Connect | |
| Cisco Unified Service Monitor | |
| Cisco Unified Service Statistics Manager | |
| Cisco Unified SIP Proxy | |
| Cisco Unity | |
| Cisco NX-OS Software | CSCtd00699 and CSCtd00703 |
| Cisco Video Portal | |
| Cisco Video Surveillance Media Server Software | |
| Cisco Video Surveillance Operations Manager Software | |
| Cisco Wide Area Application Services (WAAS) | |
| Cisco Wireless Control System | |
| Cisco Wireless LAN Controller (WLC) | |
| Cisco Wireless Location Appliance | |
| CiscoWorks Common Services Software | |
| CiscoWorks Wireless LAN Solution Engine (WLSE) | |
| Linksys Routers | Not viewable in Bug Toolkit |
| WebEx Connect | Not viewable in Bug Toolkit |
| WebEx Event Center | Not viewable in Bug Toolkit |
| WebEx Meeting Center | Not viewable in Bug Toolkit |
| WebEx Meet Me Now (MMN) | Not viewable in Bug Toolkit |
| WebEx PCNow (PCN) | Not viewable in Bug Toolkit |
| WebEx Sales Center | Not viewable in Bug Toolkit |
| WebEx Support Center | Not viewable in Bug Toolkit |
| WebEx Training Center | Not viewable in Bug Toolkit |
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-3555.
Vulnerability Scoring Details
Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.
TLS Renegotiation Vulnerability

CVSS Base Score - 4.3

| Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|
| Network | Medium | None | None | Partial | None |

CVSS Temporal Score - 4.1

| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| Functional | Unavailable | Confirmed |
Impact
A protocol-level design flaw in the TLS specification allows an attacker to perform a man-in-the-middle (MITM) attack on sessions protected by Transport Layer Security (TLS) and Secure Sockets Layer (SSL). The attacker first completes a TLS handshake with the server in its own name and sends chosen data, then relays the victim client's handshake to the server as a renegotiation of that same connection. Because the protocol does not cryptographically bind the renegotiated handshake to the session that preceded it, the server treats the attacker's data and the client's subsequent data as one continuous stream from a single authenticated peer. This may allow the attacker to execute operations on the server using the client's credentials, but it does not allow the attacker to read, decrypt, or alter the encrypted traffic between client and server. While the vulnerability exists within the TLS protocol, the impact of an attack depends on the application protocol running over TLS.
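The HTTP request splice this flaw enables, as an added example that is not part of the Cisco advisory. The TLS layer is modelled as a transparent byte stream so the concatenation a vulnerable server performs can be seen directly; the bank host, paths, header names and cookie value are constructed for illustration, and patched_server_view models a server that simply refuses renegotiation, which is the fix the software table in this advisory describes:

```python
"""
Added example (not from the Cisco advisory): the application-layer effect of
the TLS renegotiation splice behind CVE-2009-3555, shown for HTTP.

On a vulnerable server the attacker's plaintext (sent on the attacker's own
session) and the victim's plaintext (sent after the relayed handshake is
accepted as a renegotiation) are concatenated and handed to the HTTP parser
as one authenticated request. All hosts, paths and tokens are constructed.
"""
from typing import Dict, Optional, Tuple

CRLF = "\r\n"


def parse_http_request(stream: str) -> Tuple[str, Dict[str, str], str]:
    """Minimal HTTP/1.x parser returning (request line, headers, body).

    Header names are lower-cased; the first occurrence of a name wins, which is
    the usual server behaviour for Cookie.
    """
    head, _, body = stream.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers, body


def vulnerable_server_view(attacker_prefix: str, victim_request: str) -> str:
    """Pre-fix behaviour: bytes from before and after the renegotiation form
    one stream, so the victim's request is glued onto the attacker's prefix."""
    return attacker_prefix + victim_request


def patched_server_view(attacker_prefix: str, victim_request: str) -> Optional[str]:
    """A server that refuses renegotiation rejects the relayed handshake, so the
    attacker's half-finished request never completes and nothing the victim
    sends is attributed to the attacker's session: no request is delivered."""
    return None


# Constructed attacker prefix. The trailing "X-Ignore: " header has no CRLF, so
# the victim's own request line is absorbed into it as a harmless header value,
# while the victim's Cookie header survives and is applied to the attacker's URL.
ATTACKER_PREFIX = (
    "GET /account/transfer?to=attacker&amount=1000 HTTP/1.1" + CRLF
    + "X-Ignore: "
)

# Constructed victim request, sent once the client believes its handshake is done.
VICTIM_REQUEST = (
    "GET /account/balance HTTP/1.1" + CRLF
    + "Host: bank.example" + CRLF
    + "Cookie: session=victim-session-token" + CRLF
    + CRLF
)


def splice_outcome() -> Dict[str, Optional[str]]:
    """What the vulnerable server's application executes, and with whose cookie."""
    request_line, headers, _ = parse_http_request(
        vulnerable_server_view(ATTACKER_PREFIX, VICTIM_REQUEST)
    )
    return {
        "request_line": request_line,
        "cookie": headers.get("cookie"),
        "swallowed_line": headers.get("x-ignore"),
    }


if __name__ == "__main__":
    for key, value in splice_outcome().items():
        print(f"{key}: {value}")
    print("patched server delivers:", patched_server_view(ATTACKER_PREFIX, VICTIM_REQUEST))
```

The attacker never sees the server's reply, which is encrypted under keys negotiated only with the victim; that is why the scoring above rates integrity impact as partial and confidentiality impact as none. HTTP's header-continuation rules are what make the absorbed request line harmless to the server's parser, so whether a prefix does damage really does depend on the application protocol carried over TLS.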
Software Versions and Fixes
This section will be updated to include fixed software versions for affected Cisco products as they become available.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the table below lists a product that has been patched to disable SSL/TLS renegotiation and the software version(s) that contain the fix. A device running a release earlier than the first fixed release in its row is known to be vulnerable and should be upgraded to that release or later. Where a row lists several releases, each is the first fixed release of a separate software train; compare against the train you are running.
| Product | First Fixed Releases |
|---|---|
| Cisco ASA 5500 Series Adaptive Security Appliances | 7.2(4.44), 8.0(5.6), 8.1(2.39), 8.2(1.16), 8.3(0.08) |
| Cisco ACE 4700 Series Application Control Engine Appliances | 3.0(0)A3(2.4.61) |
| Cisco ACE Application Control Engine Module | 3.0(0)A2(2.2.28), 3.0(0)A2(2.3) |
| Cisco Application and Content Networking System (ACNS) Software | 5.5.17 |
| Cisco Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module (FWSM) | 3.1(17), 3.2(15), 4.0(9), 4.1(1) |
| Cisco Internet Streamer CDS | 2.6.0 |
| Cisco IronPort's Email Security Appliance (X-series and C-series) | 7.0.1 and above |
| Cisco IronPort's Web Security Appliance (S-series) | 6.3.3 and above |
| Cisco Mobile Wireless Transport Manager (MWTM) | 6.1(2) |
| Cisco Network Analysis Module Software (NAM) | 4.1(1-patch2) |
| Cisco Network Collector | 6.1 |
| Cisco NX-OS Software (Nexus 5000) | 4.1(3)N2(1a) |
| Cisco NX-OS Software (Nexus 7000) | 4.2(3), 5.0 |
| Cisco Security Agent CSA | 6.0(1.126), 6.0(2.099) |
| Cisco Unified Communications Manager (CallManager) | 6.1(5), 8.0(0.98000.106) |
| Cisco Unified Computing System Blade-Server | 4.0(1a)N2(1.2h), 4.0(1a)N2(1.2j) |
| Cisco Unified IP Phones | RT: Release 9.0.3; TNP: Release 9.0.2 |
| Cisco Unified Intelligent Contact Management Enterprise | 7.5(8), 8.0(1) |
| Cisco Unity Connection | 8.0(1) |
| Cisco Wide Area Application Services (WAAS) | 4.1.7, 4.2.1 |
| Cisco Wireless LAN Controller (WLC) | 6.0(196.000) |
| Cisco Video Surveillance Media Server Software | 4.2.1 / 6.2.1 |
Fixed Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT
All other fixed software can be downloaded from: http://www.cisco.com/cisco/psn/web/download/index.html
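After an upgrade, verify the exposure from the wire rather than from the version string alone. The Python below is an added example, not code from the advisory or from Cisco: it builds a TLS 1.0 ClientHello carrying the TLS_EMPTY_RENEGOTIATION_INFO_SCSV and parses the ServerHello for the renegotiation_info extension defined in RFC 5746, the industry-wide fix for CVE-2009-3555 (the advisory itself does not cite the RFC). The sample ServerHellos are constructed so the check runs offline; probe_host is the optional live path. Caveat: the fixed releases in the table above disable renegotiation rather than implement RFC 5746, so such a server also reports "not advertised"; for those, confirm instead that a client-initiated renegotiation (for example with openssl s_client, then typing R on a line by itself) is refused.

```python
# Added example, not part of the Cisco advisory. Classifies a TLS ServerHello
# by whether it carries the RFC 5746 renegotiation_info extension.
import socket
import struct
from typing import Dict, Optional

RENEGOTIATION_INFO = 0xFF01             # extension type (RFC 5746)
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # signalling cipher suite value (RFC 5746)
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS1_0 = 0x0301


def build_client_hello(client_random: bytes = bytes(32)) -> bytes:
    """TLS 1.0 ClientHello offering one real suite plus the SCSV (no extensions,
    so extension-intolerant servers of the period still answer)."""
    suites = struct.pack("!HH", TLS_RSA_WITH_AES_128_CBC_SHA,
                         EMPTY_RENEGOTIATION_INFO_SCSV)
    body = (struct.pack("!H", TLS1_0) + client_random + b"\x00"  # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                      # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", TLS1_0, len(handshake)) + handshake


def parse_server_hello(data: bytes) -> Dict[str, object]:
    """Parse the first handshake message of the first record in `data`; it must
    be a ServerHello. Later messages in the same record are ignored."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) != rec_len or rec_len < 4 or rec[0] != 0x02:
        raise ValueError("truncated record or not a ServerHello")
    body_len = int.from_bytes(rec[1:4], "big")
    body = rec[4:4 + body_len]
    if len(body) != body_len or body_len < 38:
        raise ValueError("truncated ServerHello")
    off = 2 + 32                      # version + server random
    off += 1 + body[off]              # session id
    if off + 3 > len(body):
        raise ValueError("session id overruns message")
    cipher = struct.unpack("!H", body[off:off + 2])[0]
    off += 3                          # cipher suite + compression method
    extensions: Dict[int, bytes] = {}
    if off < len(body):               # the extensions block is optional
        ext_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        if end != len(body):
            raise ValueError("bad extensions length")
        while off < end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            if off + elen > end:
                raise ValueError("extension overruns block")
            extensions[etype] = body[off:off + elen]
            off += elen
    return {"cipher": cipher, "extensions": extensions}


def secure_renegotiation_status(server_hello: bytes) -> str:
    """'supported', 'not advertised' or 'malformed'. In an initial handshake the
    extension body must be one zero byte; RFC 5746 tells clients to abort otherwise."""
    ext = parse_server_hello(server_hello)["extensions"].get(RENEGOTIATION_INFO)
    if ext is None:
        return "not advertised"
    return "supported" if ext == b"\x00" else "malformed"


def build_sample_server_hello(extensions: Optional[bytes]) -> bytes:
    """Constructed test data: a TLS 1.0 ServerHello with raw extension bytes."""
    body = (struct.pack("!H", TLS1_0) + bytes(32) + b"\x00"
            + struct.pack("!H", TLS_RSA_WITH_AES_128_CBC_SHA) + b"\x00")
    if extensions is not None:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", TLS1_0, len(handshake)) + handshake


# Constructed samples: an unpatched server sends no extensions at all; an
# RFC 5746 server answers the SCSV with renegotiation_info holding one zero byte.
UNPATCHED_SERVER_HELLO = build_sample_server_hello(None)
RFC5746_SERVER_HELLO = build_sample_server_hello(
    struct.pack("!HHB", RENEGOTIATION_INFO, 1, 0))


def probe_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check against a real server (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                raise ValueError("connection closed before a full ServerHello")
            data += chunk
    return secure_renegotiation_status(data)
```

Run secure_renegotiation_status on the two constructed samples to see both outcomes, or probe_host("host", 443) against a server you are authorised to test. A server that answers with an alert instead of a ServerHello raises ValueError, which is itself informative: it rejected a ClientHello that carried only the SCSV.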
Workarounds
There are no known workarounds.
Obtaining Fixed Software
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html , or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml .
Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.
Customers with Service Contracts
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers without Service Contracts
Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
- +1 800 553 2447 (toll free from within North America)
- +1 408 526 7209 (toll call from anywhere in the world)
- e-mail: tac@cisco.com
Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
This vulnerability was initially discovered by Marsh Ray and Steve Dispensa from PhoneFactor, Inc.
Cisco is not aware of any malicious exploitation of this vulnerability.
Proof-of-concept exploit code has been published for this vulnerability.
Status of this Notice: Final
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
This advisory is posted on Cisco's worldwide website at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20091109-tls
In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
- cust-security-announce@cisco.com
- first-bulletins@lists.first.org
- bugtraq@securityfocus.com
- vulnwatch@vulnwatch.org
- cisco@spot.colorado.edu
- cisco-nsp@puck.nether.net
- full-disclosure@lists.grok.org.uk
- comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.15 | 2011-October-20 | Updated Vulnerable Products and Products Confirmed Not Vulnerable |
| 1.14 | 2010-July-22 | Updated Vulnerable Products |
| 1.13 | 2010-March-29 | Updated Fixed Software Versions for CUCM |
| 1.12 | 2010-March-10 | Updated Fixed Software Versions for WAAS and WLC |
| 1.11 | 2010-March-03 | IOS HTTP Secure Server added to Products Confirmed Not Vulnerable |
| 1.10 | 2010-February-26 | Updated Fixed Software |
| 1.9 | 2010-February-05 | Updated Affected Products and Details Sections |
| 1.8 | 2010-January-21 | Updated Software Fixes Table and Products Confirmed Not Vulnerable |
| 1.7 | 2010-January-04 | Affected Products update |
| 1.6 | 2009-December-18 | Affected Products and Details updates |
| 1.5 | 2009-December-14 | EAP-TLS and PEAP not vulnerable |
| 1.4 | 2009-December-4 | Details and Impact update |
| 1.3 | 2009-December-3 | Affected Products update |
| 1.2 | 2009-November-18 | Affected Products update |
| 1.1 | 2009-November-16 | Affected Products update |
| 1.0 | 2009-November-9 | Initial public release |
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.