Summary
Cisco CSS 11500 Series Content Services Switches (CSS) configured with Secure Socket Layer (SSL) termination services are vulnerable to a Denial of Service (DoS) attack when processing malformed client certificates. Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20051019-css.
Affected Products
This section provides details on affected products.
Vulnerable Products
Cisco CSS 11500 Series Content Services Switches running the following versions of the Cisco WebNS operating system:
- 7.1
- 7.2
- 7.3
- 7.4
- 7.5
The version of Cisco WebNS running on a CSS can be determined by running the following command:
# show version
Products Confirmed Not Vulnerable
Cisco CSS 11000 Series Content Services Switches
No other Cisco products are currently known to be affected by this vulnerability.
Details
The Cisco CSS 11500 Content Service Switch is a load-balancing device designed to provide robust, scalable network services (Layer 4-7) for data centers. The Cisco CSS 11500 performs an analysis of protocol headers and directs requests to an appropriate resource based on configurable policies. With integrated SSL modules, a Cisco CSS 11500 can simplify the management of digital certificates and provide SSL acceleration services to optimize performance.
A Cisco CSS 11500 may reload due to a memory corruption issue when presented with a malformed digital client certificate during the negotiation of an SSL session. This condition is present even if the CSS did not request a client certificate during SSL session negotiation. This vulnerability is only present if a CSS is configured to support SSL termination services. SSL termination services are not configured by default.
Users can determine if SSL termination services are configured on a CSS by performing the following steps.
- View the current running configuration:
  # show running-config
- In the Services section of the configuration, users can find enabled SSL termination services. An example of an enabled SSL termination service called ssl-serv1 will look similar to the following. The type command with the option ssl-accel or ssl-accel-backend indicates that the service is associated with an SSL module, and the active command signifies that an SSL termination service is enabled.
  service ssl-serv1
    type ssl-accel
    slot 3
    keepalive type none
    add ssl-proxy-list ssl list1
    active
The vulnerability is documented in the following Cisco Bug ID:
- CSCee64771 (registered customers only) -- CSS running SSL may crash with malformed client certificates
Workarounds
The effectiveness of any workaround is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround is the most appropriate for use in the intended network before it is deployed.
If upgrading to a fixed version of Cisco WebNS software is not possible, the following workarounds are available.
- Disable SSL termination for network services if not needed.
  In service configuration mode, a user can disable an SSL service using the following commands. ssl-serv1 is the name of a user-defined SSL service.
  (config)# no service ssl-serv1
  Delete service <ssl>, [y/n]:y
  Documentation for configuring SSL services on a CSS running Cisco WebNS 7.40 can be found at http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_book09186a008027ab4e.html.
  Documentation for configuring SSL services on a CSS running Cisco WebNS 7.50 can be found at http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_book09186a0080405453.html.
- Use Access Control Lists (ACL) on a CSS or network device in front of a CSS to restrict access to SSL terminated services to trusted networks.
  Documentation for configuring an ACL on a CSS running Cisco WebNS 7.40 can be found at http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a008029b1db.html#wp1133930.
  Documentation for configuring an ACL on a CSS running Cisco WebNS 7.50 can be found at http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a008040aeb9.html#wp1133930.
Software Versions and Fixes
When considering software upgrades, consult http://www.cisco.com/en/US/products/products_security_advisories_listing.html and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") for assistance.
Train    Fixed Releases
7.3      7.30.4.02 and later
7.4      7.40.2.02 and later
7.5      7.50.1.03 and later
Customers running Cisco WebNS 7.10 and 7.20 are encouraged to upgrade CSS platforms to a fixed version of Cisco WebNS 7.30 or greater. Fixed software may be obtained by registered users at http://www.cisco.com/pcgi-bin/tablebuild.pl/css11500-maint?psrtdcat20e2.
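As an added example (not part of the Cisco advisory), the following Python ties together the two checks described above: finding active services of type ssl-accel or ssl-accel-backend in a `show running-config`, and comparing the running WebNS version against the fixed-release table. The running-config sample and version strings are constructed, and the parser assumes the service-block layout shown in the Details section.

```python
import re

# Minimum fixed release per train, from the advisory's table. WebNS 7.10 and
# 7.20 have no in-train fix, so any 7.1x/7.2x version is treated as unfixed.
FIXED = {"7.30": "7.30.4.02", "7.40": "7.40.2.02", "7.50": "7.50.1.03"}
SSL_TYPES = ("ssl-accel", "ssl-accel-backend")

# Constructed sample of a running-config Services section (not real device output).
CONSTRUCTED_CONFIG = """\
service web-serv1
  ip address 10.1.1.10
  active
service ssl-serv1
  type ssl-accel
  slot 3
  keepalive type none
  add ssl-proxy-list ssl_list1
  active
service ssl-serv2
  type ssl-accel-backend
  slot 4
"""

def parse_version(version):
    """'7.40.2.02' -> (7, 40, 2, 2); a short train name like '7.4' reads as (7, 40)."""
    parts = [int(x) for x in version.split(".")]
    if len(parts) > 1 and parts[1] < 10:
        parts[1] *= 10
    return tuple(parts)

def version_is_fixed(version):
    """True only if the version is at or above the fixed release for its train."""
    parts = parse_version(version)
    train = "%d.%d" % parts[:2] if len(parts) > 1 else ""
    return train in FIXED and parts >= parse_version(FIXED[train])

def ssl_termination_services(running_config):
    """Names of services that are 'active' and whose type is ssl-accel or ssl-accel-backend."""
    found = []
    for block in re.split(r"(?m)^service\s+", running_config)[1:]:
        lines = [ln.strip() for ln in block.splitlines()]
        typ = next((ln.split()[1] for ln in lines[1:] if ln.startswith("type ")), None)
        if typ in SSL_TYPES and "active" in lines[1:]:
            found.append(lines[0].split()[0])
    return found

def assess(running_config, version):
    """Exposed only when an active SSL termination service runs on an unfixed WebNS release."""
    services = ssl_termination_services(running_config)
    return bool(services) and not version_is_fixed(version), services
```

A service with an SSL type but no `active` line (ssl-serv2 in the sample) is not counted, matching the advisory's statement that `active` is what enables the termination service.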
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
Cisco Security Procedures
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History
Revision 1.1    2005-October-19    Added direct links to fixed software in Software Versions and Fixes table.
Revision 1.0    2005-October-19    Initial public release.
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.