A vulnerability in the SSL/TLS functions of the Cisco ACE30 Application Control Engine Module and the Cisco ACE 4700 Series Application Control Engine Appliances could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device.
The vulnerability is due to incomplete input validation checks in the SSL/TLS code. An attacker could exploit this vulnerability by sending specific SSL/TLS packets to the affected device. An exploit could allow the attacker to trigger a reload of the affected device.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
Vulnerable ProductsThis vulnerability affects all software versions running on the Cisco ACE30 Application Control Engine Module and Cisco ACE 4710 Application Control Engine prior to A5(3.5).
Products Confirmed Not VulnerableNo other Cisco products are currently known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- Cisco ACE XML Gateway
- Cisco ACE Web Application Firewall
- Cisco ACE GSS 4400 Series Global Site Selector Appliances
- Cisco ACE10 Application Control Engine Module
- Cisco ACE20 Application Control Engine Module
The Cisco ACE 4710 Application Control Engine appliance and the Cisco ACE30 Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers are a load-balancing and application-delivery solution for data centers.
These products entered end-of-life cycle on July 26, 2013. For reference please see End-of-Sale and End-of-Life Announcement for the Cisco ACE Application Control Engine ACE30 Module and End-of-Sale and End-of-Life Announcement for the Cisco ACE 4710 Application Control Engine Hardware.
The vulnerability is triggered by specific SSL/TLS protocol packets. This vulnerability affects all ACE30 and ACE 4710 devices with SSL Termination, SSL End-to-End, or SSL Initiation configurations.
Exploitation of this vulnerability could cause an affected device to reload and generate a Network Process (NP) core file. To view the core file, administrators can issue the dir core: command in the ACE command-line interface (CLI).
The following system log messages may be observed when the ACE reloads:
%ACE-6-199008: DC controller:Ch1 asserts back pressure” and %ACE-2-199006: Orderly reload started at <date/time> by System. Reload reason: DC Counter exceeds threshold : DC0_COUNTER = 1 | DC1_COUNTER = 0#012#012.”
There are no workarounds that address this vulnerability.
Cisco will release free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html.
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized re-seller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC): http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html.
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Cisco ACE Major Release First Fixed Release A1(x) Affected; Migrate to A5(3.5) A3(x) Affected; Migrate to A5(3.5)
A4(x) Affected; Migrate to A5(3.5)
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Cisco PSIRT has observed impact to customers due to an Internet research project that was scanning SSL/TLS servers that had the consequence of triggering the vulnerability on the Cisco ACE30 and Cisco ACE 4710.
This vulnerability was discovered as part of handling customer support requests.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Version Description Section Status Date 1.2 Updated the summary and replaced A5(x) with A5(3.5) in the Fixed Software table. Summary and Fixed Software Interim 2016-October-26 1.1 Updated the first fixed available software details. Summary, Vulnerable Products and Fixed Software Interim 2016-September-14 1.0 Initial public release. — Interim 2016-September-08
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.