AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
-
Three Secure Shell (SSH) vulnerabilities exist in the Cisco Service Control Engine (SCE) that may result in system instability or a reload of the SCE. The first vulnerability may be triggered during SSH login activity that is conducted within aggressive time frames. The second vulnerability may be triggered with normal SSH login activity in combination with other SCE management actions occurring simultaneously. The third vulnerability may be triggered during SSH login and is specific to the usage of unique invalid authentication credentials.
Cisco has made free upgrade software available to address these vulnerabilities for affected customers. There are no workarounds for these vulnerabilities.
Note: These vulnerabilities are independent of each other; a device may be affected by one vulnerability and not by the others.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080521-sce.
-
Vulnerable Products
The SCE 1000 and 2000 series devices are affected by the following vulnerabilities if the SSH server on the SCE is enabled:
-
System vulnerability to SSH login activity - affects SCE software
versions prior to 3.1.6.
-
SSH login activity leads to illegal Input/Output operations - affects
SCE software versions prior to 3.0.7 and 3.1.0.
-
SCE SSH authentication sequence anomaly - affects SCE software
versions prior to 3.1.6.
Note: The SCE SSH server is disabled by default.
To determine whether you are running a vulnerable version of Cisco Service Control Operating System (SCOS) software, issue the "Show Version" command-line interface (CLI) command. The following example shows a Cisco SCE that runs software release 3.1.6:
SCE2000#>show version System version: Version 3.1.6 Build 157 Build time: Mar 31 2008, 18:58:49 (Change-list 303626) Software version is: Version 3.1.6 Build 157
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
System vulnerability to SSH login activity - affects SCE software
versions prior to 3.1.6.
-
Cisco SCE 1000 and 2000 series devices provide high-capacity advanced application-level bandwidth optimization, stateful application inspection, session-based classification and control of network traffic. The SCE solution allows for the detection and control of network applications including: web browsing, multimedia streaming, and peer-to-peer (P2P).
This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other.
-
System vulnerability to SSH login activity
A vulnerability impacting the SCE SSH server may be triggered during SSH login activity, resulting in system instability or a reload of the SCE. Specific SSH processes may encounter temporary resource unavailability if called within aggressive intervals.
This vulnerability is documented in Cisco Bug ID CSCsi68582 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-0534.
-
SSH login activity leads to illegal Input/Output operations
A second vulnerability exists in the SCE SSH server that may be triggered with normal SSH traffic to the SCE management interface occurring in conjunction with other management tasks. During this event, an illegal IO operation may impact the SCE management agent, requiring a reboot of the SCE to recover management access.
This vulnerability is documented in Cisco Bug ID CSCsh49563 ( registered customers only) and has been assigned CVE ID CVE-2008-0536.
-
SCE SSH authentication sequence anomaly
A third vulnerability exists in the SCE SSH server that may also be triggered during the SSH login process but unrelated to login attempt frequency or other concurrent management tasks. This issue is triggered by the usage of specific SSH credentials that attempt to change the authentication method, resulting in an authentication sequence anomaly impacting system stability.
This vulnerability is documented in Cisco Bug ID CSCsm14239 ( registered customers only) and has been assigned CVE ID CVE-2008-0535.
-
System vulnerability to SSH login activity
-
There are no workarounds for these vulnerabilities.
Filtering SSH traffic with Access Control Lists (ACLs) to affected SCE devices on the SCE management interface or on screening devices can provide a mitigation technique for these vulnerabilities. Restricting SCE SSH management interface access to only trusted devices through the use of SCE ACLs or Transit ACLs is strongly recommended.
Additional information about SCE ACLs is available in the "Configuring the Management Interface and Security" section of the SCE Software Configuration Guide: http://www.cisco.com/en/US/products/ps6134/products_configuration_guide_chapter09186a00808498b9.html#wp1060396
Additional information about tACLs is available in Transit Access Control Lists: Filtering at Your Edge: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
The following list contains the first fixed software release for each vulnerability:
Vulnerability
Affected Major Release
First Fixed Release
System vulnerability to SSH login activity
1.x
3.1.6
2.x
3.1.6
3.x
3.1.6
SSH login activity leads to illegal IO operations
1.x
3.0.7
2.x
3.0.7
3.x
3.0.7, 3.1.0
SCE SSH authentication sequence anomaly
1.x
3.1.6
2.x
3.1.6
3.x
3.1.6
SCOS software version 3.1.6 contains the fixes for all vulnerabilities described in this document.
SCOS software is available for download from the following location on cisco.com:
-
SCOS 3.1.6
(
registered customers only)
-
SCOS 3.1.6
(
registered customers only)
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.
The SSH login activity vulnerability was discovered during the resolution of customer support cases.
The illegal Input/Output operation and authentication sequence anomaly were discovered by Cisco during internal testing.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0
2008-May-21
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.