Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0822 -- [Cisco]
Vulnerabilities in OpenSSL Library Affect Multiple Cisco Products
10 November 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Global Site Selector (GSS 4480, 4490, 4491, 4492)
Cisco MDS 9500 Multilayer Director
Cisco IDS
Cisco ONS
Cisco Access Registrar
Cisco Secure ACS
Cisco Security Agent
Cisco Call Manager
Cisco Unified Presence Server
Cisco Security MARS
Cisco CSS 11500 Series Content Services Switches
Cisco Wireless LAN Controller
Cisco Application and Content Networking System (ACNS)
Cisco Wide Area File Services Software (WAFS)
Cisco Wide Area Application Services (WAAS)
Cisco SIP Proxy Server
CiscoWorks Common Services
CiscoWorks Common Management Foundation
Publisher: Cisco Systems
Operating System: Cisco
Windows
Impact: Execute Arbitrary Code/Commands
Denial of Service
Provide Misleading Information
Access: Remote/Unauthenticated
CVE Names: CVE-2006-4343 CVE-2006-4339 CVE-2006-3738
CVE-2006-2940 CVE-2006-2937
Ref: AL-2006.0084
AL-2006.0074
Original Bulletin:
http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Response: Multiple Vulnerabilities in OpenSSL library
http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
Revision 1.0
For Public Release 2006 November 08 1600 UTC (GMT)
- - ---------------------------------------------------------------------
Cisco Response
==============
This is the Cisco PSIRT response to the multiple security advisories
published by The OpenSSL Project. The vulnerabilities are as follows:
* RSA Signature Forgery (CVE-2006-4339), described in
http://www.openssl.org/news/secadv_20060905.txt
* ASN.1 Denial of Service Attacks (CVE-2006-2937, CVE-2006-2940),
described in http://www.openssl.org/news/secadv_20060928.txt
* SSL_get_shared_ciphers() buffer overflow (CVE-2006-3738), also in
http://www.openssl.org/news/secadv_20060928.txt leavingcisco.com
* SSLv2 Client Crash (CVE-2006-4343), also in
http://www.openssl.org/news/secadv_20060928.txt
As of this publication, there are no workarounds available for any of
these vulnerabilities, but it may be possible to mitigate some of the
exposure. This Security Response lists the status of each product or
application when considered individually. However, in cases where
multiple applications are running on the same computer, a
vulnerability in one application or component can compromise the
entire system. This compromise can then be leveraged against
applications that would otherwise be unaffected. Therefore, users
must consider all applications when determining their exposure to
these vulnerabilities. Cisco strongly recommends that customers
update all vulnerable applications and components to provide the
greatest protection from the listed vulnerabilities. Cisco will
update this document in the event of any changes.
Additional Information
======================
RSA Signature Forgery
+--------------------
During the CRYPTO 2006 conference, which was held August 20-24, 2006,
Daniel Bleichenbacher presented a method for forging RSA signatures.
The attack requires two conditions to be successful:
* The keys use 3 (three) as one of the RSA exponents.
* The signature verification algorithm has vulnerable
implementation.
Notes describing this attack are at
http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
The signature verification implementation vulnerability consists of
improper verification of PKCS-1 padded data. Any software with this
vulnerability might accept a forged signature, but only if the key
that is being forged has 3 (three) as one of the exponents.
ASN.1 Denial of Service Attacks
+------------------------------
Two vulnerabilities have been uncovered by an ASN.1 test suite
developed by Dr. S. N. Henson. Both of these vulnerabilities, if
exploited, can cause denial of service. The vulnerabilities are as
follows:
* Parsing of certain invalid ASN.1 structures can result in an
infinite loop that can consume system memory. This issue does not
affect OpenSSL versions prior to 0.9.7. This is assigned CVE
number CVE-2006-2937.
* Specially crafted public keys can take a disproportionate amount
of time to be processed. This is assigned CVE number
CVE-2006-2940.
SSL_get_shared_ciphers() buffer overflow
+---------------------------------------
A specially crafted list of ciphers can be used to overrun a buffer.
This vulnerability has been assigned CVE ID of CVE-2006-3738 and was
discovered by Tavis Ormandy and Will Drewry from Google Security
Team.
SSLv2 Client Crash
+-----------------
SSL server can send malformed packet during SSLv2 connection
negotiation that can crash an SSL client. This vulnerability is
assigned CVE ID CVE-2006-4343.
Products Affected by OpenSSL Vulnerabilites
+------------------------------------------
Note: This is not a definitive list. Cisco continues to verify other
products and the list will be updated accordingly. The following
products are affected by the OpenSSL issues listed in this Security
Response:
* Cisco Global Site Selector (GSS 4480, 4490, 4491, 4492) - Cisco
bug ID is CSCsg22734. The fix is
expected in the 2.0(1) release that is targeted for February
2007.
* Cisco MDS 9500 Multilayer Director - Cisco bug ID is
CSCsg01963. Availability of fixed software has not been determined
yet.
* Cisco IDS - Cisco bug ID is CSCsg09619. Availability of fixed
software has not been determined yet.
* Cisco ONS 15454 - Cisco bug ID is CSCsg16571. The fix is contained
in version 8.0 and later.
* Cisco Access Registrar - Cisco bug ID is CSCsg17943. Availability
of fixed software has not been determined yet.
* Cisco Secure ACS - Cisco bug ID is CSCsg24311. Availability of
fixed software has not been determined yet.
* Cisco Security Agent - Cisco bug ID is CSCsg46092. Fixed libraries
are provided by the hotfix 5.1.0.79. Other supported software
releases will be updated in an upcoming releases.
* Cisco Call Manager - Cisco bug IDs are CSCsg04397 and CSCsg04386.
Only software releases 4.x and higher are affected. None of the
previous releases are vulnerable. The fixes will be available in
software release 5.1(1) currently targeted for 2006-Dec-11.
* Cisco Unified Presence Server - Cisco bug ID CSCsg51110. Fixed
software will be available in CUPS 1.0(3), currently targeted for
2006-Nov-16.
* Cisco Security MARS - Cisco bug ID is CSCsg51304. The fixes will
be available in software release 4.2.3, which is expected in
2006-December.
* Cisco CSS 11500 Series Content Services Switches - Cisco bug ID is
CSCek57074. Fixed software is available as releases 7.50.3.4S and
8.10.2.6S.
* Cisco Wireless LAN Controller - Cisco bug ID is CSCsg59589. The
fixes will be available in upcoming software releases 4.0.x,
targeted for 2006-Dec-18, and 3.2.x, targeted for 2007-January-31.
* Cisco Application and Content Networking System (ACNS) - Cisco bug
ID is CSCsf97055 and CSCsg55732. Availability of fixed software
has not been determined yet.
* Cisco Application Control Engine Module - Cisco bug ID is
CSCsg36592. Availability of fixed software has not been determined
yet.
* Cisco Wide Area File Services Software (WAFS) - Cisco bug ID is
CSCsg55738. Availability of fixed software has not been determined
yet.
* Cisco Wide Area Application Services (WAAS) Software - Cisco bug
ID is CSCsg55742. Availability of fixed software has not been
determined yet.
* Cisco SIP Proxy Server - Cisco bug ID is CSCsg56292. Availability
of fixed software has not been determined yet.
* CiscoWorks Common Services - Cisco bug IDs are CSCsg58599 and
CSCsg58607. Some Cisco management products integrate CiscoWorks
Common Services into their general installation and runtime
environments. To verify, navigate the path Server Configuration >
About the Server > Applications and Versions in the CiscoWorks
Server. Availability of fixed software has not been determined
yet.
* CiscoWorks Common Management Foundation (CMF was referred to as
Common Services before the release of CiscoWorks 3.0) - Cisco bug
ID is CSCsg58592. Some Cisco management products integrate
CiscoWorks Common Services into their general installation and
runtime environments. To verify, navigate the path Server
Configuration > About the Server > Applications and Versions in
the CiscoWorks Server. Availability of fixed software has not been
determined yet.
Products Not Affected by OpenSSL Vulnerabilites
+----------------------------------------------
Note: This list is not a definitive list. Cisco continues to verify
other products and the list will be updated accordingly. The
following products are confirmed not vulnerable.
* Cisco IOS
* Cisco IOS XR
* Cisco IP Interoperability and Collaboration System (IPICS)
* Cisco ASA/PIX/FWSM - While these products contain the OpenSSL
libraries, they do not make use of the vulnerable code.
Nonetheless, the software library has been updated to avoid any
potential issues in the future.
+ For Cisco PIX/ASA, this is tracked by Cisco bug IDs
CSCsg21727, CSCsg52606, CSCsg07425, and CSCsg07405. Software
releases with updated libraries will be 6.3.6, 7.0.7,
7.1.2.26, and 7.2.1.21 and later.
+ For Cisco FWSM, this is tracked by Cisco bug ID CSCsg52485,
and the fixed libraries are expected in one of upcoming 3.1
interim releases.
Workaround
==========
SSL is predominately used for securing HTTP traffic, but is also used
to secure other TCP traffic, such as SMTP, POP3, IMAP, and FTP.
Generally speaking, there is no workaround for these issues, but
mitigation is possible. By blocking affected protocols at the edge of
your network and by allowing only legitimate IP addresses to connect
to your devices, it is possible to lower your exposure to these
vulnerabilities.
Another option, which could reduce the security of your system, is to
revert to non-secure variants of the protocols. In that case, you
will not be affected by the vulnerabilities described here, but your
traffic will be sent in clear text and, if intercepted, an adversary
will be able to read it or even modify it while in transit.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2006-November-08 | public |
| | | release. |
+----------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
- - ---------------------------------------------------------------------
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFFUfF38NUAbBmDaxQRAs4AAKCfOiUIc66qQAK9t5mFDNZWcT8GLgCdEdyU
znZ1qZJqAO1J05Idk4o9QOU=
=Pcry
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRVPbYyh9+71yA2DNAQKq0AP/QCkqsup0KWVNFU7nWBcAY+udm2b8d0UD
bvsLOJk0F3GE7sza9w6pR8K3Mk1OVgPjnE88sIeh9EE2LL+ERAkzMwvJh39bIyGC
OjnSoKQ6g3G9ZerCEzux1I5a6gdEawQtLt5PE8FGe9RPssc1ZNRQehiG8ybTcTo6
Wq2TfdmzcMY=
=wPSn
-----END PGP SIGNATURE-----