-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2006.0822 -- [Cisco]
       Vulnerabilities in OpenSSL Library Affect Multiple Cisco Products
                              10 November 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Cisco Global Site Selector (GSS 4480, 4490, 4491, 4492)
                      Cisco MDS 9500 Multilayer Director
                      Cisco IDS
                      Cisco ONS
                      Cisco Access Registrar
                      Cisco Secure ACS
                      Cisco Security Agent
                      Cisco Call Manager
                      Cisco Unified Presence Server
                      Cisco Security MARS
                      Cisco CSS 11500 Series Content Services Switches
                      Cisco Wireless LAN Controller
                      Cisco Application and Content Networking System (ACNS)
                      Cisco Wide Area File Services Software (WAFS)
                      Cisco Wide Area Application Services (WAAS)
                      Cisco SIP Proxy Server
                      CiscoWorks Common Services
                      CiscoWorks Common Management Foundation
Publisher:            Cisco Systems
Operating System:     Cisco
                      Windows
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
                      Provide Misleading Information
Access:               Remote/Unauthenticated
CVE Names:            CVE-2006-4343 CVE-2006-4339 CVE-2006-3738
                      CVE-2006-2940 CVE-2006-2937
Ref:                  AL-2006.0084
                      AL-2006.0074

Original Bulletin:
  http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Response: Multiple Vulnerabilities in OpenSSL library

http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml

Revision 1.0

For Public Release 2006 November 08 1600 UTC (GMT)

- - ---------------------------------------------------------------------

Cisco Response
==============

This is the Cisco PSIRT response to the multiple security advisories
published by The OpenSSL Project.
The vulnerabilities are as follows:

  * RSA Signature Forgery (CVE-2006-4339), described in
    http://www.openssl.org/news/secadv_20060905.txt

  * ASN.1 Denial of Service Attacks (CVE-2006-2937, CVE-2006-2940),
    described in http://www.openssl.org/news/secadv_20060928.txt

  * SSL_get_shared_ciphers() buffer overflow (CVE-2006-3738), also in
    http://www.openssl.org/news/secadv_20060928.txt

  * SSLv2 Client Crash (CVE-2006-4343), also in
    http://www.openssl.org/news/secadv_20060928.txt

As of this publication, there are no workarounds available for any of
these vulnerabilities, but it may be possible to mitigate some of the
exposure.

This Security Response lists the status of each product or application
when considered individually. However, in cases where multiple
applications are running on the same computer, a vulnerability in one
application or component can compromise the entire system. This
compromise can then be leveraged against applications that would
otherwise be unaffected. Therefore, users must consider all applications
when determining their exposure to these vulnerabilities. Cisco strongly
recommends that customers update all vulnerable applications and
components to provide the greatest protection from the listed
vulnerabilities.

Cisco will update this document in the event of any changes.

Additional Information
======================

RSA Signature Forgery
+--------------------

During the CRYPTO 2006 conference, which was held August 20-24, 2006,
Daniel Bleichenbacher presented a method for forging RSA signatures.
The attack requires two conditions to be successful:

  * The keys use 3 (three) as one of the RSA exponents.
  * The signature verification algorithm has a vulnerable
    implementation.

Notes describing this attack are at
http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html

The signature verification implementation vulnerability consists of
improper verification of PKCS-1 padded data.
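The padding check that this bug class gets wrong, as an added example that is not part of the Cisco response or OpenSSL's code: a lenient verifier that scans past the 0xFF padding and ignores whatever follows the hash, next to a strict verifier that rebuilds the entire expected block and compares it byte for byte. It assumes a 1024-bit modulus (k = 128) and the standard SHA-1 DigestInfo prefix from PKCS#1, and works directly on the already-decrypted block EM, so no RSA key is involved.

```python
import hashlib
import hmac

# Standard PKCS#1 DER DigestInfo prefix for SHA-1 (precedes the 20-byte hash).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def lenient_verify(em: bytes, message: bytes) -> bool:
    """Flawed verifier modelled on the bug class: it walks the padding, finds
    the DigestInfo after the 0x00 separator and checks the hash, but never
    requires the hash to be the last thing in the block (trailing bytes and
    a short padding string are silently accepted)."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    body = em[i + 1:]
    if not body.startswith(SHA1_DIGESTINFO):
        return False
    digest = body[len(SHA1_DIGESTINFO):len(SHA1_DIGESTINFO) + 20]
    return digest == hashlib.sha1(message).digest()  # rest of body ignored


def strict_verify(em: bytes, message: bytes) -> bool:
    """Correct verifier: recompute the full EMSA-PKCS1-v1_5 encoding and
    compare it with EM in constant time, so padding length and any trailing
    bytes are checked as well as the hash."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    ps_len = len(em) - len(t) - 3
    if ps_len < 8:
        return False
    expected = b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t
    return hmac.compare_digest(em, expected)


def encode_pkcs1_v15(message: bytes, k: int) -> bytes:
    """Constructed helper: the correct encoding for a k-byte modulus."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def malformed_em(message: bytes, k: int) -> bytes:
    """Constructed sample of a block a lenient parser accepts: minimal
    padding, a valid DigestInfo, then filler a correct verifier must reject."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (k - len(head))
```

Running both verifiers over the two constructed blocks shows the difference: the strict check rejects the malformed block, the lenient one does not.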
Any software with this vulnerability might accept a forged signature,
but only if the key that is being forged has 3 (three) as one of the
exponents.

ASN.1 Denial of Service Attacks
+------------------------------

Two vulnerabilities have been uncovered by an ASN.1 test suite developed
by Dr. S. N. Henson. Both of these vulnerabilities, if exploited, can
cause denial of service. The vulnerabilities are as follows:

  * Parsing of certain invalid ASN.1 structures can result in an
    infinite loop that can consume system memory. This issue does not
    affect OpenSSL versions prior to 0.9.7. This is assigned CVE number
    CVE-2006-2937.

  * Specially crafted public keys can take a disproportionate amount of
    time to be processed. This is assigned CVE number CVE-2006-2940.

SSL_get_shared_ciphers() buffer overflow
+---------------------------------------

A specially crafted list of ciphers can be used to overrun a buffer.
This vulnerability has been assigned CVE ID of CVE-2006-3738 and was
discovered by Tavis Ormandy and Will Drewry from Google Security Team.

SSLv2 Client Crash
+-----------------

An SSL server can send a malformed packet during SSLv2 connection
negotiation that can crash an SSL client. This vulnerability is
assigned CVE ID CVE-2006-4343.

Products Affected by OpenSSL Vulnerabilities
+-------------------------------------------

Note: This is not a definitive list. Cisco continues to verify other
products and the list will be updated accordingly.

The following products are affected by the OpenSSL issues listed in
this Security Response:

  * Cisco Global Site Selector (GSS 4480, 4490, 4491, 4492) - Cisco bug
    ID is CSCsg22734. The fix is expected in the 2.0(1) release that is
    targeted for February 2007.

  * Cisco MDS 9500 Multilayer Director - Cisco bug ID is CSCsg01963.
    Availability of fixed software has not been determined yet.

  * Cisco IDS - Cisco bug ID is CSCsg09619. Availability of fixed
    software has not been determined yet.

  * Cisco ONS 15454 - Cisco bug ID is CSCsg16571.
    The fix is contained in version 8.0 and later.

  * Cisco Access Registrar - Cisco bug ID is CSCsg17943. Availability
    of fixed software has not been determined yet.

  * Cisco Secure ACS - Cisco bug ID is CSCsg24311. Availability of
    fixed software has not been determined yet.

  * Cisco Security Agent - Cisco bug ID is CSCsg46092. Fixed libraries
    are provided by the hotfix 5.1.0.79. Other supported software
    releases will be updated in upcoming releases.

  * Cisco Call Manager - Cisco bug IDs are CSCsg04397 and CSCsg04386.
    Only software releases 4.x and higher are affected. None of the
    previous releases are vulnerable. The fixes will be available in
    software release 5.1(1) currently targeted for 2006-Dec-11.

  * Cisco Unified Presence Server - Cisco bug ID CSCsg51110. Fixed
    software will be available in CUPS 1.0(3), currently targeted for
    2006-Nov-16.

  * Cisco Security MARS - Cisco bug ID is CSCsg51304. The fixes will be
    available in software release 4.2.3, which is expected in
    2006-December.

  * Cisco CSS 11500 Series Content Services Switches - Cisco bug ID is
    CSCek57074. Fixed software is available as releases 7.50.3.4S and
    8.10.2.6S.

  * Cisco Wireless LAN Controller - Cisco bug ID is CSCsg59589. The
    fixes will be available in upcoming software releases 4.0.x,
    targeted for 2006-Dec-18, and 3.2.x, targeted for 2007-January-31.

  * Cisco Application and Content Networking System (ACNS) - Cisco bug
    IDs are CSCsf97055 and CSCsg55732. Availability of fixed software
    has not been determined yet.

  * Cisco Application Control Engine Module - Cisco bug ID is
    CSCsg36592. Availability of fixed software has not been determined
    yet.

  * Cisco Wide Area File Services Software (WAFS) - Cisco bug ID is
    CSCsg55738. Availability of fixed software has not been determined
    yet.

  * Cisco Wide Area Application Services (WAAS) Software - Cisco bug ID
    is CSCsg55742. Availability of fixed software has not been
    determined yet.

  * Cisco SIP Proxy Server - Cisco bug ID is CSCsg56292.
    Availability of fixed software has not been determined yet.

  * CiscoWorks Common Services - Cisco bug IDs are CSCsg58599 and
    CSCsg58607. Some Cisco management products integrate CiscoWorks
    Common Services into their general installation and runtime
    environments. To verify, navigate the path Server Configuration >
    About the Server > Applications and Versions in the CiscoWorks
    Server. Availability of fixed software has not been determined yet.

  * CiscoWorks Common Management Foundation (CMF was referred to as
    Common Services before the release of CiscoWorks 3.0) - Cisco bug
    ID is CSCsg58592. Some Cisco management products integrate
    CiscoWorks Common Services into their general installation and
    runtime environments. To verify, navigate the path Server
    Configuration > About the Server > Applications and Versions in the
    CiscoWorks Server. Availability of fixed software has not been
    determined yet.

Products Not Affected by OpenSSL Vulnerabilities
+-----------------------------------------------

Note: This is not a definitive list. Cisco continues to verify other
products and the list will be updated accordingly.

The following products are confirmed not vulnerable.

  * Cisco IOS

  * Cisco IOS XR

  * Cisco IP Interoperability and Collaboration System (IPICS)

  * Cisco ASA/PIX/FWSM - While these products contain the OpenSSL
    libraries, they do not make use of the vulnerable code.
    Nonetheless, the software library has been updated to avoid any
    potential issues in the future.

      + For Cisco PIX/ASA, this is tracked by Cisco bug IDs CSCsg21727,
        CSCsg52606, CSCsg07425, and CSCsg07405. Software releases with
        updated libraries will be 6.3.6, 7.0.7, 7.1.2.26, and 7.2.1.21
        and later.

      + For Cisco FWSM, this is tracked by Cisco bug ID CSCsg52485, and
        the fixed libraries are expected in one of the upcoming 3.1
        interim releases.

Workaround
==========

SSL is predominantly used for securing HTTP traffic, but is also used to
secure other TCP traffic, such as SMTP, POP3, IMAP, and FTP.
Generally speaking, there is no workaround for these issues, but
mitigation is possible. By blocking affected protocols at the edge of
your network and by allowing only legitimate IP addresses to connect to
your devices, it is possible to lower your exposure to these
vulnerabilities.

Another option, which could reduce the security of your system, is to
revert to non-secure variants of the protocols. In that case, you will
not be affected by the vulnerabilities described here, but your traffic
will be sent in clear text and, if intercepted, an adversary will be
able to read it or even modify it while in transit.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

Revision History
================

+----------------------------------------------------+
| Revision 1.0 | 2006-November-08 | Initial public    |
|              |                  | release.          |
+----------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security
notices.
All Cisco security advisories are available at
http://www.cisco.com/go/psirt

- - ---------------------------------------------------------------------

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need
further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved
from:
        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or
attacked in any way, we encourage you to let us know by completing the
secure National IT Incident Reporting Form at:
        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================