-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1501.2
            Transport Layer Security Renegotiation Vulnerability
                                 6 August 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Unauthorised Access            -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-3555
Reference:         ASB-2009.1125

Original Bulletin:
   http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

Comment: At the time of the initial release Cisco was yet to offer patches
         or workarounds for this vulnerability; the advisory was a
         notification that Cisco was investigating the impact against its
         products. The 6 August 2010 revision adds fixed software versions
         for a number of products (see Software Versions and Fixes below);
         products not yet listed as vulnerable or not vulnerable are still
         under evaluation.

Revision History:  August 6 2010:    Updates made to affected products and
                                     some fixes made available
                   November 10 2009: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Transport Layer Security Renegotiation Vulnerability

Document ID: 111046
Advisory ID: cisco-sa-20091109-tls
http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

Revision 1.14
Last Updated 2010 July 22 1700 UTC (GMT)
For Public Release 2009 November 9 1300 UTC (GMT)

Summary
=======

An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml.

Affected Products
=================

Cisco is currently evaluating products for possible exposure to these TLS issues.
Products will only be listed in the Vulnerable Products or Products Confirmed Not Vulnerable sections of this advisory when a final determination about product exposure is made. Products that are not listed in either of these two sections are still being evaluated.

Vulnerable Products
+------------------

This section will be updated when more information is available. The following products are confirmed to be vulnerable:

  * Cisco ACE 4700 Series Application Control Engine Appliances
  * Cisco ACE Application Control Engine Module
  * Cisco ACE GSS 4400 Series Global Site Selector Appliances
  * Cisco ACE Web Application Firewall
  * Cisco Wireless Control System
  * Cisco Wireless LAN Controller (WLC)

    Note: Extensible Authentication Protocol Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol (PEAP) are not affected by this vulnerability.

  * Cisco Wireless Location Appliance
  * CiscoWorks Wireless LAN Solution Engine (WLSE)
  * Cisco Digital Media Player
  * Cisco Digital Media Manager
  * Cisco Access Control Server (ACS)
  * CiscoWorks Common Services
  * Cisco Telepresence Recording Server
  * Cisco NX-OS Software
  * Cisco Video Surveillance Operations Manager Software
  * Cisco Video Surveillance Media Server Software
  * Cisco ASA 5500 Series Adaptive Security Appliances
  * Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module (FWSM)
  * Cisco AVS 3120 and 3180 Series Application Velocity System
  * Cisco CSS 11500 Series Content Services Switches

    The CSS 11500 Series Content Services Switches are affected by this vulnerability with default configurations. However, the client authentication feature can be enabled as a mitigation: a man-in-the-middle who holds no certificate the CSS accepts cannot complete the initial handshake of its own, into which the victim's handshake would otherwise be spliced as a renegotiation. To enable or disable client authentication on a virtual SSL server, use the ssl-server <number> authentication command under the ssl-proxy-list.

    Note: By default, client authentication is disabled. After you enable client authentication on the CSS, you must specify a CA certificate that the CSS uses to verify client certificates.
  * Cisco Content Switching Module (CSM)
  * Cisco Wide Area Application Services (WAAS)
  * Cisco Application Networking Manager (ANM)
  * Cisco Unified IP Phones
  * Cisco ONS 15500 Series
  * Cisco Unified Contact Center Products
  * Cisco Security Agent (CSA)
  * Cisco IP Communicator
  * Cisco Network Registrar
  * Cisco Unified Communications Manager (CallManager)
  * Cisco Network Analysis Module Software (NAM)
  * Cisco IronPort's Email Security Appliance (X-Series & C-Series)
  * Cisco Spam & Virus Blocker (B-Series)
  * Cisco IronPort's Web Security Appliance (S-Series)
  * Cisco IronPort's Security Management Appliance (M-Series)
  * Cisco IronPort's Encryption Appliance (IEA)
  * Cisco Pix (end-of-life notices:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notices_list.html)

Products Confirmed Not Vulnerable
+--------------------------------

The following products are confirmed not vulnerable:

  * Cisco AnyConnect VPN Client
  * Cisco Unified MeetingPlace
  * Cisco Data Center Network Manager
  * Cisco Service Control Subscriber Manager
  * Cisco Secure Desktop (CSD)
  * Cisco ASA Advanced Inspection and Prevention (AIP) Security Services Module
  * Cisco Transport Manager (CTM)
  * Cisco IOS SSL VPN
  * Cisco IOS HTTP Secure Server
  * Cisco Intrusion Prevention System (CIDS/IPS)
  * Cisco Catalyst 6500 series SSL Services Module

This section will be updated when more information is available.

Details
=======

TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet. An industry-wide vulnerability exists in the TLS protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

Note: Extensible Authentication Protocol Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol (PEAP) are not affected by this vulnerability.
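The prefix-injection that the Details section above and the Impact section below describe, worked through at the application layer. This is an added example written for this page, not code from Cisco or from the advisory. It models the bytes a server's HTTP parser sees when an unpatched TLS stack delivers the man-in-the-middle's data sent before the renegotiation and the victim's request sent after it as one continuous stream; the hostname, paths and cookie value are constructed. The second mode models the behaviour the Software Versions section attributes to the fixed releases, renegotiation refused, so the attacker's partial request is never completed.

```python
"""Application-layer model of the TLS renegotiation splice (CVE-2009-3555).

Added example, not part of the Cisco advisory. The TLS session is modelled as
the ordered events a server's TLS stack hands to the application:
("handshake", peer) when a handshake completes and ("data", bytes) for
decrypted application data. An unpatched stack presents one byte stream
across a renegotiation, so bytes the man-in-the-middle sent before it and
bytes the victim sent after it are parsed as a single HTTP request.
"""
from typing import Optional

# Constructed sample traffic: hostname, paths and cookie are invented.
ATTACKER_PREFIX = (
    b"POST /account/transfer?to=mallory&amount=1000 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore: "  # no CRLF: the victim's request line becomes this header's value
)
VICTIM_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)

# Events as the server's TLS layer delivers them during the attack:
#  1. the attacker completes its own handshake and sends a partial request;
#  2. the attacker relays the victim's ClientHello inside that session, so the
#     victim sees an initial handshake while the server sees a renegotiation;
#  3. the victim's request arrives under the new keys, unreadable to the attacker.
ATTACK_SESSION = [
    ("handshake", "attacker"),
    ("data", ATTACKER_PREFIX),
    ("handshake", "victim"),
    ("data", VICTIM_REQUEST),
]


def parse_http_request(buf: bytes) -> Optional[dict]:
    """Parse one HTTP/1.x request head; None until the blank line has arrived."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    head = buf[:end].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def serve(session, allow_renegotiation: bool) -> Optional[dict]:
    """Feed TLS events to the application's request parser.

    allow_renegotiation=True models an unpatched server, where data before and
    after a renegotiation is one stream. False models the fix the advisory
    describes for Cisco products: renegotiation is refused and the connection
    closed, so the buffered prefix is discarded and no request is executed.
    """
    buf = b""
    handshakes = 0
    for kind, payload in session:
        if kind == "handshake":
            handshakes += 1
            if handshakes > 1 and not allow_renegotiation:
                return None  # connection torn down, prefix never completed
        else:
            buf += payload
            req = parse_http_request(buf)
            if req is not None:
                return req
    return None


if __name__ == "__main__":
    spliced = serve(ATTACK_SESSION, allow_renegotiation=True)
    print("unpatched server executes:", spliced["method"], spliced["target"],
          "with Cookie:", spliced["headers"].get("cookie"))
    print("patched server executes:", serve(ATTACK_SESSION, allow_renegotiation=False))
```

In the unpatched mode the server executes the attacker's POST with the victim's session cookie, and the victim's own request line is swallowed as the value of the X-Ignore header. The attacker never learns the cookie, which matches the Impact section's statement that the attacker cannot read, decrypt, or alter the client's traffic. How much this is worth to an attacker depends on the application protocol, as the advisory says: the splice works for HTTP because a header value can absorb the victim's request line, and a protocol without such a construct may give the attacker less.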
The following Cisco Bug IDs are being used to track potential exposure to the SSL and TLS issues. The bugs listed below do not confirm that a product is vulnerable, but rather that the product is under investigation by the appropriate product teams. Registered Cisco customers can view these bugs via Cisco's Bug Toolkit:

http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl

   Product                                                        Bug ID
   -------------------------------------------------------------  ---------------------------------------
   Cisco ACE 4700 Series Application Control Engine Appliances    CSCtd00730
   Cisco ACE Application Control Engine Module                    CSCtd00816
   Cisco ACE GSS 4400 Series Global Site Selector Appliances      CSCtd01467
   Cisco ACE Web Application Firewall                             CSCtd01474
   Cisco Adaptive Security Device Manager (ASDM)                  CSCtd01491
   Cisco AON Software                                             CSCtd01646
   Cisco AON Healthcare for HIPAA and ePrescription               CSCtd01652
   Cisco Application and Content Networking System (ACNS)         CSCtd01529
     Software
   Cisco Application Networking Manager                           CSCtd01480
   Cisco ASA 5500 Series Adaptive Security Appliances             CSCtd00697
   Cisco ASA Advanced Inspection and Prevention (AIP) Security    CSCtd01539
     Services Module
   Cisco AVS 3100 Series Application Velocity System              CSCtd26728
   Cisco Catalyst 6500 Series SSL Services Module                 CSCtd06389
   Catalyst 6500 Series and Cisco 7600 Series Firewall Services   CSCtd04061
     Module (FWSM)
   Cisco CSS 11000 Series Content Services Switches               CSCtd01636
   Cisco Unified SIP Phones                                       CSCtd01446
   Cisco Data Mobility Manager                                    CSCtd02642
   Cisco Digital Media Manager                                    CSCtd01692
   Cisco Digital Media Players                                    CSCtd01718
   Cisco Emergency Responder                                      CSCtd02650
   Cisco IOS Software                                             CSCtd00658
   Cisco IOS XE Software                                          CSCtd00658
   Cisco IOS XR Software                                          CSCtd02658
   Cisco IP Communicator                                          CSCtd02662
   CATOS                                                          CSCtd00662
   Cisco IronPort Appliances                                      CSCtd02069
   Cisco NAC Appliance (Clean Access)                             CSCtd01453
   Cisco NAC Guest Server                                         CSCtd01462
   Cisco NAC Profiler                                             CSCtd02716
   Cisco Network Analysis Module Software (NAM)                   CSCtd02729
   Cisco Network Registrar                                        CSCtd02748
   Cisco ONS 15500 Series                                         CSCtd11877
   Cisco Physical Access Gateways                                 CSCtd02777
   Cisco Physical Access Manager                                  CSCtd03912
   Cisco QoS Device Manager                                       CSCtd03923
   Cisco Secure Access Control Server (ACS)                       CSCtd00725 and CSCtd69422
   Cisco Secure Desktop                                           CSCtd03928
   Cisco Secure Services Client                                   CSCtd03935
   Cisco Security Agent (CSA)                                     CSCtd02689
   Cisco Security Monitoring, Analysis and Response System (MARS) CSCtd02654
   Cisco Unified IP Phones                                        CSCtd04121
   Cisco TelePresence Manager                                     CSCtd01771
   Telepresence for Consumer                                      CSCtd01752
   Cisco TelePresence Recording Server                            CSCtd01742
   Cisco Network Asset Collector                                  CSCtd04198 and CSCtd37007
   Cisco Unified Communications Manager (CallManager)             CSCtd01282, CSCtd14027 and CSCtd14040
   Cisco Unified Business Attendant Console                       CSCtd05731
   Cisco Unified Contact Center Enterprise                        CSCtd05790, CSCtd17048 and CSCtd17077
   Cisco Unified Contact Center Express                           CSCtd05790
   Cisco Unified Contact Center Management Portal                 CSCtd05755
   Cisco Unified Contact Center Products                          CSCtd05790
   Cisco Unified Department Attendant Console                     CSCtd05733
   Cisco Unified E-Mail Interaction Manager                       CSCtd05756
   Cisco Unified Enterprise Attendant Console                     CSCtd05735
   Cisco Unified Mobility                                         CSCtd05786
   Cisco Unified Mobility Advantage                               CSCtd05783
   Cisco Unified Operations Manager                               CSCtd05784
   Cisco Unified Personal Communicator                            CSCtd05759
   Cisco Unified Presence                                         CSCtd05791 and CSCte81278
   Cisco Unified Provisioning Manager                             CSCtd05777
   Cisco Unified Quick Connect                                    CSCtd05738
   Cisco Unified Service Monitor                                  CSCtd05780
   Cisco Unified Service Statistics Manager                       CSCtd05778
   Cisco Unified SIP Proxy                                        CSCtd05765
   Cisco Unity                                                    CSCtd02855
   Cisco NX-OS Software                                           CSCtd00699 and CSCtd00703
   Cisco Video Portal                                             CSCtd04097
   Cisco Video Surveillance Media Server Software                 CSCtd02831
   Cisco Video Surveillance Operations Manager Software           CSCtd02780
   Cisco Wide Area Application Services (WAAS)                    CSCtd13914
   Cisco Wireless Control System                                  CSCtd01625
   Cisco Wireless LAN Controller (WLC)                            CSCtd01611
   Cisco Wireless Location Appliance                              CSCtd04115
   CiscoWorks Common Services Software                            CSCtd01597
   CiscoWorks Wireless LAN Solution Engine (WLSE)                 CSCtd04111
   Linksys Routers
   WebEx Connect
   WebEx Event Center
   WebEx Meeting Center
   WebEx Meet Me Now (MMN)
   WebEx PCNow (PCN)
   WebEx Sales Center
   WebEx Support Center
   WebEx Training Center

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-3555.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.

TLS Renegotiation Vulnerability (all Cisco Bug IDs)

CVSS Base Score - 4.3
    Access Vector:            Network
    Access Complexity:        Medium
    Authentication:           None
    Confidentiality Impact:   None
    Integrity Impact:         Partial
    Availability Impact:      None

CVSS Temporal Score - 4.1
    Exploitability:           Functional
    Remediation Level:        Unavailable
    Report Confidence:        Confirmed

Impact
======

A protocol-level design flaw in the TLS specification allows an attacker to perform a man-in-the-middle (MITM) attack on sessions protected by Transport Layer Security (TLS) and Secure Sockets Layer (SSL). Successful exploitation could allow an attacker to inject data into a legitimate SSL/TLS-protected session and trigger a renegotiation.
This may allow the attacker to execute operations on the server using the client's credentials but does not allow the attacker to read, decrypt, or alter encrypted traffic between client and server. While the vulnerability exists within the TLS protocol, the impact of an attack depends on the application protocol running over TLS.

Software Versions and Fixes
===========================

This section will be updated to include fixed software versions for affected Cisco products as they become available.

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Each row of the software table below lists a product that has been patched to disable SSL/TLS renegotiation and the version(s) of software which contain the fix. A device running a release earlier than the first fixed release listed for its train is known to be vulnerable and should be upgraded at least to the indicated release or a later version.
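A check to run after upgrading a device from the table below, as an added example that is not part of the Cisco advisory. The industry fix for CVE-2009-3555 is the renegotiation-indication extension of RFC 5746, and `openssl s_client` (0.9.8m and later) reports in its session summary whether the peer negotiated it; the script classifies that summary. Two caveats a practitioner should keep in mind: the advisory describes the Cisco fixes as disabling renegotiation rather than as adding the extension, so a fixed device may well report "IS NOT supported" and still be safe, and confirming that renegotiation is actually refused needs a renegotiation attempt (the interactive `R` command in s_client), which this script does not automate. The `-legacy_server_connect` option and the stderr message it guards against are assumptions about the OpenSSL 3.x client; the sample summaries are constructed, not captures.

```sh
#!/bin/sh
# Added example for this page, not from the Cisco advisory.
# Classifies an `openssl s_client` session summary by its RFC 5746
# "Secure Renegotiation" line. Assumes an OpenSSL whose s_client prints
# "Secure Renegotiation IS supported" / "IS NOT supported" (0.9.8m and later)
# and, for probe_host, an s_client that accepts -legacy_server_connect,
# which OpenSSL 3.x needs before it will connect to a server that lacks
# the extension entirely (assumption about the client build in use).

# classify_renegotiation OUTPUT
# Prints one word: supported, unsupported or unknown.
classify_renegotiation() {
    case "$1" in
        *"Secure Renegotiation IS NOT supported"*) echo unsupported ;;
        *"Secure Renegotiation IS supported"*)     echo supported ;;
        *"unsafe legacy renegotiation disabled"*)  echo unsupported ;;
        *)                                         echo unknown ;;
    esac
}

# probe_host HOST [PORT]
# Connects to a live server and classifies the summary. stdout and stderr are
# both captured because an OpenSSL 3.x client reports its refusal to talk to a
# legacy server on stderr instead of in the summary.
probe_host() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -legacy_server_connect </dev/null 2>&1) || true
    classify_renegotiation "$out"
}

# Constructed, trimmed sample summaries for offline use (not real captures).
SAMPLE_PATCHED='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
Verify return code: 0 (ok)'
SAMPLE_LEGACY='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
Verify return code: 0 (ok)'
SAMPLE_REFUSED='CONNECTED(00000003)
error:SSL routines::unsafe legacy renegotiation disabled'

# Usage: sh check-renego.sh HOST [PORT]
if [ -n "${1:-}" ]; then
    probe_host "$@"
fi
```

Run it against each upgraded appliance and record the result alongside the installed release; a device still on a release below the table's first fixed release that also reports "IS NOT supported" is the combination to treat as exposed.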
   Product                                                First Fixed Releases
   -----------------------------------------------------  --------------------------
   Cisco ASA 5500 Series Adaptive Security Appliances     8.0(5.6)
                                                          8.1(2.39)
                                                          8.2(1.16)
                                                          8.3(0.08)
                                                          7.2(4.44)
   Cisco ACE 4700 Series Application Control Engine       3.0(0)A3(2.4.61)
     Appliances
   Cisco ACE Application Control Engine Module            3.0(0)A2(2.2.28)
                                                          3.0(0)A2(2.3)
   Cisco Application and Content Networking System        5.5.17
     (ACNS) Software
   Cisco Catalyst 6500 Series and Cisco 7600 Series       3.1(17)
     Firewall Services Module (FWSM)                      3.2(15)
                                                          4.0(9)
                                                          4.1(1)
   Cisco IronPort's Email Security Appliance              7.0.1 and above
     (X-series and C-series)
   Cisco IronPort's Web Security Appliance (S-series)     6.3.3 and above
   Cisco Mobile Wireless Transport Manager (MWTM)         6.1(2)
   Cisco Network Analysis Module Software (NAM)           4.1(1-patch2)
   Cisco Network Collector                                6.1
   Cisco NX-OS Software (Nexus 5000)                      4.1(3)N2(1a)
   Cisco NX-OS Software (Nexus 7000)                      4.2(3)
                                                          5.0
   Cisco Security Agent (CSA)                             6.0(1.126)
                                                          6.0(2.099)
   Cisco Unified Communications Manager (CallManager)     6.1(5)
                                                          8.0(0.98000.106)
   Cisco Unified Computing System Blade-Server            4.0(1a)N2(1.2h)
                                                          4.0(1a)N2(1.2j)
   Cisco Unified IP Phones                                RT: Release 9.0.3
                                                          TNP: Release 9.0.2
   Cisco Unified Intelligent Contact Management           7.5(8)
     Enterprise                                           8.0(1)
   Cisco Unity Connection                                 8.0(1)
   Cisco Wide Area Application Services (WAAS)            4.1.7
                                                          4.2.1
   Cisco Wireless LAN Controller (WLC)                    6.0(196.000)
   Cisco Video Surveillance Media Server Software         4.2.1/6.2.1

Fixed Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

All other fixed software can be downloaded from:
http://www.cisco.com/cisco/psn/web/download/index.html

Workarounds
===========

There are no known workarounds.

Obtaining Fixed Software
========================

Customers may only install and expect support for the feature sets they have purchased.
By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

This vulnerability was initially discovered by Marsh Ray and Steve Dispensa from PhoneFactor, Inc.

Cisco is not aware of any malicious exploitation of this vulnerability. Proof-of-concept exploit code has been published for this vulnerability.

Status of this Notice: INTERIM
==============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

   Revision 1.14   2010-July-22       Updated Vulnerable Products
   Revision 1.13   2010-March-29      Updated Fixed Software Versions for CUCM
   Revision 1.12   2010-March-10      Updated Fixed Software Versions for WAAS and WLC
   Revision 1.11   2010-March-03      IOS HTTP Secure Server added to Products Confirmed Not Vulnerable
   Revision 1.10   2010-February-26   Updated Fixed Software
   Revision 1.9    2010-February-05   Updated Affected Products and Details Sections
   Revision 1.8    2010-January-21    Updated Software Fixes Table and Products Confirmed Not Vulnerable
   Revision 1.7    2010-January-04    Affected Products Update
   Revision 1.6    2009-December-18   Affected Products and Details Updates
   Revision 1.5    2009-December-14   EAP-TLS and PEAP not vulnerable
   Revision 1.4    2009-December-4    Details and Impact update
   Revision 1.3    2009-December-3    Affected products update
   Revision 1.2    2009-November-18   Affected products update
   Revision 1.1    2009-November-16   Affected products update
   Revision 1.0    2009-November-9    Initial public release

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFMW4kO/iFOrG6YcBERAockAJ9ARxiyRy+r13I1kZlFOUO5tlGrvQCcC3VJ
EmqBudRTE4W1BHKmtgtSXHo=
=/EX4
-----END PGP SIGNATURE-----