===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2009.1501.2
           Transport Layer Security Renegotiation Vulnerability
                               6 August 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Unauthorised Access            -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-3555

Reference:         ASB-2009.1125

Original Bulletin: 
   http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

Comment: Cisco is yet to offer patches/workarounds for this vulnerability.
         This advisory is a notification that they are investigating the
         impact against their products and will be updated when more
         information is available.

Revision History:  August    6 2010: Updates made to affected products and
                                     some fixes made available
                   November 10 2009: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Transport Layer Security Renegotiation Vulnerability

Document ID: 111046
Advisory ID: cisco-sa-20091109-tls

http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

Revision 1.14

Last Updated 2010 July 22 1700 UTC (GMT)

For Public Release 2009 November 9 1300 UTC (GMT)

Summary

An industry-wide vulnerability exists in the Transport Layer Security (TLS)
protocol that could impact any Cisco product that uses any version of TLS and
SSL. The vulnerability exists in how the protocol handles session renegotiation
and exposes users to a potential man-in-the-middle attack.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml.

Affected Products

Cisco is currently evaluating products for possible exposure to these TLS
issues. Products will only be listed in the Vulnerable Products or Products
Confirmed Not Vulnerable sections of this advisory when a final determination
about product exposure is made. Products that are not listed in either of these
two sections are still being evaluated.

Vulnerable Products

This section will be updated when more information is available. The following
products are confirmed to be vulnerable:

    * Cisco ACE 4700 Series Application Control Engine Appliances
    * Cisco ACE Application Control Engine Module
    * Cisco ACE GSS 4400 Series Global Site Selector Appliances
    * Cisco ACE Web Application Firewall
    * Cisco Wireless Control System
    * Cisco Wireless LAN Controller (WLC)

      Note:  Extensible Authentication Protocol Transport Layer Security
             (EAP-TLS) and Protected Extensible Authentication Protocol (PEAP)
             are not affected by this vulnerability.

    * Cisco Wireless Location Appliance
    * CiscoWorks Wireless LAN Solution Engine (WLSE)
    * Cisco Digital Media Player
    * Cisco Digital Media Manager
    * Cisco Access Control Server (ACS)
    * CiscoWorks Common Services
    * Cisco Telepresence Recording Server
    * Cisco NX-OS Software
    * Cisco Video Surveillance Operations Manager Software
    * Cisco Video Surveillance Media Server Software
    * Cisco ASA 5500 Series Adaptive Security Appliances
    * Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module (FWSM)
    * Cisco AVS 3120 and 3180 Series Application Velocity System
    * Cisco CSS 11500 Series Content Services Switches
      The CSS 11500 Series Content Services Switches are affected by this
      vulnerability in their default configuration. However, the client
      authentication feature can be enabled as a mitigation.
      To enable or disable client authentication on a virtual SSL server, use
      the ssl-server <number> authentication command under the ssl-proxy-list.

      Note:  By default, client authentication is disabled. After you enable
             client authentication on the CSS, you must specify a CA
             certificate that the CSS uses to verify client certificates.

    * Cisco Content Switching Module (CSM)
    * Cisco Wide Area Application Services (WAAS)
    * Cisco Application Networking Manager (ANM)
    * Cisco Unified IP Phones
    * Cisco ONS 15500 Series
    * Cisco Unified Contact Center Products
    * Cisco Security Agent (CSA)
    * Cisco IP Communicator
    * Cisco Network Registrar
    * Cisco Unified Communications Manager (CallManager)
    * Cisco Network Analysis Module Software (NAM)
    * Cisco IronPort's Email Security Appliance (X-Series & C-Series)
    * Cisco Spam & Virus Blocker (B-Series)
    * Cisco IronPort's Web Security Appliance (S-Series)
    * Cisco IronPort's Security Management Appliance (M-Series)
    * Cisco IronPort's Encryption Appliance (IEA)
    * Cisco Pix
      http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notices_list.html

Products Confirmed Not Vulnerable

The following products are confirmed not vulnerable:

    * Cisco AnyConnect VPN Client
    * Cisco Unified MeetingPlace
    * Cisco Data Center Network Manager
    * Cisco Service Control Subscriber Manager
    * Cisco Secure Desktop (CSD)
    * Cisco ASA Advanced Inspection and Prevention (AIP) Security Services Module
    * Cisco Transport Manager (CTM)
    * Cisco IOS SSL VPN
    * Cisco IOS HTTP Secure Server
    * Cisco Intrusion Prevention System (CIDS/IPS)
    * Cisco Catalyst 6500 series SSL Services Module

This section will be updated when more information is available.

Details

TLS and its predecessor, SSL, are cryptographic protocols that provide security
for communications over IP data networks such as the Internet. An industry-wide
vulnerability exists in the TLS protocol that could impact any Cisco product that
uses any version of TLS and SSL. The vulnerability exists in how the protocol
handles session renegotiation and exposes users to a potential man-in-the-middle
attack.

Note:  Extensible Authentication Protocol Transport Layer Security (EAP-TLS) and
       Protected Extensible Authentication Protocol (PEAP) are not affected by
       this vulnerability.

The following Cisco Bug IDs are being used to track potential exposure to the
SSL and TLS issues. The bugs listed below do not confirm that a product is
vulnerable, but rather that the product is under investigation by the
appropriate product teams.

Registered Cisco customers can view these bugs via Cisco's Bug Toolkit:
  http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl

Product                                                         Bug ID
Cisco ACE 4700 Series Application Control Engine Appliances     CSCtd00730
Cisco ACE Application Control Engine Module                     CSCtd00816
Cisco ACE GSS 4400 Series Global Site Selector Appliances       CSCtd01467
Cisco ACE Web Application Firewall                              CSCtd01474
Cisco Adaptive Security Device Manager (ASDM)                   CSCtd01491
Cisco AON Software                                              CSCtd01646
Cisco AON Healthcare for HIPAA and ePrescription                CSCtd01652
Cisco Application and Content Networking System (ACNS) Software CSCtd01529
Cisco Application Networking Manager                            CSCtd01480
Cisco ASA 5500 Series Adaptive Security Appliances              CSCtd00697
Cisco ASA Advanced Inspection and Prevention (AIP) Security     CSCtd01539
  Services Module
Cisco AVS 3100 Series Application Velocity System               CSCtd26728
Cisco Catalyst 6500 Series SSL Services Module                  CSCtd06389
Catalyst 6500 Series and Cisco 7600 Series Firewall Services    CSCtd04061
  Module (FWSM)
Cisco CSS 11000 Series Content Services Switches                CSCtd01636
Cisco Unified SIP Phones                                        CSCtd01446
Cisco Data Mobility Manager                                     CSCtd02642
Cisco Digital Media Manager                                     CSCtd01692
Cisco Digital Media Players                                     CSCtd01718
Cisco Emergency Responder                                       CSCtd02650
Cisco IOS Software                                              CSCtd00658
Cisco IOS XE Software                                           CSCtd00658
Cisco IOS XR Software                                           CSCtd02658
Cisco IP Communicator                                           CSCtd02662
CATOS                                                           CSCtd00662
Cisco IronPort Appliances                                       CSCtd02069
Cisco NAC Appliance (Clean Access)                              CSCtd01453
Cisco NAC Guest Server                                          CSCtd01462
Cisco NAC Profiler                                              CSCtd02716
Cisco Network Analysis Module Software (NAM)                    CSCtd02729
Cisco Network Registrar                                         CSCtd02748
Cisco ONS 15500 Series                                          CSCtd11877
Cisco Physical Access Gateways                                  CSCtd02777
Cisco Physical Access Manager                                   CSCtd03912
Cisco QoS Device Manager                                        CSCtd03923
Cisco Secure Access Control Server (ACS)                        CSCtd00725 and
                                                                CSCtd69422
Cisco Secure Desktop                                            CSCtd03928
Cisco Secure Services Client                                    CSCtd03935
Cisco Security Agent CSA                                        CSCtd02689
Cisco Security Monitoring, Analysis and Response System (MARS)  CSCtd02654
Cisco Unified IP Phones                                         CSCtd04121
Cisco TelePresence Manager                                      CSCtd01771
Telepresence for Consumer                                       CSCtd01752
Cisco TelePresence Recording Server                             CSCtd01742
Cisco Network Asset Collector                                   CSCtd04198 and
                                                                CSCtd37007
Cisco Unified Communications Manager (CallManager)              CSCtd01282,
                                                                CSCtd14027 and
                                                                CSCtd14040
Cisco Unified Business Attendant Console                        CSCtd05731
Cisco Unified Contact Center Enterprise                         CSCtd05790,
                                                                CSCtd17048 and
                                                                CSCtd17077
Cisco Unified Contact Center Express                            CSCtd05790
Cisco Unified Contact Center Management Portal                  CSCtd05755
Cisco Unified Contact Center Products                           CSCtd05790
Cisco Unified Department Attendant Console                      CSCtd05733
Cisco Unified E-Mail Interaction Manager                        CSCtd05756
Cisco Unified Enterprise Attendant Console                      CSCtd05735
Cisco Unified Mobility                                          CSCtd05786
Cisco Unified Mobility Advantage                                CSCtd05783
Cisco Unified Operations Manager                                CSCtd05784
Cisco Unified Personal Communicator                             CSCtd05759
Cisco Unified Presence                                          CSCtd05791 and
                                                                CSCte81278
Cisco Unified Provisioning Manager                              CSCtd05777
Cisco Unified Quick Connect                                     CSCtd05738
Cisco Unified Service Monitor                                   CSCtd05780
Cisco Unified Service Statistics Manager                        CStCd05778
Cisco Unified SIP Proxy                                         CSCtd05765
Cisco Unity                                                     CSCtd02855
Cisco NX-OS Software                                            CSCtd00699 and
                                                                CSCtd00703
Cisco Video Portal                                              CSCtd04097
Cisco Video Surveillance Media Server Software                  CSCtd02831
Cisco Video Surveillance Operations Manager Software            CSCtd02780
Cisco Wide Area Application Services (WAAS)                     CSCtd13914
Cisco Wireless Control System                                   CSCtd01625
Cisco Wireless LAN Controller (WLAN)                            CSCtd01611
Cisco Wireless Location Appliance                               CSCtd04115
CiscoWorks Common Services Software                             CSCtd01597
CiscoWorks Wireless LAN Solution Engine (WLSE)                  CSCtd04111
Linksys Routers
WebEx Connect
WebEx Event Center
WebEx Meeting Center
WebEx Meet Me Now (MMN)
WebEx PCNow (PCN)
WebEx Sales Center
WebEx Support Center
WebEx Training Center

This vulnerability has been assigned the Common Vulnerabilities and Exposures
(CVE) identifier CVE-2009-3555.

Vulnerability Scoring Details

Cisco has provided scores for the vulnerability in this advisory based on the
Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security
Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity
and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute
environmental scores to assist in determining the impact of the vulnerability
in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at
  http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental
impact for individual networks at
  http://intellishield.cisco.com/security/alertmanager/cvss.

TLS Renegotiation Vulnerability (all Cisco Bug IDs)

    CVSS Base Score - 4.3
      Access Vector:          Network
      Access Complexity:      Medium
      Authentication:         None
      Confidentiality Impact: None
      Integrity Impact:       Partial
      Availability Impact:    None

    CVSS Temporal Score - 4.1
      Exploitability:    Functional
      Remediation Level: Unavailable
      Report Confidence: Confirmed

Impact

A protocol-level design flaw in the TLS specification allows an attacker to
perform a man-in-the-middle (MITM) attack on sessions protected by Transport
Layer Security (TLS) and Secure Sockets Layer (SSL). Successful exploitation
could allow an attacker to inject data into a legitimate SSL/TLS-protected
session and trigger a renegotiation. This may allow the attacker to execute
operations on the server using the client's credentials but does not allow the
attacker to read, decrypt, or alter encrypted traffic between client and server.
While the vulnerability exists within the TLS protocol, the impact of an attack
depends on the application protocol running over TLS.
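The fixes listed in this advisory work by disabling renegotiation; the protocol-level fix standardised later as RFC 5746 instead has each side advertise a renegotiation_info extension (a client may send the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite instead), so a peer that sends neither is still performing the pre-fix handshake described above. The following Python example, added to this bulletin and not part of the Cisco advisory or any Cisco code, parses a TLS ClientHello or ServerHello record and reports whether the peer signals secure renegotiation; it assumes a plain TLS record (not an SSLv2-style hello), and the sample hellos it checks are constructed inside the block.

```python
# Added illustration, not code from the Cisco advisory: report whether a TLS
# ClientHello/ServerHello signals RFC 5746 secure renegotiation.
import struct

RENEGOTIATION_INFO_EXT = 0xFF01         # RFC 5746 extension type
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 signalling cipher suite
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02

def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]

def parse_extensions(body, off):
    """Parse the extensions block starting at `off`; return {type: data}."""
    exts = {}
    if off >= len(body):                    # hello carries no extensions block
        return exts
    end = off + 2 + _u16(body, off)
    off += 2
    while off + 4 <= end:
        etype, elen = _u16(body, off), _u16(body, off + 2)
        off += 4
        exts[etype] = body[off:off + elen]
        off += elen
    return exts

def parse_hello(record):
    """Return kind, cipher suites, extensions and renegotiation status."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    off = 2 + 32                            # skip version and 32-byte random
    off += 1 + body[off]                    # skip session id
    info = {}
    if hs_type == CLIENT_HELLO:
        info["kind"] = "client_hello"
        cs_len = _u16(body, off)
        off += 2
        info["cipher_suites"] = [_u16(body, off + i) for i in range(0, cs_len, 2)]
        off += cs_len
        off += 1 + body[off]                # skip compression methods
    elif hs_type == SERVER_HELLO:
        info["kind"] = "server_hello"
        info["cipher_suites"] = [_u16(body, off)]
        off += 3                            # chosen suite + compression method
    else:
        raise ValueError("not a ClientHello or ServerHello")
    info["extensions"] = parse_extensions(body, off)
    ri = info["extensions"].get(RENEGOTIATION_INFO_EXT)
    # Clients may signal RFC 5746 via the SCSV instead; servers only via the extension.
    info["secure_renegotiation"] = ri is not None or (
        hs_type == CLIENT_HELLO
        and EMPTY_RENEGOTIATION_INFO_SCSV in info["cipher_suites"])
    # renegotiation_info is <len><renegotiated_connection>: empty on an
    # initial handshake, the previous verify_data on a renegotiation.
    if ri is not None:
        if ri[0] != len(ri) - 1:
            raise ValueError("malformed renegotiation_info")
        info["renegotiated_connection"] = ri[1:]
    return info

def build_client_hello(cipher_suites, extensions):
    """Construct a minimal TLS 1.0 ClientHello record (sample input only)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"   # version, zeroed random, no sid
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # null compression only
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples: a pre-fix hello and one that signals RFC 5746.
LEGACY_HELLO = build_client_hello([0x002F, 0x0035], [])
RFC5746_HELLO = build_client_hello(
    [0x002F, 0x0035, EMPTY_RENEGOTIATION_INFO_SCSV],
    [(RENEGOTIATION_INFO_EXT, b"\x00")])

if __name__ == "__main__":
    for name, rec in (("legacy", LEGACY_HELLO), ("rfc5746", RFC5746_HELLO)):
        print(name, parse_hello(rec)["secure_renegotiation"])
```

Run over the first handshake record in each direction of a capture from your own TLS endpoints, this tells you which peers still negotiate without RFC 5746 signalling.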

Software Versions and Fixes

This section will be updated to include fixed software versions for affected
Cisco products as they become available.

When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete upgrade
solution.

In all cases, customers should exercise caution to be certain the devices to be
upgraded contain sufficient memory and that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, contact the Cisco Technical Assistance Center
(TAC) or your contracted maintenance provider for assistance.

Each row of the software table below lists a product that has been patched to
disable SSL/TLS renegotiation and the software version(s) that contain the
fix. A device running a release earlier than the listed First Fixed Release is
known to be vulnerable and should be upgraded to at least the indicated release
or a later version.

Product                                                First Fixed Releases
Cisco ASA 5500 Series Adaptive Security Appliances     8.0(5.6)
                                                       8.1(2.39)
                                                       8.2(1.16)
                                                       8.3(0.08)
                                                       7.2(4.44)

Cisco ACE 4700 Series Application Control Engine       3.0(0)A3(2.4.61)
  Appliances
Cisco ACE Application Control Engine Module            3.0(0)A2(2.2.28)
                                                       3.0(0)A2(2.3)

Cisco Application and Content Networking System (ACNS) 5.5.17
  Software
Cisco Catalyst 6500 Series and Cisco 7600 Series       3.1(17)
  Firewall Services Module (FWSM)                      3.2(15)
                                                       4.0(9)
                                                       4.1(1)

Cisco IronPort's Email Security Appliance              7.0.1 and above
  (X-series and C-series)
Cisco IronPort's Web Security Appliance (S-series)     6.3.3 and above
Cisco Mobile Wireless Transport Manager (MWTM)         6.1(2)
Cisco Network Analysis Module Software (NAM)           4.1(1-patch2)
Cisco Network Collector                                6.1
Cisco NX-OS Software (Nexus 5000)                      4.1(3)N2(1a)
Cisco NX-OS Software (Nexus 7000)                      4.2(3)
                                                       5.0
Cisco Security Agent CSA                               6.0(1.126)
                                                       6.0(2.099)
Cisco Unified Communications Manager (CallManager)     6.1(5)
                                                       8.0(0.98000.106)
Cisco Unified Computing System Blade-Server            4.0(1a)N2(1.2h)
                                                       4.0(1a)N2(1.2j)
Cisco Unified IP Phones                                RT: Release 9.0.3
                                                       TNP: Release 9.0.2
Cisco Unified Intelligent Contact Management           7.5(8)
  Enterprise                                           8.0(1)
Cisco Unity Connection                                 8.0(1)
Cisco Wide Area Application Services (WAAS)            4.1.7
                                                       4.2.1
Cisco Wireless LAN Controller (WLAN)                   6.0(196.000)
Cisco Video Surveillance Media Server Software         4.2.1/6.2.1

Fixed Cisco ASA software can be downloaded from:
  http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

All other fixed software can be downloaded from:
  http://www.cisco.com/cisco/psn/web/download/index.html

Workarounds

There are no known workarounds.

Obtaining Fixed Software

Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise using
such software upgrades, customers agree to be bound by the terms of Cisco's
software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as
otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular
update channels. For most customers, this means that upgrades should be obtained
through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations

Customers whose Cisco products are provided or maintained through prior or
existing agreements with third-party support organizations, such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for guidance and assistance with the appropriate course
of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer
situations, such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and releases,
customers should consult with their service provider or support organization
to ensure any applied workaround or fix is the most appropriate for use in
the intended network before it is deployed.

Customers without Service Contracts

Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale should
acquire upgrades by contacting the Cisco Technical Assistance Center (TAC).
TAC contacts are as follows.

    * +1 800 553 2447 (toll free from within North America)
    * +1 408 526 7209 (toll call from anywhere in the world)
    * e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to
give the URL of this notice as evidence of entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone numbers,
and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements

This vulnerability was initially discovered by Marsh Ray and Steve Dispensa from
PhoneFactor, Inc.

Cisco is not aware of any malicious exploitation of this vulnerability.

Proof-of-concept exploit code has been published for this vulnerability.

Status of this Notice: INTERIM

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE
OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS
NEW INFORMATION BECOMES AVAILABLE.

A stand-alone copy or paraphrase of the text of this document that omits the
distribution URL in the following section is an uncontrolled copy, and may lack
important information or contain factual errors.

Distribution

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.

    * cust-security-announce@cisco.com
    * first-bulletins@lists.first.org
    * bugtraq@securityfocus.com
    * vulnwatch@vulnwatch.org
    * cisco@spot.colorado.edu
    * cisco-nsp@puck.nether.net
    * full-disclosure@lists.grok.org.uk
    * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide
website, but may or may not be actively announced on mailing lists or newsgroups.
Users concerned about this problem are encouraged to check the above URL for
any updates.

Revision History

Revision 1.14  2010-July-22     Updated Vulnerable Products

Revision 1.13  2010-March-29    Updated Fixed Software Versions for CUCM

Revision 1.12  2010-March-10    Updated Fixed Software Versions for WAAS and WLC

Revision 1.11  2010-March-03    IOS HTTP Secure Server added to Products Confirmed
                                Not Vulnerable

Revision 1.10  2010-February-26 Updated Fixed Software

Revision 1.9   2010-February-05 Updated Affected Products and Details Sections

Revision 1.8   2010-January-21  Updated Software Fixes Table and Products
                                Confirmed Not Vulnerable

Revision 1.7   2010-January-04  Affected Products Update.

Revision 1.6   2009-December-18 Affected Products and Details Updates.

Revision 1.5   2009-December-14 EAP-TLS and PEAP not vulnerable.

Revision 1.4   2009-December-4  Details and Impact update.

Revision 1.3   2009-December-3  Affected products update.

Revision 1.2   2009-November-18 Affected products update.

Revision 1.1   2009-November-16 Affected products update.

Revision 1.0   2009-November-9  Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at http://www.cisco.com/go/psirt.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================