[apops] Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS W

  • To: apops at apops dot net
  • Subject: [apops] Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS While Processing SSL Packets
  • From: Cisco Systems Product Security Incident Response Team <psirt at cisco dot com>
  • Date: Tue, 22 May 2007 11:07:17 -0400
  • Cc: psirt at cisco dot com
  • List-archive: <http://www.apnic.net/mailing-lists/apops>
  • List-help: <mailto:apops-request@apops.net?subject=help>
  • List-id: Asia Pacific Operators Forum <apops.apops.net>
  • List-post: <mailto:apops@apops.net>
  • List-subscribe: <http://mailman.apnic.net/mailman/listinfo/apops>, <mailto:apops-request@apops.net?subject=subscribe>
  • List-unsubscribe: <http://mailman.apnic.net/mailman/listinfo/apops>, <mailto:apops-request@apops.net?subject=unsubscribe>
  • Prevent-nondelivery-report:
  • Sender: nobody@cisco.com
    • Hash: SHA1
      
      
      Cisco Security Advisory: 
      Multiple Vulnerabilities in Cisco IOS While Processing SSL Packets
      
      Advisory ID: cisco-sa-20070522-SSL
      
      http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
      
      Revision 1.0
      
      For Public Release 2007 May 22 1300 UTC (GMT)
      
      - -------------------------------------------------------------------------------
      
      Summary
      =======
      
      Cisco IOS device may crash while processing malformed Secure Sockets Layer
      (SSL) packets. In order to trigger these vulnerabilities, a malicious client
      must send malformed packets during the SSL protocol exchange with the
      vulnerable device.
      
      Successful repeated exploitation of any of these vulnerabilities may lead to a
      sustained Denial-of-Service (DoS); however, vulnerabilities are not known to
      compromise either the confidentiality or integrity of the data or the device.
      These vulnerabilities are not believed to allow an attacker will not be able to
      decrypt any previusly encrypted information.
      
      Cisco IOS is affected by the following vulnerabilities:
      
        * Processing ClientHello messages, documented as Cisco bug ID CSCsb12598 
        * Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
        * Processing Finished messages, documented as Cisco bug ID CSCsd92405 
      
      Cisco has made free software available to address these vulnerabilities for
      affected customers. There are workarounds available to mitigate the effects of
      these vulnerabilities.
      
      This advisory is posted at 
      http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
      
      Note: Another related advisory has been posted with this advisory. This
      additional advisory also describes a vulnerability related to cryptography that
      affects Cisco IOS. This related advisory is available at the following link:
      http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml
      
      A combined software table for Cisco IOS is available to aid customers in
      choosing a software releases that fixes all security vulnerabilities published
      as of May 22, 2007. This software table is available at the following link:
      http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
      
      Affected Products
      =================
      
      Vulnerable Products
      +------------------
      
      These vulnerabilities affect all Cisco devices running Cisco IOS software
      configured to use the SSL protocol. The following application layer protocols
      in Cisco IOS use SSL:
      
        * Hyper Text Transfer Protocol over SSL (HTTPS). This is the most commonly
          used protocol that employs SSL.
        * Cisco Network Security (CNS) Agent with SSL support
        * Firewall Support of HTTPS Authentication Proxy
        * Cisco IOS Clientless SSL VPN (WebVPN) support
      
      Other protocols that use encryption to provide security but do not use SSL are
      not affected by these vulnerabilities. Specifically, IPSec and Secure Shell
      (SSH) are not affected.
      
      To determine the software running on a Cisco IOS product, log in to the device
      and issue the show version command to display the system banner. Cisco IOS
      software will identify itself as "Internetwork Operating System Software" or
      simply "IOS." On the next line of output, the image name will be displayed
      between parentheses, followed by "Version" and the Cisco IOS release name.
      Other Cisco devices will not have the show version command, or will give
      different output.
      
      Only Cisco IOS images that contain the Crypto Feature Set are vulnerable.
      Customers who are not running an IOS image with crypto support are not exposed
      to this vulnerability.
      
      Cisco IOS feature set naming indicates that IOS images with crypto support have
      'K8' or 'K9' in the feature designator field.
      
      The following example shows output from a device running an IOS image with
      crypto support:
      
          Router>show version
          Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1)
          Technical Support: http://www.cisco.com/techsupport
          Copyright (c) 1986-2005 by Cisco Systems, Inc.
          Compiled Thu 31-Mar-05 08:04 by yiyan
      
      
      Since the feature set designator (IK9S) contains 'K9', it can be determine that
      this feature set contains crypto support.
      
      Additional information about Cisco IOS release naming is available at the
      following link: 
      http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml.
      
      The following text describes how to recognize if any of the affected services
      are enabled on a device.
      
      Hyper Text Transfer Protocol Over SSL (HTTPS)
      +--------------------------------------------
      
      To determine if a device has HTTPS enabled, enter the command 
      "show run | include ip http". The following example shows output from 
      of a device that has HTTPS enabled:
      
          Router#show run | include secure-server
          ip http secure-server
      
      
      The following example shows output from a device that does not have HTTPS
      enabled:
      
          Router#show run | include secure-server
          no ip http secure-server
      
      
      CNS Agent With SSL Support
      +-------------------------
      
      CNS Agent with SSL support can only be enabled on devices running a Cisco IOS
      image that supports encryption. The following example shows output from a
      device that has CNS Agent configured to support SSL:
      
          Router#show run | include cns config initial
          cns config initial 10.1.1.1 encrypt no-persist
      
      
      If the output does not contain the encrypt keyword the CNS Agent is not
      vulnerable.
      
      Firewall Support of HTTPS Authentication Proxy
      +---------------------------------------------
      
      To determine if a device has authentication proxy for HTTPS enabled, enter the
      command "show ip auth-proxy configuration". The following example shows output
      from a device that has authentication proxy for HTTPS enabled:
      
          Router#show ip auth-proxy configuration
          Authentication cache time is 60 minutes
          Authentication Proxy Rule Configuration
          Auth-proxy name my_pxy
          http list not specified auth-cache-time 1 minutes
      
      
      If the command does not produce any output, authentication proxy for HTTPS is
      not enabled.
      
      Cisco IOS Clientless SSL VPN (WebVPN) Enhanced Support
      +-----------------------------------------------------
      
      To determine if a device has Cisco IOS Clientless SSL VPN (WebVPN) enhanced
      support enabled, enter the command "show webvpn gateway". The following 
      example shows output from a device that has Cisco IOS Clientless SSL VPN 
      (WebVPN) enhanced support enabled:
      
          Router#show webvpn gateway
      
          Gateway Name                       Admin  Operation
          ------------                       -----  ---------
          web-server                         up     up
      
      
      If the command does not produces any output, Cisco IOS Clientless SSL VPN
      (WebVPN) enhanced support is not enabled.
      
      Products Confirmed Not Vulnerable
      +--------------------------------
      
      No other Cisco products are currently known to be affected by these
      vulnerabilities.
      
      Details
      =======
      
      SSL is a protocol designed to provide a secure connection between two hosts.
      The SSL Protocol is described in RFC4346. While not necessary for the
      understanding of this advisory, users are encouraged to consult the section
      "7.3 handshake Protocol Overview" in RFC4346 as well as Figure 1 in the same
      section. The text of the RFC4346 is available at the following link: 
      http://tools.ietf.org/html/rfc4346#section-7.3.
      
      An attacker can trigger these vulnerabilities after establishing a TCP
      connection, but prior to the exchange of authentication credentials, such as
      username/password or certificate. The requirement of the complete TCP 3-way
      handshake reduces the probability that these vulnerabilities will be exploited
      through the use of spoofed IP addresses.
      
      An attacker intercepting traffic between two affected devices cannot exploit
      these vulnerabilities if the SSL session is already established because SSL
      protects against such injection. However, such an attack could abnormally
      terminate an existing session, via a TCP RST, for example. The attacker could
      then wait for a new SSL session to be established and inject malicious packets
      at the beginning of the new SSL session, thus triggering the vulnerability.
      
      Processing ClientHello Messages May Cause Crash
      +----------------------------------------------
      
      A vulnerable device may crash when processing a malformed ClientHello message.
      The ClientHello message is the first to be sent when a client connects to a
      server. It can also be sent after the SSL session is established; in such
      cases, the message is sent within the encrypted tunnel.
      
      This vulnerability is documented as Cisco bug ID CSCsb12598 
      
      Processing ChangeCipherSpec Messages May Cause Crash
      +---------------------------------------------------
      
      A vulnerable device may crash when processing a malformed ChangeCipherSpec
      message. The ChangeCipherSpec message can only be sent after the ClientHello
      and ServerHello messages are exchanged. In most cases, the ChangeCipherSpec
      message is sent within the encrypted tunnel.
      
      This vulnerability is documented as Cisco bug ID CSCsb40304 
      
      Processing Finished Messages May Cause Crash
      +-------------------------------------------
      
      A vulnerable device may crash when processing a malformed Finished message.
      This message can only be sent as a part of a SSL handshake, but not as the
      first message. The Finished message is always sent within the encrypted tunnel.
      
      This vulnerability is documented as Cisco bug ID CSCsd92405
      
      Vulnerability Scoring Details
      +----------------------------
      
      Cisco is providing scores for the vulnerabilities in this advisory based on the
      Common Vulnerability Scoring System (CVSS).
      
      Cisco will provide a base and temporal score. Customers can then compute
      environmental scores to assist in determining the impact of the vulnerability
      in individual networks.
      
      Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged
      to apply the bias parameter when determining the environmental impact of a
      particular vulnerability.
      
      CVSS is a standards based scoring method that conveys vulnerability severity
      and helps determine urgency and priority of response.
      
      Cisco has provided an FAQ to answer additional questions regarding CVSS at
      http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
      
      Cisco has also provided a CVSS calculator to help compute
      the environmental impact for individual networks at
      http://intellishield.cisco.com/security/alertmanager/cvss.
      
      Cisco Bug IDs:
      
      CSCsb12598 - Processing ClientHello messages
      
      CVSS Base Score: 3.3
          Access Vector: Remote
          Access Complexity: Low
          Authentication: Not Required
          Confidentiality Impact: None
          Integrity Impact: None
          Availability Impact: Complete
          Impact Bias: Normal
      
      CVSS Temporal Score: 2.7
          Exploitability: Functional
          Remediation Level: Official Fix
          Report Confidence: Confirmed
      
      CSCsb40304 - Processing ChangeCipherSpec messages
      
      CVSS Base Score: 3.3
          Access Vector: Remote
          Access Complexity: Low
          Authentication: Not Required
          Confidentiality Impact: None
          Integrity Impact: None
          Availability Impact: Complete
          Impact Bias: Normal
      
      CVSS Temporal Score: 2.7
          Exploitability: Functional
          Remediation Level: Official Fix
          Report Confidence: Confirmed
      
      
      CSCsd92405 - Processing Finished messages
      
      CVSS Base Score: 3.3
          Access Vector: Remote
          Access Complexity: Low
          Authentication: Not Required
          Confidentiality Impact: None
          Integrity Impact: None
          Availability Impact: Complete
          Impact Bias: Normal
      
      CVSS Temporal Score: 2.7
          Exploitability: Functional
          Remediation Level: Official Fix
          Report Confidence: Confirmed
      
      
      Impact
      ======
      
      Successful exploitation of any vulnerability listed in this advisory may result
      in the crash of the affected device. Repeated exploitation can result in a
      sustained DoS condition.
      
      Software Versions and Fixes
      ===========================
      
      When considering software upgrades, also consult http://www.cisco.com/go/psirt
      and any subsequent advisories to determine exposure and a complete upgrade
      solution.
      
      In all cases, customers should exercise caution to be certain the devices to be
      upgraded contain sufficient memory and that current hardware and software
      configurations will continue to be supported properly by the new release. If
      the information is not clear, contact the Cisco Technical Assistance Center
      ("TAC") or your contracted maintenance provider for assistance.
      
      Each row of the Cisco IOS software table (below) describes a release train. If
      a given release train is vulnerable, then the earliest possible releases that
      contain the fix (the "First Fixed Release") and the anticipated date of
      availability for each are listed in the "Rebuild" and "Maintenance" columns. A
      device running a release in the given train that is earlier than the release in
      a specific column (less than the First Fixed Release) is known to be
      vulnerable. The release should be upgraded at least to the indicated release or
      a later version (greater than or equal to the First Fixed Release label).
      
      For more information on the terms "Rebuild" and "Maintenance," consult the
      following URL: 
      http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml
      
      +---------------------------------------------------------------------+
      |      Major Release      |     Availability of Repaired Releases     |
      |-------------------------+-------------------------------------------|
      | Affected 12.0-Based     | Rebuild                     | Maintenance |
      | Release                 |                             |             |
      |-------------------------+-------------------------------------------|
      | 12.0T                   | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      | 12.0WC                  | 12.0(5)WC17                 |             |
      |-------------------------+-------------------------------------------|
      | 12.0XE                  | Vulnerable; migrate to 12.1(26)E8 or      |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.0XH                  | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      | 12.0XI                  | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      | 12.0XK                  | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      | 12.0XL                  | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      | 12.0XN                  | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      | 12.0XQ                  | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      | 12.0XR                  | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      | 12.0XV                  | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      | Affected 12.1-Based     | Rebuild                     | Maintenance |
      | Release                 |                             |             |
      |-------------------------+-------------------------------------------|
      | 12.1                    | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      | 12.1AY                  | Vulnerable; migrate to 12.1(22)EA9 or     |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.1CX                  | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      |                         | 12.1(26)E8                  |             |
      | 12.1E                   |-----------------------------+-------------|
      |                         | 12.1(27b)E2; available      |             |
      |                         | 25-June-07                  |             |
      |-------------------------+-----------------------------+-------------|
      | 12.1EA                  | 12.1(22)EA9                 |             |
      |-------------------------+-----------------------------+-------------|
      | 12.1EB                  | 12.1(26)EB2; available      |             |
      |                         | 30-July-07                  |             |
      |-------------------------+-------------------------------------------|
      | 12.1EC                  | Vulnerable; migrate to 12.3(21)BC or      |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.1EW                  | Vulnerable; migrate to 12.2(25)EWA9 or    |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.1EX                  | Vulnerable; migrate to 12.1(26)E8 or      |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.1EY                  | Vulnerable; migrate to 12.1(26)E8 or      |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.1T                   | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      | 12.1XC                  | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      | 12.1XD                  | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      | 12.1XF                  | Vulnerable; migrate 12.3(22) or later     |
      |-------------------------+-------------------------------------------|
      | 12.1XG                  | Vulnerable; migrate 12.3(22) or later     |
      |-------------------------+-------------------------------------------|
      | 12.1XH                  | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      | 12.1XI                  | Vulnerable; migrate to 12.2(46) or later  |
      |-------------------------+-------------------------------------------|
      | 12.1XJ                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.1XL                  | 12.1(3a)XL2                 |             |
      |-------------------------+-------------------------------------------|
      | 12.1XM                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.1XP                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.1XQ                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.1XT                  | Vulnerable; migrate to12.3(22) or later   |
      |-------------------------+-------------------------------------------|
      | 12.1XU                  | 12.1(5)XU2                  |             |
      |-------------------------+-------------------------------------------|
      | 12.1YB                  | Vulnerable; migrate to12.3(22) or later   |
      |-------------------------+-------------------------------------------|
      | 12.1YC                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.1YD                  | Vulnerable; migrate to12.3(22) or later   |
      |-------------------------+-------------------------------------------|
      | 12.1YE                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.1YF                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.1YI                  | Vulnerable; migrate to12.3(22) or later   |
      |-------------------------+-------------------------------------------|
      | Affected 12.2-Based     | Rebuild                     | Maintenance |
      | Release                 |                             |             |
      |-------------------------+-----------------------------+-------------|
      | 12.2                    |                             | 12.2(46)    |
      |-------------------------+-------------------------------------------|
      | 12.2B                   | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2BC                  | Vulnerable; migrate to 12.3(17b)BC5 or    |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2BW                  | Vulnerable; migrate 12.3(22) or later     |
      |-------------------------+-------------------------------------------|
      | 12.2BY                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2BZ                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.2CX                  | Vulnerable; migrate to 12.3(21)BC or      |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2CY                  | Vulnerable; migrate to 12.3(21)BC or      |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2CZ                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.2DD                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2EW                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.2EWA                 | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.2EX                  | Vulnerable; migrate to 12.2(25)SEE3 or    |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2EY                  | Vulnerable; migrate to 12.2(35)SE or      |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2EZ                  | Vulnerable; migrate to 12.2(25)SEE3 or    |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2FX                  | Vulnerable; migrate to 12.2(25)SEE3 or    |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2FY                  | Vulnerable; migrate to 12.2(25)SEG2 or    |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2FZ                  | Vulnerable; migrate to 12.2(35)SE or      |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2IXA                 | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.2IXB                 | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.2JA                  | Vulnerable; migrate to 12.3(11)JA or      |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2JK                  | Vulnerable; migrate to 12.4(4)T or later  |
      |-------------------------+-------------------------------------------|
      | 12.2S                   | Vulnerable; migrate to 12.2(31)SB2 or     |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2SB                  | 12.2(31)SB2                 |             |
      |-------------------------+-------------------------------------------|
      | 12.2SBC                 | Vulnerable; migrate to 12.2(31)SB2 or     |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2SE                  |                             | 12.2(35)SE  |
      |-------------------------+-------------------------------------------|
      | 12.2SEA                 | Vulnerable; migrate to 12.2(25)SEE3 or    |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2SEB                 | Vulnerable; migrate to 12.2(25)SEE3 or    |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2SEC                 | Vulnerable; migrate to 12.2(25)SEE3 or    |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2SED                 | Vulnerable; migrate to 12.2(25)SEE3 or    |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2SEE                 | 12.2(25)SEE3                |             |
      |-------------------------+-------------------------------------------|
      | 12.2SEF                 | Vulnerable; migrate to 12.2(35)SE or      |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2SEG                 | 12.2(25)SEG2                |             |
      |-------------------------+-------------------------------------------|
      | 12.2SG                  | 12.2(37)SG                                |
      |-------------------------+-------------------------------------------|
      | 12.2SGA                 | 12.2(31)SGA1                |             |
      |-------------------------+-----------------------------+-------------|
      | 12.2SRA                 | 12.2(33)SRA2                |             |
      |-------------------------+-------------------------------------------|
      | 12.2SU                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      |                         | 12.2(28)SV2                 |             |
      | 12.2SV                  |-----------------------------+-------------|
      |                         | 12.2(29)SV3                 |             |
      |-------------------------+-----------------------------+-------------|
      | 12.2SW                  | 12.2(25)SW8                 |             |
      |-------------------------+-------------------------------------------|
      | 12.2SX                  | Vulnerable; migrate to 12.2(18)SXE6b or   |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2SXA                 | Vulnerable; migrate to 12.2(18)SXE6b or   |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2SXB                 | Vulnerable; migrate to 12.2(18)SXE6b or   |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2SXD                 | Vulnerable; migrate to 12.2(18)SXE6b      |
      |-------------------------+-------------------------------------------|
      | 12.2SXE                 | 12.2(18)SXE6b               |             |
      |-------------------------+-----------------------------+-------------|
      | 12.2SXF                 | 12.2(18)SXF                 |             |
      |-------------------------+-------------------------------------------|
      | 12.2SY                  | Vulnerable; migrate to 12.2(18)SXE6b or   |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2T                   | Vulnerable; migrate 12.3(22) or later     |
      |-------------------------+-------------------------------------------|
      | 12.2TPC                 | 12.2(8)TPC10b               |             |
      |-------------------------+-------------------------------------------|
      | 12.2XA                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XB                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XD                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XE                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XF                  | Vulnerable; migrate to 12.3(21)BC or      |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2XG                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XH                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XI                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XJ                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XK                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XL                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XM                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XN                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XQ                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XR                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XS                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XT                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XU                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XV                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2XW                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YA                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YB                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YC                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YD                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YE                  | Vulnerable; migrate to 12.2(31)SB2 or     |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2YF                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YJ                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YL                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YM                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YN                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YQ                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YR                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YU                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YV                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YW                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YX                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YY                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2YZ                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.2ZA                  | Vulnerable; migrate to 12.2(18)SXE6b or   |
      |                         | later                                     |
      |-------------------------+-------------------------------------------|
      | 12.2ZB                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2ZD                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.2ZE                  | Vulnerable; migrate to 12.3(22) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2ZF                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2ZH                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.2ZJ                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2ZL                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.2ZN                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.2ZU                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.2ZV                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.2ZW                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.2ZX                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | Affected 12.3-Based     | Rebuild                     | Maintenance |
      | Release                 |                             |             |
      |-------------------------+-----------------------------+-------------|
      | 12.3                    |                             | 12.3(22)    |
      |-------------------------+-------------------------------------------|
      | 12.3B                   | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.3BC                  | 12.3(17b)BC5                | 12.3(21)BC  |
      |-------------------------+-----------------------------+-------------|
      | 12.3JA                  |                             | 12.3(11)JA  |
      |-------------------------+-----------------------------+-------------|
      | 12.3JEA                 |                             | 12.3(8)JEA  |
      |-------------------------+-------------------------------------------|
      | 12.3JK                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.3JX                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.3T                   | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.3TPC                 | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.3XA                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.3XB                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.3XC                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.3XD                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.3XE                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.3XF                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.3XG                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.3XH                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.3XI                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.3XJ                  | Vulnerable; migrate to 12.4(11)T or later |
      |-------------------------+-------------------------------------------|
      | 12.3XK                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.3XQ                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.3XR                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.3XS                  | Vulnerable; migrate to 12.4(10) or later  |
      |-------------------------+-------------------------------------------|
      | 12.3XU                  | Vulnerable; migrate to 12.4(11)T or later |
      |-------------------------+-------------------------------------------|
      | 12.3XW                  | Vulnerable; migrate to 12.4(11)T or later |
      |-------------------------+-------------------------------------------|
      | 12.3XX                  | 12.3(8)XX2d                 |             |
      |-------------------------+-------------------------------------------|
      | 12.3YA                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.3YD                  | Vulnerable; migrate to 12.4(11)T or later |
      |-------------------------+-------------------------------------------|
      | 12.3YF                  | Vulnerable; migrate to 12.4(11)T or later |
      |-------------------------+-------------------------------------------|
      | 12.3YG                  | Vulnerable; migrate to 12.4(11)T or later |
      |-------------------------+-------------------------------------------|
      | 12.3YH                  | Vulnerable; migrate to 12.4(11)T or later |
      |-------------------------+-------------------------------------------|
      | 12.3YI                  | Vulnerable; migrate to 12.4(11)T or later |
      |-------------------------+-------------------------------------------|
      | 12.3YK                  | Vulnerable; migrate to 12.4(11)T or later |
      |-------------------------+-------------------------------------------|
      | 12.3YQ                  | Vulnerable; migrate to 12.4(11)T or later |
      |-------------------------+-------------------------------------------|
      | 12.3YS                  | Vulnerable; migrate to 12.4(11)T or later |
      |-------------------------+-------------------------------------------|
      | 12.3YT                  | Vulnerable; migrate to 12.4(11)T or later |
      |-------------------------+-------------------------------------------|
      | 12.3YU                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.3YX                  | Vulnerable; migrate to 12.4(11)T or later |
      |-------------------------+-------------------------------------------|
      | 12.3YZ                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | Affected 12.4-Based     | Rebuild                     | Maintenance |
      | Release                 |                             |             |
      |-------------------------+-----------------------------+-------------|
      | 12.4                    |                             | 12.4(10)    |
      |-------------------------+-----------------------------+-------------|
      | 12.4T                   |                             | 12.4(11)T   |
      |-------------------------+-------------------------------------------|
      | 12.4XA                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.4XB                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.4XC                  | 12.4(4)XC6                  |             |
      |-------------------------+-----------------------------+-------------|
      | 12.4XD                  | 12.4(4)XD5                  |             |
      |-------------------------+-------------------------------------------|
      | 12.4XE                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.4XP                  | Vulnerable; contact TAC                   |
      |-------------------------+-------------------------------------------|
      | 12.4XT                  | Vulnerable; contact TAC                   |
      +---------------------------------------------------------------------+
      
      Workarounds
      ===========
      
      The only way to prevent a device from being susceptible to the listed
      vulnerabilities is to disable the affected service(s). However, if regular
      maintenance and operation of the device relies on these services, there is no
      workaround.
      
      It is possible to mitigate these vulnerabilities by preventing unauthorized
      hosts from accessing affected devices. Additional mitigations that can be
      deployed on Cisco devices within the network are available in the Cisco Applied
      Intelligence companion document for this advisory. This companion document is
      available at the following link: 
      http://www.cisco.com/warp/public/707/cisco-air-20070522-SSL.shtml
      
      Control Plane Policing (CoPP)
      +----------------------------
      
      Control Plane Policing: IOS software versions that support Control Plane
      Policing (CoPP) can be configured to help protect the device from attacks that
      target the management and control planes. CoPP is available in Cisco IOS
      release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T.
      
      In the following CoPP example, the ACL entries that match the exploit packets
      with the permit action will be discarded by the policy-map drop function, while
      packets that match a "deny" action (not shown) are not affected by the
      policy-map drop function:
      
          ! Include deny statements up front for any protocols/ports/IP addresses that
          !-- should not be impacted by CoPP
      
          ! Include permit statements for the protocols/ports that will be governed by CoPP
          access-list 100 permit tcp any any eq 443
      
          !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
          !-- traffic in accordance with existing security policies and
          !-- configurations for traffic that is authorized to be sent
          !-- to infrastructure devices.
          !
          !-- Create a Class-Map for traffic to be policed by
          !-- the CoPP feature.
          !
          class-map match-all drop-SSL-class
           match access-group 100
      
          !
          !-- Create a Policy-Map that will be applied to the
          !-- Control-Plane of the device.
          !
          policy-map drop-SSL-policy
           class drop-SSL-class
             drop
      
          !-- Apply the Policy-Map to the Control-Plane of the
          !-- device.
          !
          control-plane
           service-policy input drop-SSL-policy
      
      
      Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains, the
      policy-map syntax is different, as demonstrated by the following:
      
          policy-map drop-SSL-policy
           class drop-SSL-class
           police 32000 1500 1500 conform-action drop exceed-action drop
      
      
      NOTE: In the above CoPP example, the ACL entries with the "permit" action that
      match the exploit packets result in the discarding of those packets by the
      policy-map drop function, while packets that match the "deny" action are not
      affected by the policy-map drop function.
      
      Additional information on the configuration and use of the CoPP feature 
      is available at the following links: 
      http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml
      and 
      http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html
      
      Access Control List (ACL)
      +------------------------
      
      An Access Control List (ACL) can be used to help mitigate attacks targeting
      these vulnerabilities. ACLs can specify that only packets from legitimate
      sources are permitted to reach a device, and all others are to be dropped. The
      following example shows how to allow legitimate SSL sessions from trusted
      sources and deny all other SSL sessions:
      
          access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> port 443
          access-list 101 deny tcp any any port 443
      
      
      Obtaining Fixed Software
      ========================
      
      Cisco has made free software available to address this vulnerability for
      affected customers. Prior to deploying software, customers should consult their
      maintenance provider or check the software for feature set compatibility and
      known issues specific to their environment.
      
      Customers may only install and expect support for the feature sets they have
      purchased. By installing, downloading, accessing or otherwise using such
      software upgrades, customers agree to be bound by the terms of Cisco's software
      license terms found at http://www.cisco.com/public/sw-license-agreement.html,
      or as otherwise set forth at Cisco.com Downloads at
      http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
      
      Do not contact either "psirt at cisco dot com" or "security-alert at cisco dot com" for
      software upgrades.
      
      Customers with Service Contracts
      +-------------------------------
      
      Customers with contracts should obtain upgraded software through their
      regular update channels. For most customers, this means that upgrades
      should be obtained through the Software Center on Cisco's worldwide
      website at http://www.cisco.com.
      
      Customers using Third-party Support Organizations
      +------------------------------------------------
      
      Customers whose Cisco products are provided or maintained through prior or
      existing agreement with third-party support organizations such as Cisco
      Partners, authorized resellers, or service providers should contact that
      support organization for guidance and assistance with the appropriate course of
      action in regards to this advisory.
      
      The effectiveness of any workaround or fix is dependent on specific customer
      situations such as product mix, network topology, traffic behavior, and
      organizational mission. Due to the variety of affected products and releases,
      customers should consult with their service provider or support organization to
      ensure any applied workaround or fix is the most appropriate for use in the
      intended network before it is deployed.
      
      Customers without Service Contracts
      +----------------------------------
      
      Customers who purchase direct from Cisco but who do not hold a Cisco service
      contract and customers who purchase through third-party vendors but are
      unsuccessful at obtaining fixed software through their point of sale should get
      their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC
      contacts are as follows.
      
        * +1 800 553 2447 (toll free from within North America)
        * +1 408 526 7209 (toll call from anywhere in the world)
        * e-mail: tac at cisco dot com
      
      Have your product serial number available and give the URL of this notice as
      evidence of your entitlement to a free upgrade. Free upgrades for non-contract
      customers must be requested through the TAC.
      
      Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
      additional TAC contact information, including special localized telephone
      numbers and instructions and e-mail addresses for use in various languages.
      
      Exploitation and Public Announcements
      =====================================
      
      The Cisco PSIRT is not aware of any public announcements or malicious use of
      the vulnerabilities described in this Advisory.
      
      These vulnerabilities were discovered by Cisco during internal testing.
      
      Status of This Notice: FINAL
      ============================
      
      THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
      GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
      FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
      LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO
      CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
      
      A stand-alone copy or Paraphrase of the text of this document that omits the
      distribution URL in the following section is an uncontrolled copy, and may lack
      important information or contain factual errors.
      
      Distribution
      ============
      
      This advisory is posted on Cisco's worldwide website at 
      http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
      
      In addition to worldwide web posting, a text version of this notice is
      clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail
      and Usenet news recipients.
      
        * cust-security-announce at cisco dot com
        * first-teams at first dot org
        * bugtraq at securityfocus dot com
        * vulnwatch at vulnwatch dot org
        * cisco at spot dot colorado dot edu
        * cisco-nsp at puck dot nether dot net
        * full-disclosure at lists.grok dot org dot uk
        * comp.dcom.sys.cisco at newsgate dot cisco dot com
      
      Future updates of this advisory, if any, will be placed on Cisco's worldwide
      website, but may or may not be actively announced on mailing lists or
      newsgroups. Users concerned about this problem are encouraged to check the
      above URL for any updates.
      
      Revision History
      ================
      
      +---------------------------------------------------------------------+
      | Revision 1.0     | 2007-May-22     | Initial public release.        |
      +---------------------------------------------------------------------+
      
      Cisco Security Procedures
      =========================
      
      Complete information on reporting security vulnerabilities in Cisco products,
      obtaining assistance with security incidents, and registering to receive
      security information from Cisco, is available on Cisco's worldwide website at
      http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
      This includes instructions for press inquiries regarding Cisco security
      notices. All Cisco security advisories are available at 
      http://www.cisco.com/go/psirt.
      
      - -------------------------------------------------------------------------------
      All contents are Copyright 2006-2007 Cisco Systems, Inc. All rights reserved.
      - -------------------------------------------------------------------------------
      
      Updated: May 22, 2007                                        Document ID: 91888
      
      - -------------------------------------------------------------------------------
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.4.2.2 (GNU/Linux)
      
      iD8DBQFGUv7w8NUAbBmDaxQRAt2eAJ9HfpjbjdXCbden9C3cegJgptT6fgCgscZ4
      Ce+S5/oA5GrNfmtT4Taqm20=
      =IRzP
      -----END PGP SIGNATURE-----