__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Multiple Vulnerabilities in Cisco IOS while Processing SSL Packets [Cisco Security Advisory Document ID: 91888] May 23, 2007 18:00 GMT Number R-246 [REVISED 29 June 2007] ______________________________________________________________________________ PROBLEM: Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. PLATFORM: Hyper Text Transfer Protocol over SSL (HTTPS). This is the most commonly used protocol that employs SSL. Cisco Network Security (CNS) Agent with SSL support Firewall Support of HTTPS Authentication Proxy Cisco IOS Clientless SSL VPN (WebVPN) support DAMAGE: Successful exploitation of any vulnerability listed in this advisory may result in the crash of the affected device. SOLUTION: Upgrade to the appropriate version. ______________________________________________________________________________ VULNERABILITY The risk is LOW. Successful exploitation of any vulnerability ASSESSMENT: listed in this advisory may result in the crash of the affected device. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/r-246.shtml ORIGINAL BULLETIN: http://www.cisco.com/en/US/products/products_security_ advisory09186a0080847c49.shtml ADDITIONAL LINK: http://www.cisco.com/en/US/products/products_applied_ intelligence_response09186a0080847c7e.html ______________________________________________________________________________ REVISION HISTORY: 06/29/2007 - revised R-246 to add a link to Cisco Document ID: 82199 for Cisco IOS while processing SSL paackets. [***** Start Cisco Security Advisory Document ID: 91888 *****] Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS While Processing SSL Packets Document ID: 91888 Advisory ID: cisco-sa-20070522-SSL http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml Revision 1.0 For Public Release 2007 May 22 1300 UTC (GMT) -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- Contents Summary Affected Products Details Impact Software Versions and Fixes Workarounds Obtaining Fixed Software Exploitation and Public Announcements Status of This Notice: FINAL Distribution Revision History Cisco Security Procedures -------------------------------------------------------------------------------- Summary Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device. Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information. Cisco IOS is affected by the following vulnerabilities: Processing ClientHello messages, documented as Cisco bug ID CSCsb12598 ( registered customers only) Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304 ( registered customers only) Processing Finished messages, documented as Cisco bug ID CSCsd92405 ( registered customers only) Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml A combined software table for Cisco IOS is available to aid customers in choosing a software releases that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml. Affected Products Vulnerable Products These vulnerabilities affect all Cisco devices running Cisco IOS software configured to use the SSL protocol. The following application layer protocols in Cisco IOS use SSL: Hyper Text Transfer Protocol over SSL (HTTPS). This is the most commonly used protocol that employs SSL. Cisco Network Security (CNS) Agent with SSL support Firewall Support of HTTPS Authentication Proxy Cisco IOS Clientless SSL VPN (WebVPN) support Other protocols that use encryption to provide security but do not use SSL are not affected by these vulnerabilities. Specifically, IPSec and Secure Shell (SSH) are not affected. To determine the software running on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices will not have the show version command, or will give different output. Only Cisco IOS images that contain the Crypto Feature Set are vulnerable. Customers who are not running an IOS image with crypto support are not exposed to this vulnerability. Cisco IOS feature set naming indicates that IOS images with crypto support have 'K8' or 'K9' in the feature designator field. The following example shows output from a device running an IOS image with crypto support: Router>show version Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by Cisco Systems, Inc. Compiled Thu 31-Mar-05 08:04 by yiyan Since the feature set designator (IK9S) contains 'K9', it can be determine that this feature set contains crypto support. Additional information about Cisco IOS release naming is available at the following link: http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/product s_white_paper09186a008018305e.shtml. The following text describes how to recognize if any of the affected services are enabled on a device. Hyper Text Transfer Protocol Over SSL (HTTPS) To determine if a device has HTTPS enabled, enter the command show run | include ip http. The following example shows output from of a device that has HTTPS enabled: Router#show run | include secure-server ip http secure-server The following example shows output from a device that does not have HTTPS enabled: Router#show run | include secure-server no ip http secure-server CNS Agent With SSL Support CNS Agent with SSL support can only be enabled on devices running a Cisco IOS image that supports encryption. The following example shows output from a device that has CNS Agent configured to support SSL: Router#show run | include cns config initial cns config initial 10.1.1.1 encrypt no-persist If the output does not contain the encrypt keyword the CNS Agent is not vulnerable. Firewall Support of HTTPS Authentication Proxy To determine if a device has authentication proxy for HTTPS enabled, enter the command show ip auth-proxy configuration. The following example shows output from a device that has authentication proxy for HTTPS enabled: Router#show ip auth-proxy configuration Authentication cache time is 60 minutes Authentication Proxy Rule Configuration Auth-proxy name my_pxy http list not specified auth-cache-time 1 minutes If the command does not produce any output, authentication proxy for HTTPS is not enabled. Cisco IOS Clientless SSL VPN (WebVPN) Enhanced Support To determine if a device has Cisco IOS Clientless SSL VPN (WebVPN) enhanced support enabled, enter the command show webvpn gateway. The following example shows output from a device that has Cisco IOS Clientless SSL VPN (WebVPN) enhanced support enabled: Router#show webvpn gateway Gateway Name Admin Operation ------------ ----- --------- web-server up up If the command does not produces any output, Cisco IOS Clientless SSL VPN (WebVPN) enhanced support is not enabled. Products Confirmed Not Vulnerable No other Cisco products are currently known to be affected by these vulnerabilities. Details SSL is a protocol designed to provide a secure connection between two hosts. The SSL Protocol is described in RFC4346. While not necessary for the understanding of this advisory, users are encouraged to consult the section "7.3 handshake Protocol Overview" in RFC4346 as well as Figure 1 in the same section. The text of the RFC4346 is available at the following link: http://tools.ietf.org/html/rfc4346#section-7.3. An attacker can trigger these vulnerabilities after establishing a TCP connection, but prior to the exchange of authentication credentials, such as username/password or certificate. The requirement of the complete TCP 3-way handshake reduces the probability that these vulnerabilities will be exploited through the use of spoofed IP addresses. An attacker intercepting traffic between two affected devices cannot exploit these vulnerabilities if the SSL session is already established because SSL protects against such injection. However, such an attack could abnormally terminate an existing session, via a TCP RST, for example. The attacker could then wait for a new SSL session to be established and inject malicious packets at the beginning of the new SSL session, thus triggering the vulnerability. Processing ClientHello Messages May Cause Crash A vulnerable device may crash when processing a malformed ClientHello message. The ClientHello message is the first to be sent when a client connects to a server. It can also be sent after the SSL session is established; in such cases, the message is sent within the encrypted tunnel. This vulnerability is documented as Cisco bug ID CSCsb12598 ( registered customers only) Processing ChangeCipherSpec Messages May Cause Crash A vulnerable device may crash when processing a malformed ChangeCipherSpec message. The ChangeCipherSpec message can only be sent after the ClientHello and ServerHello messages are exchanged. In most cases, the ChangeCipherSpec message is sent within the encrypted tunnel. This vulnerability is documented as Cisco bug ID CSCsb40304 ( registered customers only) Processing Finished Messages May Cause Crash A vulnerable device may crash when processing a malformed Finished message. This message can only be sent as a part of a SSL handshake, but not as the first message. The Finished message is always sent within the encrypted tunnel. This vulnerability is documented as Cisco bug ID CSCsd92405 ( registered customers only) Vulnerability Scoring Details Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability. CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. CSCsb12598 - Processing ClientHello messages Calculate the environmental score of CSCsb12598 CVSS Base Score - 3.3 Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact Impact Bias Remote Low Not Required None None Complete Normal Temporal Score - 2.7 Exploitability Remediation Level Report Confidence Functional Official Fix Confirmed CSCsb40304 - Processing ChangeCipherSpec messages Calculate the environmental score of CSCsb40304 CVSS Base Score - 3.3 Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact Impact Bias Remote Low Not Required None None Complete Normal Temporal Score - 2.7 Exploitability Remediation Level Report Confidence Functional Official Fix Confirmed CSCsd92405 - Processing Finished messages Calculate the environmental score of CSCsd92405 CVSS Base Score - 3.3 Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact Impact Bias Remote Low Not Required None None Complete Normal Temporal Score - 2.7 Exploitability Remediation Level Report Confidence Functional Official Fix Confirmed Impact Successful exploitation of any vulnerability listed in this advisory may result in the crash of the affected device. Repeated exploitation can result in a sustained DoS condition. Software Versions and Fixes When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) describes a release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label). For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_ white_paper09186a008018305e.shtml Major Release Availability of Repaired Releases Affected 12.0-Based Release Rebuild Maintenance 12.0T Vulnerable; migrate to 12.2(46) or later 12.0WC 12.0(5)WC17 12.0XE Vulnerable; migrate to 12.1(26)E8 or later 12.0XH Vulnerable; migrate to 12.2(46) or later 12.0XI Vulnerable; migrate to 12.2(46) or later 12.0XK Vulnerable; migrate to 12.2(46) or later 12.0XL Vulnerable; migrate to 12.2(46) or later 12.0XN Vulnerable; migrate to 12.2(46) or later 12.0XQ Vulnerable; migrate to 12.2(46) or later 12.0XR Vulnerable; migrate to 12.2(46) or later 12.0XV Vulnerable; migrate to 12.2(46) or later Affected 12.1-Based Release Rebuild Maintenance 12.1 Vulnerable; migrate to 12.2(46) or later 12.1AY Vulnerable; migrate to 12.1(22)EA9 or later 12.1CX Vulnerable; migrate to 12.2(46) or later 12.1E 12.1(26)E8 12.1(27b)E2; available 25-June-07 12.1EA 12.1(22)EA9 12.1EB 12.1(26)EB2; available 30-July-07 12.1EC Vulnerable; migrate to 12.3(21)BC or later 12.1EW Vulnerable; migrate to 12.2(25)EWA9 or later 12.1EX Vulnerable; migrate to 12.1(26)E8 or later 12.1EY Vulnerable; migrate to 12.1(26)E8 or later 12.1T Vulnerable; migrate to 12.2(46) or later 12.1XC Vulnerable; migrate to 12.2(46) or later 12.1XD Vulnerable; migrate to 12.2(46) or later 12.1XF Vulnerable; migrate 12.3(22) or later 12.1XG Vulnerable; migrate 12.3(22) or later 12.1XH Vulnerable; migrate to 12.2(46) or later 12.1XI Vulnerable; migrate to 12.2(46) or later 12.1XJ Vulnerable; migrate to 12.3(22) or later 12.1XL Vulnerable; migrate to 12.3(22) or later 12.1XM Vulnerable; migrate to 12.3(22) or later 12.1XP Vulnerable; migrate to 12.3(22) or later 12.1XQ Vulnerable; migrate to 12.3(22) or later 12.1XT Vulnerable; migrate to12.3(22) or later 12.1XU Vulnerable; migrate to12.3(22) or later 12.1YB Vulnerable; migrate to12.3(22) or later 12.1YC Vulnerable; migrate to 12.3(22) or later 12.1YD Vulnerable; migrate to12.3(22) or later 12.1YE Vulnerable; migrate to 12.3(22) or later 12.1YF Vulnerable; migrate to 12.3(22) or later 12.1YI Vulnerable; migrate to12.3(22) or later Affected 12.2-Based Release Rebuild Maintenance 12.2 12.2(40a) 12.2(46) 12.2B Vulnerable; migrate to 12.4(10) or later 12.2BC Vulnerable; migrate to 12.3(21)BC or later 12.2BW Vulnerable; migrate 12.3(22) or later 12.2BY Vulnerable; migrate to 12.4(10) or later 12.2BZ Vulnerable; contact TAC 12.2CX Vulnerable; migrate to 12.3(21)BC or later 12.2CY Vulnerable; migrate to 12.3(21)BC or later 12.2CZ Vulnerable; contact TAC 12.2DD Vulnerable; migrate to 12.4(10) or later 12.2EW Vulnerable; migrate to 12.2(25)EWA9 or later 12.2EWA 12.2(25)EWA9 12.2EX Vulnerable; migrate to 12.2(25)SEE3 or later 12.2EY Vulnerable; migrate to 12.2(25)SEE3 or later 12.2EZ Vulnerable; migrate to 12.2(25)SEE3 or later 12.2FX Vulnerable; migrate to 12.2(25)SEE3 or later 12.2FY Vulnerable; migrate to 12.2(25)SEG2 or later 12.2FZ Vulnerable; migrate to 12.2(35)SE or later 12.2IXA Vulnerable; migrate to 12.2(18)IXD or later 12.2IXB Vulnerable; migrate to 12.2(18)IXD or later 12.2JA Vulnerable; migrate to 12.3(11)JA or later 12.2JK Vulnerable; migrate to 12.4(11)T or later 12.2S 12.2(14)S13a 12.2(25)S12 12.2(18)S0a 12.2(20)S9a 12.2SB 12.2(28)SB4b 12.2(31)SB2 12.2SBC Vulnerable; migrate to 12.2(31)SB2 or later 12.2SE 12.2(35)SE 12.2SEA Vulnerable; migrate to 12.2(25)SEE3 or later 12.2SEB Vulnerable; migrate to 12.2(25)SEE3 or later 12.2SEC Vulnerable; migrate to 12.2(25)SEE3 or later 12.2SED Vulnerable; migrate to 12.2(25)SEE3 or later 12.2SEE 12.2(25)SEE3 12.2SEF Vulnerable; contact TAC 12.2SEG 12.2(25)SEG2 12.2SG 12.2(37)SG 12.2SGA 12.2(31)SGA2; available 11-June-2007 12.2SRA 12.2(33)SRA2 12.2SU Vulnerable; migrate to 12.4(10) or later 12.2SV 12.2(28)SV2 12.2(29)SV3 12.2SW 12.2(25)SW9 12.2SX Vulnerable; migrate to 12.2(18)SXE6a or later 12.2SXA Vulnerable; migrate to 12.2(18)SXE6a or later 12.2SXB Vulnerable; migrate to 12.2(18)SXE6a or later 12.2SXD Vulnerable; migrate to 12.2(18)SXE6a 12.2SXE 12.2(18)SXE6a 12.2SXF 12.2(18)SXF7 12.2SY Vulnerable; migrate to 12.2(18)SXE6a or later 12.2T Vulnerable; migrate 12.3(22) or later 12.2TPC 12.2(8)TPC10b 12.2XA Vulnerable; migrate to 12.3(22) or later 12.2XB Vulnerable; migrate to 12.3(22) or later 12.2XD Vulnerable; migrate to 12.3(22) or later 12.2XE Vulnerable; migrate to 12.3(22) or later 12.2XF Vulnerable; migrate to 12.3(21)BC or later 12.2XG Vulnerable; migrate to 12.3(22) or later 12.2XH Vulnerable; migrate to 12.3(22) or later 12.2XI Vulnerable; migrate to 12.3(22) or later 12.2XJ Vulnerable; migrate to 12.3(22) or later 12.2 XK Vulnerable; migrate to 12.3(22) or later 12.2XL Vulnerable; migrate to 12.3(22) or later 12.2XM Vulnerable; migrate to 12.3(22) or later 12.2XN Vulnerable; migrate to 12.3(22) or later 12.2XQ Vulnerable; migrate to 12.3(22) or later 12.2XR Vulnerable; migrate to 12.3(22) or later 12.2XS Vulnerable; migrate to 12.3(22) or later 12.2XT Vulnerable; migrate to 12.3(22) or later 12.2XU Vulnerable; migrate to 12.3(22) or later 12.2XV Vulnerable; migrate to 12.3(22) or later 12.2XW Vulnerable; migrate to 12.3(22) or later 12.2YA Vulnerable; migrate to 12.3(22) or later 12.2YB Vulnerable; migrate to 12.3(22) or later 12.2YC Vulnerable; migrate to 12.3(22) or later 12.2YD Vulnerable; migrate to 12.4(10) or later 12.2YE Vulnerable; migrate to 12.2(25)S12 or later 12.2YF Vulnerable; migrate to 12.3(22) or later 12.2YJ Vulnerable; migrate to 12.3(22) or later 12.2YL Vulnerable; migrate to 12.4(10) or later 12.2YM Vulnerable; migrate to 12.4(10) or later 12.2YN Vulnerable; migrate to 12.4(10) or later 12.2YQ Vulnerable; migrate to 12.4(10) or later 12.2YR Vulnerable; migrate to 12.4(10) or later 12.2YU Vulnerable; migrate to 12.4(10) or later 12.2YV Vulnerable; migrate to 12.4(10) or later 12.2YW Vulnerable; migrate to 12.4(10) or later 12.2YX Vulnerable; migrate to 12.4(10) or later 12.2YY Vulnerable; migrate to 12.4(10) or later 12.2YZ Vulnerable; contact TAC 12.2ZA Vulnerable; migrate to 12.2(18)SXE6a or later 12.2ZB Vulnerable; migrate to 12.4(10) or later 12.2ZD Vulnerable; contact TAC 12.2ZE Vulnerable; migrate to 12.3(22) or later 12.2ZF Vulnerable; migrate to 12.4(10) or later 12.2ZH Vulnerable; contact TAC 12.2ZJ Vulnerable; migrate to 12.4(10) or later 12.2ZL Vulnerable; contact TAC 12.2ZN Vulnerable; migrate to 12.4(10) or later 12.2ZU Vulnerable; contact TAC 12.2ZV Vulnerable; contact TAC 12.2ZW Vulnerable; contact TAC 12.2ZX Vulnerable; contact TAC Affected 12.3-Based Release Rebuild Maintenance 12.3 12.3(21a) 12.3(22) 12.3B Vulnerable; migrate to 12.4(10) or later 12.3BC 12.3(17b)BC5 12.3(21)BC 12.3JA 12.3(11)JA 12.3JEA 12.3(8)JEA 12.3JK Vulnerable; contact TAC 12.3JX Vulnerable; contact TAC 12.3T Vulnerable; migrate to 12.4(10) or later 12.3TPC Vulnerable; contact TAC 12.3XA Vulnerable; contact TAC 12.3XB Vulnerable; migrate to 12.4(10) or later 12.3XC Vulnerable; contact TAC 12.3XD Vulnerable; migrate to 12.4(10) or later 12.3XE Vulnerable; contact TAC 12.3XF Vulnerable; migrate to 12.4(10) or later 12.3XG Vulnerable; contact TAC 12.3XH Vulnerable; migrate to 12.4(10) or later 12.3XI Vulnerable; contact TAC 12.3XJ Vulnerable; migrate to 12.4(11)T or later 12.3XK Vulnerable; contact TAC 12.3XQ Vulnerable; migrate to 12.4(10) or later 12.3XR Vulnerable; contact TAC 12.3XS Vulnerable; migrate to 12.4(10) or later 12.3XU Vulnerable; migrate to 12.4(11)T or later 12.3XW Vulnerable; migrate to 12.4(11)T or later 12.3XX 12.3(8)XX2d 12.3YA Vulnerable; contact TAC 12.3YD Vulnerable; migrate to 12.4(11)T or later 12.3YF Vulnerable; migrate to 12.4(11)T or later 12.3YG Vulnerable; migrate to 12.4(11)T or later 12.3YH Vulnerable; migrate to 12.4(11)T or later 12.3YI Vulnerable; migrate to 12.4(11)T or later 12.3YK Vulnerable; migrate to 12.4(11)T or later 12.3YQ Vulnerable; migrate to 12.4(11)T or later 12.3YS Vulnerable; migrate to 12.4(11)T or later 12.3YT Vulnerable; migrate to 12.4(11)T or later 12.3YU Vulnerable; contact TAC 12.3YX Vulnerable; migrate to 12.4(11)T or later 12.3YZ Vulnerable; contact TAC Affected 12.4-Based Release Rebuild Maintenance 12.4 12.4(3g) 12.4(10) 12.4(7d) 12.4(8c) 12.4T 12.4(4)T6 12.4(11)T 12.4(6)T7 12.4(9)T3 12.4XA Vulnerable; contact TAC 12.4XB Vulnerable; contact TAC 12.4XC 12.4(4)XC4 12.4XD 12.4(4)XD5 12.4XE Vulnerable; contact TAC 12.4XP Vulnerable; contact TAC 12.4XT Vulnerable; contact TAC Workarounds The only way to prevent a device from being susceptible to the listed vulnerabilities is to disable the affected service(s). However, if regular maintenance and operation of the device relies on these services, there is no workaround. It is possible to mitigate these vulnerabilities by preventing unauthorized hosts from accessing affected devices. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory. This companion document is available at the following link: http://www.cisco.com/warp/public/707/cisco-air-20070522-SSL.shtml Control Plane Policing (CoPP) Control Plane Policing: IOS software versions that support Control Plane Policing (CoPP) can be configured to help protect the device from attacks that target the management and control planes. CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T. In the following CoPP example, the ACL entries that match the exploit packets with the permit action will be discarded by the policy-map drop function, while packets that match a "deny" action (not shown) are not affected by the policy-map drop function: ! Include deny statements up front for any protocols/ports/IP addresses that !-- should not be impacted by CoPP ! Include permit statements for the protocols/ports that will be governed by CoPP access-list 100 permit tcp any any eq 443 !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4 !-- traffic in accordance with existing security policies and !-- configurations for traffic that is authorized to be sent !-- to infrastructure devices. ! !-- Create a Class-Map for traffic to be policed by !-- the CoPP feature. ! class-map match-all drop-SSL-class match access-group 100 ! !-- Create a Policy-Map that will be applied to the !-- Control-Plane of the device. ! policy-map drop-SSL-policy class drop-SSL-class drop !-- Apply the Policy-Map to the Control-Plane of the !-- device. ! control-plane service-policy input drop-SSL-policy Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains, the policy-map syntax is different, as demonstrated by the following: policy-map drop-SSL-policy class drop-SSL-class police 32000 1500 1500 conform-action drop exceed-action drop NOTE: In the above CoPP example, the ACL entries with the "permit" action that match the exploit packets result in the discarding of those packets by the policy-map drop function, while packets that match the "deny" action are not affected by the policy-map drop function. Additional information on the configuration and use of the CoPP feature is available at the following links: http://www.cisco.com/en/US/products/ps6642/ products_white_paper0900aecd804fa16a.shtml and http://www.cisco.com/en/US/ products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html . Access Control List (ACL) An Access Control List (ACL) can be used to help mitigate attacks targeting these vulnerabilities. ACLs can specify that only packets from legitimate sources are permitted to reach a device, and all others are to be dropped. The following example shows how to allow legitimate SSL sessions from trusted sources and deny all other SSL sessions: access-list 101 permit tcp host host port 443 access-list 101 deny tcp any any port 443 Obtaining Fixed Software Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades. Customers with Service Contracts Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third-party Support Organizations Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. +1 800 553 2447 (toll free from within North America) +1 408 526 7209 (toll call from anywhere in the world) e-mail: tac@cisco.com Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this Advisory. These vulnerabilities were discovered by Cisco during internal testing. Status of This Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution This advisory is posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. cust-security-announce@cisco.com first-teams@first.org bugtraq@securityfocus.com vulnwatch@vulnwatch.org cisco@spot.colorado.edu cisco-nsp@puck.nether.net full-disclosure@lists.grok.org.uk comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History Revision 1.0 2007-May-22 Initial public release. [***** End Cisco Security Advisory Document ID: 91888 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Cisco for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) R-237: Trend Micro ServerProtect EarthAgent Vulnerability R-238: VIM Security Update R-239: Multiple Vulnerabilities in the IOS FTP Server R-240: Samba Security Update R-241: CA Anti-Virus for the Enterprise Securitiy Notice R-242: Security Vulnerability in Sun Remote Services (SRS) Net Connect Software R-243: Tomcat Security Update R-244: OPeNDAP Vulnerability CIACTech07-001: MOICE - Microsoft Office Isolated Conversion Environment R-245: Vulnerability in Crypto Library