From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 20 Oct 2005 12:00:29 +0200
Subject: [NEWS] Cisco 11500 Content Services Switch SSL DoS
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20051020103716.56AC357D4@mail.tyumen.ru>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cisco 11500 Content Services Switch SSL DoS
------------------------------------------------------------------------
SUMMARY
"The Cisco CSS 11500 Series Content Services Switch is a high-performance,
high-availability modular architecture for Web infrastructures."
(<http://www.cisco.com/en/US/products/hw/contnetw/ps792/index.html>)
Cisco CSS 11500 Series Content Services Switches (CSS) configured with
Secure Socket Layer (SSL) termination services are vulnerable to a Denial
of Service (DoS) attack when processing malformed client certificates.
DETAILS
Vulnerable Systems:
* Cisco WebNS operating system version 7.1
* Cisco WebNS operating system version 7.2
* Cisco WebNS operating system version 7.3
* Cisco WebNS operating system version 7.4
* Cisco WebNS operating system version 7.5
Immune Systems:
* Cisco WebNS operating system version 7.30.4.02
* Cisco WebNS operating system version 7.40.2.02
* Cisco WebNS operating system version 7.50.1.03
The Cisco CSS 11500 performs an analysis of protocol headers and directs
requests to an appropriate resource based on configurable policies, and can
be equipped with integrated SSL modules.
The CSS may reload due to a memory corruption issue when presented with a
malformed digital client certificate during the negotiation of an SSL
session. This condition is present even if the CSS did not request a
client certificate during SSL session negotiation.
This vulnerability is only present if a CSS is configured to support SSL
termination services. SSL termination services are not configured by
default.
Users can determine if SSL termination services are configured on a CSS by
performing the following steps.
* View the current running configuration:
# show running-config
* In the Services section of the configuration, look for enabled SSL
termination services. An enabled SSL termination service called ssl-serv1
will look similar to the following. The type command with the option
ssl-accel or ssl-accel-backend indicates that the service is associated
with an SSL module, and the active command signifies that the SSL
termination service is enabled.
  service ssl-serv1
    type ssl-accel
    slot 3
    keepalive type none
    add ssl-proxy-list ssl list1
    active
Successful exploitation of the vulnerability may result in the immediate
reload of the device. Repeated exploitation could result in a sustained
DoS attack.
Workarounds:
The effectiveness of any workaround depends on the specific user's
situation, such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and
releases, customers should consult with their service provider or support
organization to ensure that any applied workaround is the most appropriate
for the intended network before it is deployed.
If upgrading to a fixed version of Cisco WebNS software is not possible,
the following workarounds are available.
* Disable SSL termination for network services if not needed.
In service configuration mode, a user can disable an SSL service with the
following commands, where ssl-serv1 is the name of a user-defined SSL service:
  (config)# no service ssl-serv1
  Delete service <ssl>, [y/n]:y
Documentation for configuring SSL services on a CSS running Cisco WebNS 7.40:
<http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_book09186a008027ab4e.html>
Documentation for configuring SSL services on a CSS running Cisco WebNS 7.50:
<http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_book09186a0080405453.html>
* Use Access Control Lists (ACL) on a CSS or network device in front of a
CSS to restrict access to SSL terminated services to trusted networks.
Documentation for configuring an ACL on a CSS running Cisco WebNS 7.40:
<http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a008029b1db.html#wp1133930>
Documentation for configuring an ACL on a CSS running Cisco WebNS 7.50:
<http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a008040aeb9.html#wp1133930>
Vendor Status:
When considering software upgrades, consult
<http://www.cisco.com/en/US/products/products_security_advisories_listing.html>
and any subsequent advisories to determine exposure and a complete upgrade
solution.
In all cases, customers should exercise caution to be certain the devices
to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco Technical
Assistance Center ("TAC") for assistance.
* Cisco WebNS operating system version 7.3 should be upgraded to
version 7.30.4.02 or newer
* Cisco WebNS operating system version 7.4 should be upgraded to
version 7.40.2.02 or newer
* Cisco WebNS operating system version 7.5 should be upgraded to
version 7.50.1.03 or newer
Users running Cisco WebNS 7.10 and 7.20 are encouraged to upgrade CSS
platforms to a fixed version of Cisco WebNS 7.30 or greater. Fixed
software may be obtained by registered users at
<http://www.cisco.com/pcgi-bin/tablebuild.pl/css11500-maint>
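The two checks this advisory asks an operator to make by hand, the Services-section test (a service whose type is ssl-accel or ssl-accel-backend and that is active) and the comparison of the running WebNS build against the fixed releases listed under Vendor Status, combined into one script. This is an added example, not part of the SecuriTeam or Cisco advisory; the running-config excerpt is constructed, and the version logic assumes WebNS build strings shaped like those quoted above (7.30.4.02), with "7.3" as shorthand for the 7.30 train.

```python
import re
# Constructed sample "show running-config" excerpt (not from the advisory): ssl-serv1
# is an active SSL termination service, ssl-serv2 is configured but never activated,
# and the last "active" belongs to a content rule, not to a service.
SAMPLE_CONFIG = """\
service ssl-serv1
  type ssl-accel
  slot 3
  keepalive type none
  add ssl-proxy-list ssl list1
  active
service ssl-serv2
  type ssl-accel-backend
owner demo
  content rule1
    add service ssl-serv1
    active
"""
# First fixed WebNS build per 7.x train, from the advisory; 7.1 and 7.2 have no
# fixed build of their own and must move to 7.30.4.02 or later.
FIXED = {3: (7, 30, 4, 2), 4: (7, 40, 2, 2), 5: (7, 50, 1, 3)}
SECTION_STARTS = ("owner ", "content ", "ssl-proxy-list ", "acl ", "group ")

def active_ssl_services(config):
    """Names of services typed ssl-accel/ssl-accel-backend that are active."""
    services, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"^service\s+(\S+)$", line):
            name = m.group(1)                  # a new service block starts
            services[name] = {"type": None, "active": False}
        elif line.startswith(SECTION_STARTS):
            name = None                        # left the service section
        elif name and line.startswith("type "):
            services[name]["type"] = line.split()[1]
        elif name and line == "active":
            services[name]["active"] = True
    return sorted(n for n, s in services.items()
                  if s["type"] in ("ssl-accel", "ssl-accel-backend") and s["active"])

def version_is_fixed(ver):
    """True once a 7.x build is at or above its train's fixed build ('7.3' = 7.30)."""
    parts = [int(p) for p in ver.split(".")]
    if len(parts) == 2 and parts[1] < 10:      # train shorthand such as "7.3"
        parts[1] *= 10
    v = tuple(parts + [0] * (4 - len(parts)))
    fixed = FIXED.get(v[1] // 10)
    return fixed is not None and v >= fixed

def exposed(config, ver):  # vulnerable only if SSL termination is active AND unfixed
    return bool(active_ssl_services(config)) and not version_is_fixed(ver)
```

A CSS with no active ssl-accel service is not exposed whatever its build; one with such a service is exposed until its train's fixed build (or, for 7.1/7.2, 7.30.4.02 or later) is running.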
ADDITIONAL INFORMATION
The information has been provided by the Cisco Security Team
(<mailto:psirt@cisco.com>).
The original article can be found at:
<http://www.cisco.com/warp/public/707/cisco-sa-20051019-css.shtml>