
Multiple Cisco products among those clobbered by OpenSSL flaw

By Edmund X. DeJesus, Contributing Writer
18 Mar 2004 | SearchSecurity.com


Cisco switches, routers and firewalls are vulnerable to attack due to a problem in OpenSSL that has other software vendors scrambling to cope. Failure to deal with the problem can leave systems open to remote denial of service (DoS).

Multiple products with HTTPS servers running OpenSSL are vulnerable to a remote DoS attack. OpenSSL is an open source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols for security and cryptographic applications.

For more information

Click here for the Cisco advisory or here for the fix.

For information about other products affected by the flaw, see below:

Debian
EnGarde
FreeBSD
Gentoo
Kerberos
Mandrake
Red Hat
Slackware
SuSE

A vulnerability in the do_change_cipher_spec function in OpenSSL (versions 0.9.6c through 0.9.6k, and 0.9.7a through 0.9.7c) can allow a remote attacker, using a specially formed SSL/TLS handshake, to force a null-pointer assignment that crashes or resets the hardware, causing a DoS.

The problem affects Cisco IOS, Cisco PIX, Cisco Firewall Services Module for the Cisco Catalyst, Cisco MDS Multilayer Switch, Cisco Content Service Switch, Cisco Global Site Selector, CiscoWorks Common Services, CiscoWorks Common Management Foundation and Cisco Access Registrar (see Cisco site for version details).

Devices that use Secure Shell (SSH) instead of OpenSSL for secure access aren't affected by this vulnerability.

Limited workarounds are possible, including restricting access to the HTTPS server and disabling the SSL server or service. Cisco has provided fixes for these problems.

Cisco isn't alone in dealing with the OpenSSL problem. Vendors including Debian, EnGarde, FreeBSD, Gentoo, Kerberos, Mandrake, Red Hat, Slackware and SuSE are all struggling to deal with its consequences.
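For triaging an inventory against the OpenSSL version ranges quoted above, the following is an added example, not code from the article, Cisco or the OpenSSL project. It also accepts server banners as well as plain version strings; the function names, hostnames and banners are constructed for illustration.

```python
import re

# Affected OpenSSL ranges exactly as the article states them (inclusive).
AFFECTED_RANGES = [("0.9.6c", "0.9.6k"), ("0.9.7a", "0.9.7c")]

# Require the "OpenSSL" token so other versions in a banner (Apache, mod_ssl)
# or look-alikes such as OpenSSH are never mistaken for the library version.
_VERSION_RE = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]?)\b", re.I)


def parse_version(text):
    """Return a sortable tuple for e.g. 'OpenSSL 0.9.7c 30 Sep 2003', else None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    # Patch letters order releases: 0.9.7 < 0.9.7a < 0.9.7b ...
    patch = ord(letter.lower()) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def is_affected(text):
    """True/False if the version is inside/outside the ranges, None if unparseable."""
    v = parse_version(text)
    if v is None:
        return None
    return any(
        parse_version("OpenSSL " + lo) <= v <= parse_version("OpenSSL " + hi)
        for lo, hi in AFFECTED_RANGES
    )


def triage(inventory):
    """Map each host to 'affected', 'not in range' or 'unknown'."""
    labels = {True: "affected", False: "not in range", None: "unknown"}
    return {host: labels[is_affected(banner)] for host, banner in inventory.items()}


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = {
    "web1.example.net": "Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c",
    "web2.example.net": "OpenSSL 0.9.6b [engine] 9 Jul 2001",
    "mgmt.example.net": "OpenSSL 0.9.6k 30 Sep 2003",
    "jump.example.net": "SSH-2.0-OpenSSH_3.7.1p2",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:20} {status}")
```

A version string is only a first-pass signal: distributors can backport a fix without changing the upstream version number, so confirm each "affected" or "not in range" result against the vendor's own advisory.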
