Reported September 12, 2001, by Cisco Systems.

VERSIONS AFFECTED

  • Cisco Systems Internet Content Distribution Network (iCDN) 2.0

DESCRIPTION
A vulnerability exists in Cisco’s Internet Content Distribution Network (iCDN) that can result in unauthorized access over Secure Sockets Layer (SSL) through cached credentials. If an error occurs during the client/server handshake over the SSL connection, the server might store the session's ID in the cache rather than discarding it. If the same client attempts a second connection, the server cache already contains the session ID, so the server performs the shorter version of the SSL handshake. As a result, the server skips the client authentication phase, and the connection continues as if the client had successfully authenticated.
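
The following simplified model of the session-cache behavior described above is an added illustration, not code from iCDN or from the RSA BSAFE SSL-J library. The class, method, and parameter names are hypothetical, and the certificate check is reduced to a boolean.

```python
import secrets


class SessionCacheModel:
    """Toy model of a server-side SSL session cache (hypothetical names)."""

    def __init__(self, discard_on_error):
        # discard_on_error=False models the flawed behavior in the advisory;
        # discard_on_error=True models the corrected behavior.
        self.discard_on_error = discard_on_error
        self.cache = {}  # session ID -> client identity

    def full_handshake(self, client, cert_valid):
        """Full handshake with a client-authentication phase.

        Returns (session_id, ok). The server picks the session ID early in
        the handshake, so the client knows it even if the handshake fails.
        """
        session_id = secrets.token_hex(16)
        if cert_valid:
            self.cache[session_id] = client      # success: resumable session
        elif not self.discard_on_error:
            self.cache[session_id] = client      # flaw: failed session kept
        # corrected path: a failed handshake leaves nothing in the cache
        return session_id, cert_valid

    def resume(self, client, session_id):
        """Abbreviated handshake: a cache hit skips client authentication."""
        return self.cache.get(session_id) == client


def second_connection_accepted(discard_on_error):
    """Fail client authentication once, then try to resume that session."""
    server = SessionCacheModel(discard_on_error)
    session_id, ok = server.full_handshake("client-A", cert_valid=False)
    assert not ok
    return server.resume("client-A", session_id)


def legitimate_resume_works(discard_on_error):
    """A session from a successful handshake must remain resumable."""
    server = SessionCacheModel(discard_on_error)
    session_id, ok = server.full_handshake("client-A", cert_valid=True)
    return ok and server.resume("client-A", session_id)


if __name__ == "__main__":
    print("flawed cache accepts resumed session:   ", second_connection_accepted(False))
    print("corrected cache accepts resumed session:", second_connection_accepted(True))
    print("legitimate resumption still works:      ", legitimate_resume_works(True))
```
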

 

VENDOR RESPONSE

Cisco has issued a notice regarding this vulnerability and recommends that users of version 2.0 upgrade to version 2.0.1 through normal support channels. Versions of iCDN prior to 2.0 are not affected because these prior releases don't use the vulnerable RSA BSAFE SSL-J library.

 

CREDIT
Discovered by Cisco Systems.