Reported October 1, 2003 by Cisco.

 

 

VERSIONS AFFECTED

 

  • Cisco IOS 12.1(11)E and later in the 12.1E release train with crypto images (56i and k2)

  • Cisco PIX Firewall

  • Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series and Cisco 7600 Series routers

  • Cisco Network Analysis Modules (NAM) for the Cisco Catalyst 6000 and 6500 Series switches and Cisco 7600 Series routers

  • Cisco Content Service Switch (CSS) 11000 series

  • Cisco Global Site Selector (GSS) 4480

  • Cisco Application & Content Networking Software (ACNS)

  • Cisco SN 5428 Storage Router

  • CiscoWorks 1105 Hosting Solution Engine (HSE)

  • CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)

  • CiscoWorks Common Services (CMF)

  • Cisco SIP Proxy Server (SPS)

 

 

DESCRIPTION

 

<span style="font-family:Verdana">OpenSSL is a component used in the above products manufactured by Cisco. Multiple vulnerabilities in OpenSSL that can result in a Denial of Service (DoS) condition or execution of arbitrary code on the vulnerable system. These vulnerabilities are as follows:</h3> <span style="font-family:Verdana"> </h3> <span style="font-family: Symbol">·<span style='font:7.0pt "Times New Roman"'>         </h3></h3><span style="font-family:Verdana">Certain ASN.1 encodings that the parser rejects as invalid can trigger a bug in the deallocation of the corresponding data structure, thereby corrupting the stack. The vulnerability can permit a DoS attack. the potential for exploiting this vulnerability to run malicious code is unknown. This problem doesn't affect OpenSSL 0.9.6.</h3> <span style="font-family:Verdana"> </h3> <span style="font-family: Symbol">·<span style='font:7.0pt "Times New Roman"'>         </h3></h3><span style="font-family:Verdana">Unusual ASN.1 tag values can cause an out-of-bounds read under certain circumstances, resulting in a DoS vulnerability.</h3> <span style="font-family:Verdana"> </h3> <span style="font-family: Symbol">·<span style='font:7.0pt "Times New Roman"'>         </h3></h3><span style="font-family:Verdana">A malformed public key in a certificate can crash the verify code if it's set to ignore public-key decode errors. Public-key decode errors aren't typically ignored, except for debugging purposes, so this vulnerability is unlikely to affect production code. Exploitation of an affected application can result in a DoS vulnerability.</h3> <span style="font-family:Verdana"> </h3> <span style="font-family:Verdana"> </h3>

VENDOR RESPONSE

 

<span style="font-family:Verdana"><a href="http://www.cisco.com/" style="color: blue; text-decoration: underline; text-underline: single">Cisco</a> has released a <a href="http://www.cisco.com/warp/public/707/cisco-sa-20030930-ssl.shtml" style="color: blue; text-decoration: underline; text-underline: single">security bulletin</a> concerning these vulnerabilities and recommends that affected customers obtain a patch, when it becomes available, through normal support channels.</h3>

 

CREDIT          
Discovered by UK National Infrastructure Security Co-Ordination Centre.