Reported October 1, 2003 by Cisco.

 

 

VERSIONS AFFECTED

 

  • Cisco IOS 12.1(11)E and later in the 12.1E release train with crypto images (56i and k2)

  • Cisco PIX Firewall

  • Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series and Cisco 7600 Series routers

  • Cisco Network Analysis Modules (NAM) for the Cisco Catalyst 6000 and 6500 Series switches and Cisco 7600 Series routers

  • Cisco Content Service Switch (CSS) 11000 series

  • Cisco Global Site Selector (GSS) 4480

  • Cisco Application & Content Networking Software (ACNS)

  • Cisco SN 5428 Storage Router

  • CiscoWorks 1105 Hosting Solution Engine (HSE)

  • CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)

  • CiscoWorks Common Services (CMF)

  • Cisco SIP Proxy Server (SPS)

 

 

DESCRIPTION

 

OpenSSL is a component used in the above products manufactured by Cisco. Multiple vulnerabilities in OpenSSL that can result in a Denial of Service (DoS) condition or execution of arbitrary code on the vulnerable system. These vulnerabilities are as follows:
 
·         Certain ASN.1 encodings that the parser rejects as invalid can trigger a bug in the deallocation of the corresponding data structure, thereby corrupting the stack. The vulnerability can permit a DoS attack. the potential for exploiting this vulnerability to run malicious code is unknown. This problem doesn't affect OpenSSL 0.9.6.
 
·         Unusual ASN.1 tag values can cause an out-of-bounds read under certain circumstances, resulting in a DoS vulnerability.
 
·         A malformed public key in a certificate can crash the verify code if it's set to ignore public-key decode errors. Public-key decode errors aren't typically ignored, except for debugging purposes, so this vulnerability is unlikely to affect production code. Exploitation of an affected application can result in a DoS vulnerability.
 
 

VENDOR RESPONSE

 

Cisco has released a security bulletin concerning these vulnerabilities and recommends that affected customers obtain a patch, when it becomes available, through normal support channels.

 

CREDIT          
Discovered by UK National Infrastructure Security Co-Ordination Centre.