SSL vulnerability could bring down Cisco LAN/WAN gear

Cisco Systems Inc. warned that an implementation of Secure Sockets Layer on some of its switches, routers and firewalls could leave these devices vulnerable to a denial-of-service attack.

A warning posted on Cisco’s Web site Wednesday says that some hardware and software products with HTTPS servers running OpenSSL (used for management and configuration) could be brought down by an attack designed to crash the HTTPS server on the affected device. Cisco posted a software fix for the problem.

Affected products include Cisco IOS 12.1(11)E, and 12.2SY “crypto” release versions and sub-releases. Products running this IOS image could include Cisco Catalyst 6500 switches and the firewall module for the Catalyst 6500, Cisco 7100 and 7200 series routers, PIX firewalls, Content Service Switches and the MDS 9000 series storage switches and Global Site Selector 4480. Software affected by the vulnerability includes the CiscoWorks Common Services 2.2, and Management Foundation 2.1 platforms and Cisco Access Registrar, a RADIUS remote access server.

Cisco said that an attacker could exploit the OpenSSL weakness on these products by “carefully crafting” a special SSL/TSL handshake against the HTTPS server that would cause it crash. This HTTPS crash would then cause the device to reset. Performing this attack repeatedly could make the device unavailable until the problem is fixed, or the attack stops. Cisco devices using Secure Shell (SSH) for secure access are not affected by the vulnerability, the vendor said.

PIX firewall Vversion 6.0 is affected, but not Version 5.0, which doesn’t support OpenSSL, Cisco said. Not all Cisco products using OpenSSL code are vulnerable to the attack either, the company added. A complete list of OpenSSL-enabled products that are affected, and not affected, is on Cisco’s Web site.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now