Reported October 1, 2003 by Cisco.
VERSIONS AFFECTED
· Cisco IOS 12.1(11)E and later in the 12.1E release train with crypto images (56i and k2)
· Cisco PIX Firewall
· Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series and Cisco 7600 Series routers
· Cisco Network Analysis Modules (NAM) for the Cisco Catalyst 6000 and 6500 Series switches and Cisco 7600 Series routers
· Cisco Content Service Switch (CSS) 11000 series
· Cisco Global Site Selector (GSS) 4480
· Cisco Application & Content Networking Software (ACNS)
· Cisco SN 5428 Storage Router
· CiscoWorks 1105 Hosting Solution Engine (HSE)
· CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)
· CiscoWorks Common Services (CMF)
· Cisco SIP Proxy Server (SPS)
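For inventory triage, the IOS criterion above ("12.1(11)E and later in the 12.1E release train with crypto images") can be checked against `show version` banner lines. This is an added example, not Cisco's code; the sample banners are constructed, and it assumes the crypto designators 56i and k2 appear in the feature-set field of the image name.

```python
import re

# Classic IOS banner from "show version": image name in parentheses, then the version.
BANNER = re.compile(
    r"Software \((?P<image>[^)]+)\), Version "
    r"(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)[a-z]?\)(?P<train>[A-Z]*)"
)

def parse_banner(line):
    """Return (image, major, minor, maint, train), or None if not an IOS banner."""
    m = BANNER.search(line)
    if not m:
        return None
    return (m["image"], int(m["major"]), int(m["minor"]), int(m["maint"]), m["train"])

def is_crypto_image(image):
    """Assumption: image is platform-featureset-format, crypto shown as k2 or 56i."""
    parts = image.lower().split("-")
    feature_set = parts[-2] if len(parts) >= 3 else ""
    return "k2" in feature_set or "56i" in feature_set

def in_advisory_scope(line):
    """True/False for a parsed banner, None when the line cannot be parsed."""
    parsed = parse_banner(line)
    if parsed is None:
        return None
    image, major, minor, maint, train = parsed
    # Exact train "E" (12.1EA and others are different trains), maintenance >= 11.
    in_train = (major, minor, train) == (12, 1, "E") and maint >= 11
    return in_train and is_crypto_image(image)

# Constructed sample banners (not taken from real devices).
SAMPLES = [
    "IOS (tm) c6sup2_rp Software (c6sup2_rp-JK2SV-M), Version 12.1(13)E4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)",
    "IOS (tm) c6sup2_rp Software (c6sup2_rp-JSV-M), Version 12.1(13)E4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)",
    "IOS (tm) c6sup2_rp Software (c6sup2_rp-JK2SV-M), Version 12.1(8a)E5, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)",
    "IOS (tm) C3550 Software (C3550-I5K2L2Q3-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)",
    "IOS (tm) 7200 Software (C7200-IS56I-M), Version 12.1(11)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)",
    "router uptime is 3 weeks, 2 days",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(in_advisory_scope(banner), "|", banner[:60])
```

A `True` result only means the image matches the affected-version statement; this page does not list fixed releases, so matches still have to be compared against Cisco's bulletin.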
DESCRIPTION
OpenSSL is a component used in the above products manufactured by Cisco. Multiple vulnerabilities in OpenSSL can result in a Denial of Service (DoS) condition or execution of arbitrary code on the vulnerable system. These vulnerabilities are as follows:
· Certain ASN.1 encodings that the parser rejects as invalid can trigger a bug in the deallocation of the corresponding data structure, thereby corrupting the stack. The vulnerability can permit a DoS attack. The potential for exploiting this vulnerability to run malicious code is unknown. This problem doesn't affect OpenSSL 0.9.6.
· Unusual ASN.1 tag values can cause an out-of-bounds read under certain circumstances, resulting in a DoS vulnerability.
· A malformed public key in a certificate can crash the verify code if it's set to ignore public-key decode errors. Public-key decode errors aren't typically ignored, except for debugging purposes, so this vulnerability is unlikely to affect production code. Exploitation of an affected application can result in a DoS vulnerability.
VENDOR RESPONSE
Cisco has released a security bulletin concerning these vulnerabilities and recommends that affected customers obtain a patch, when it becomes available, through normal support channels.
CREDIT
Discovered by UK National Infrastructure Security Co-Ordination Centre.
Multiple Vulnerabilities in OpenSSL Component of Cisco Devices