Reported September 12, 2001, by Cisco Systems.
VERSIONS AFFECTED
-
Cisco Systems Internet Content Distribution Network (iCDN) 2.0
DESCRIPTION
A
vulnerability exists in Cisco’s Internet Content Distribution Network (iCDN)
that can result in authorized access over Secured Sockets Layer (SSL) through
cached credentials. If an error occurs during the client/server handshake over
the SSL connection, the server might store the session's ID in the cache rather
than discarding it. If the same client attempts a second connection, the server
cache already contains the session ID and performs the shorter version of the
SSL handshake. As a result, the server skips the client authentication phase,
and the connection continues as if the client had successfully authenticated.
VENDOR RESPONSE
Cisco has issued a notice regarding this vulnerability and recommends that users of version 2.0 upgrade to version 2.0.1 through normal support channels. Versions of ICDN prior to 2.0 are not affected because these prior releases don't use the vulnerable RSA BSAFE SSL-J library.
CREDIT
Discovered by Cisco Systems.