Multiple Cisco products among those clobbered by OpenSSL flaw

Edmund X. DeJesus, Contributing Writer

Cisco switches, routers and firewalls are vulnerable to attack due to a problem in OpenSSL that has other software vendors scrambling to cope. Failure to deal with the problem can leave systems open to remote denial of service (DoS).

Multiple products with HTTPS servers running OpenSSL are vulnerable to a remote DoS attack. OpenSSL is an open source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols for security and cryptographic applications.

A specially formed SSL/TLS handshake can trigger a vulnerability in the do_change_cipher_spec function in OpenSSL (versions 0.9.6c through 0.9.6k, and 0.9.7a through 0.9.7c), allowing a remote attacker to force a null-pointer assignment that crashes or resets the hardware, causing a DoS.
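As an added example (not from the article, Cisco or the OpenSSL project), the following inventory check flags banners whose OpenSSL version falls inside the two ranges quoted above. The host names and banner strings are constructed, and a "not-listed" result only means the version is outside the ranges this article gives.

```python
import re

# Inclusive affected ranges, exactly as the article states them.
AFFECTED = [("0.9.6c", "0.9.6k"), ("0.9.7a", "0.9.7c")]

_CORE = r"(\d+)\.(\d+)\.(\d+)([a-z]*)"
_BARE = re.compile(rf"^{_CORE}$")
# Matches "OpenSSL 0.9.7b" or "OpenSSL/0.9.7b" inside a longer banner.
_BANNER = re.compile(rf"OpenSSL[ /]{_CORE}(?![A-Za-z0-9])")


def _key(match):
    """Turn regex groups into a sortable tuple; '' < 'a' < ... < 'z' < 'za'."""
    major, minor, fix, letters = match.groups()
    return (int(major), int(minor), int(fix), letters)


_RANGES = [(_key(_BARE.match(lo)), _key(_BARE.match(hi))) for lo, hi in AFFECTED]


def classify(banner):
    """Return 'affected', 'not-listed' or 'unknown' for one banner string."""
    m = _BANNER.search(banner)
    if m is None:
        return "unknown"  # no parsable OpenSSL version: needs manual review
    version = _key(m)
    hit = any(lo <= version <= hi for lo, hi in _RANGES)
    return "affected" if hit else "not-listed"


def audit(inventory):
    """Map 'host<space>banner' lines to {host: status}."""
    results = {}
    for line in inventory.strip().splitlines():
        host, _, banner = line.strip().partition(" ")
        results[host] = classify(banner)
    return results


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = """
edge-fw-01 OpenSSL 0.9.7b
core-sw-02 OpenSSL 0.9.6b
web-03 Server: Apache mod_ssl OpenSSL/0.9.7c
mgmt-04 OpenSSL 0.9.7d
lab-05 OpenSSL 0.9.6l
jump-06 OpenSSH_3.7.1p2
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:12} {status}")
```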

The problem affects Cisco IOS, Cisco PIX, Cisco Firewall Services Module for the Cisco Catalyst, Cisco MDS Multilayer Switch, Cisco Content Service Switch, Cisco Global Site Selector, CiscoWorks Common Services, CiscoWorks Common Management Foundation and Cisco Access Registrar (see Cisco site for version details).

Devices that use Secure Shell (SSH) instead of OpenSSL for secure access aren't affected by this vulnerability.

Limited workarounds are possible, including restricting access to the HTTPS server and disabling the SSL server or service. Cisco has provided fixes for these problems.

Cisco isn't alone in dealing with the OpenSSL problem. Vendors including Debian, EnGarde, FreeBSD, Gentoo, Kerberos, Mandrake, Red Hat, Slackware and SuSE are all struggling to deal with its consequences.

