Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Cisco 11500 Content Services Switch SSL DoS

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Cisco 11500 Content Services Switch SSL DoS
Date: 20 Oct 2005 12:00:29 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Cisco 11500 Content Services Switch SSL DoS
------------------------------------------------------------------------


SUMMARY

"The  <http://www.cisco.com/en/US/products/hw/contnetw/ps792/index.html> 
Cisco CSS 11500 Series Content Services Switch is a high-performance, 
high-availability modular architecture for Web infrastructures. "

Cisco CSS 11500 Series Content Services Switches (CSS) configured with 
Secure Socket Layer (SSL) termination services are vulnerable to a Denial 
of Service (DoS) attack when processing malformed client certificates.

DETAILS

Vulnerable Systems:
 * Cisco WebNS operating system version 7.1
 * Cisco WebNS operating system version 7.2
 * Cisco WebNS operating system version 7.3
 * Cisco WebNS operating system version 7.4
 * Cisco WebNS operating system version 7.5

Immune Systems:
 * Cisco WebNS operating system version 7.30.4.02
 * Cisco WebNS operating system version 7.40.2.02
 * Cisco WebNS operating system version 7.50.1.03

The Cisco CSS 11500 performs an analysis of protocol headers and directs 
requests to an appropriate resource based on configurable policies. With 
integrated SSL modules.
The CSS may reload due to a memory corruption issue when presented with a 
malformed digital client certificate during the negotiation of a SSL 
session. This condition is present even if the CSS did not request a 
client certificate during SSL session negotiations.
This vulnerability is only present if a CSS is configured to support SSL 
termination services. SSL termination services are not configured by 
default.

Users can determine if SSL termination services are configured on a CSS by 
performing the following steps.

 * View the current running configuration:
          # show running-config

 * In the Services section of the configuration, users can find enabled 
SSL termination services. An example of an enabled SSL termination service 
called ssl-serv1 will look similar to the following. The type command with 
the option ssl-accel or ssl-accel-backend indicates that the service is 
associated with a SSL module, and the active command signifies that a SSL 
termination service is enabled.

        service ssl-serv1
                type ssl-accel
                slot 3
                keepalive type none
                add ssl-proxy-list ssl list1
                active

Successful exploitation of the vulnerability may result in the immediate 
reload of the device. Repeated exploitation could result in a sustained 
DoS attack.

Workarounds:
The effectiveness of any workaround is dependent on specific users 
situations such as product mix, network topology, traffic behavior, and 
organizational mission. Due to the variety of affected products and 
releases, customers should consult with their service provider or support 
organization to ensure any applied workaround is the most
appropriate for use in the intended network before it is deployed.

If upgrading to a fixed version of Cisco WebNS software is not possible, 
the following workarounds are available.

 * Disable SSL termination for network services if not needed.
In service configuration mode, a user can disable a SSL service using the 
following commands. ssl-serv1 is the name of a user defined SSL service.

  (config)# no service ssl-serv1
  Delete service <ssl>, [y/n]:y

 
<http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_book09186a008027ab4e.html>
 Documentation for configuring SSL services on a CSS running Cisco WebNS 7.40.

 
<http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_book09186a0080405453.html>
 Documentation for configuring SSL services on a CSS running Cisco WebNS 7.50.

 * Use Access Control Lists (ACL) on a CSS or network device in front of a 
CSS to restrict access to SSL terminated services to trusted networks.
 
<http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a008029b1db.html#wp1133930>
 Documentation for configuring an ACL on a CSS running Cisco WebNS 7.40.

 
<http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a008040aeb9.html#wp1133930>
 Documentation for configuring an ACL on a CSS running Cisco WebNS 7.50

Vendor Status:
When considering software upgrades, consult  
<http://www.cisco.com/en/US/products/products_security_advisories_listing.html> 
http://www.cisco.com/en/US/products/products_security_advisories_listing.html 
and any subsequent advisories to determine exposure and a complete upgrade 
solution.

In all cases, customers should exercise caution to be certain the devices 
to be upgraded contain sufficient memory and that current hardware and 
software configurations will continue to be supported properly by the new 
release. If the information is not clear, contact the Cisco Technical 
Assistance Center ("TAC") for assistance.

 * Cisco WebNS operating system version 7.3 should be upgraded into 
version 7.30.4.02 or newer
 * Cisco WebNS operating system version 7.4 should be upgraded into 
version 7.40.2.02 or newer
 * Cisco WebNS operating system version 7.5 should be upgraded into 
version 7.50.1.03 or newer

Users that running Cisco WebNS 7.10 and 7.20 are encouraged to upgrade CSS 
platforms to a fixed version of Cisco WebNS 7.30 or greater. Fixed 
software may be obtained by registered users at  
<http://www.cisco.com/pcgi-bin/tablebuild.pl/css11500-maint> 
http://www.cisco.com/pcgi-bin/tablebuild.pl/css11500-maint


ADDITIONAL INFORMATION

The information has been provided by  <mailto:psirt@cisco.com> Cisco 
Security Team.
The original article can be found at:  
<http://www.cisco.com/warp/public/707/cisco-sa-20051019-css.shtml> 
http://www.cisco.com/warp/public/707/cisco-sa-20051019-css.shtml



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Cisco 11500 Content Services Switch SSL DoS, SecuriTeam <=
Previous by Date:  [EXPL] IIS RSA WebAgent Redirect Buffer Overflow Exploit, SecuriTeam
Next by Date:  [TOOL] swArpMon - ARP Monitor, SecuriTeam
Previous by Thread:  [EXPL] IIS RSA WebAgent Redirect Buffer Overflow Exploit, SecuriTeam
Next by Thread:  [TOOL] swArpMon - ARP Monitor, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]