(Cisco Fixes Cisco Secure Content Accelerator) Re: OpenSSL Has Multiple Buffer Overflows That Allow Remote Users to Execute Arbitrary Code with Root Privileges
SecurityTracker Alert ID: 1005357
SecurityTracker URL: http://securitytracker.com/id/1005357
CAN-2002-0655, CAN-2002-0656, CAN-2002-0657, CAN-2002-0659
Date: Oct 4 2002
Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): SCA 11000 series; prior to 126.96.36.199
Four buffer overflow conditions were reported in OpenSSL. The Cisco Secure Content Accelerator is reportedly affected and may crash and reboot when an exploit is attempted.
The vendor has reported that A.L. Digital Ltd and The Bunker have uncovered multiple buffer overflows in OpenSSL, discovered during a security review.
A remote user could create a specially crafted, oversized client master key and use SSL2 to trigger an overflow on an SSL server. According to the report, this vulnerability was independently discovered by Neohapsis, which has confirmed that the overflow can be exploited to execute arbitrary code.
A remote user with an SSL server could create a specially crafted, oversized session ID and supply this ID to a target client using SSL3 to trigger an overflow.
A remote user could supply a specially crafted, oversized master key to an SSL3 server to trigger an overflow. It is reported that this flaw affects OpenSSL 0.9.7 prior to version 0.9.7-beta3 when Kerberos is enabled.
Several buffers used for ASCII representations of integers are reportedly too small on 64 bit platforms.
The report also states that other potential buffer overflows that are currently considered to be non-exploitable have been discovered.
The vendor notes that Adi Stav and James Yonan independently reported that the ASN1 parser can be confused by certain invalid encodings, potentially allowing a remote user to cause denial of service conditions. OpenSSL-based applications that use the ASN1 library to parse untrusted data (including all SSL or TLS applications using S/MIME [PKCS#7] or certificate generation routines) are affected.
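The oversized-field overflows described above come down to copying by a length the peer declares. The following added example (not code from OpenSSL, Cisco or the original alert) shows a bounds-checked parse of an SSL 2.0 CLIENT-MASTER-KEY message; the field layout follows the SSL 2.0 message format, while the buffer limits, the struct and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limits are assumptions for this example, not values taken from OpenSSL. */
#define MAX_CLEAR_KEY 16
#define MAX_ENC_KEY   256
#define MAX_KEY_ARG   8
#define HDR_LEN       10   /* type(1) + cipher kind(3) + three 16-bit lengths */

struct client_master_key {
    uint8_t cipher_kind[3];
    uint8_t clear_key[MAX_CLEAR_KEY], enc_key[MAX_ENC_KEY], key_arg[MAX_KEY_ARG];
    size_t clear_len, enc_len, arg_len;
};

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Returns 0 on success, -1 if the message is malformed or oversized. */
int parse_client_master_key(const uint8_t *msg, size_t len,
                            struct client_master_key *out)
{
    if (len < HDR_LEN || msg[0] != 2)   /* 2 = CLIENT-MASTER-KEY message type */
        return -1;
    size_t clear = be16(msg + 4), enc = be16(msg + 6), arg = be16(msg + 8);
    /* Bound each peer-declared length by its destination buffer first. */
    if (clear > MAX_CLEAR_KEY || enc > MAX_ENC_KEY || arg > MAX_KEY_ARG)
        return -1;
    /* Then require the declared lengths to match the bytes actually received. */
    if (clear + enc + arg != len - HDR_LEN)
        return -1;
    memcpy(out->cipher_kind, msg + 1, 3);
    memcpy(out->clear_key, msg + HDR_LEN, clear);
    memcpy(out->enc_key, msg + HDR_LEN + clear, enc);
    memcpy(out->key_arg, msg + HDR_LEN + clear + enc, arg);
    out->clear_len = clear; out->enc_len = enc; out->arg_len = arg;
    return 0;
}

/* Constructed input: declares `declared` key-arg bytes, carries `actual`. */
int demo(size_t declared, size_t actual)
{
    uint8_t msg[HDR_LEN + 64] = { 2 };
    struct client_master_key k;
    if (actual > 64) return -2;
    msg[8] = (uint8_t)(declared >> 8); msg[9] = (uint8_t)(declared & 0xff);
    memset(msg + HDR_LEN, 0x41, actual);
    return parse_client_master_key(msg, HDR_LEN + actual, &k);
}
int main(void) { printf("%d %d\n", demo(8, 8), demo(9, 9)); return 0; }
```

A parser without the first check copies `arg` bytes into an 8-byte buffer regardless of what the peer declared, which is the class of defect the alert describes.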
A remote user may be able to cause the Cisco Secure Content Accelerator to crash.
For the flaws in OpenSSL, a remote user acting as an SSL server could cause arbitrary code to be executed on an SSL client that is connecting to the server. It is not clear if the Cisco Secure Content Accelerator allows code execution or not.
Cisco has issued a fixed version (188.8.131.52) of the Cisco Secure Content Accelerator, available at:
The Release-notes are available at:
Vendor URL: www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_sca/sca_320/v320b20.htm#xtocid13
Boundary error, Exception handling error
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Fri, 4 Oct 2002 16:46:41 -0400 (EDT)
Subject: Re: Cisco Secure Content Accelerator vulnerable to SSL worm
-----BEGIN PGP SIGNED MESSAGE-----
We can confirm the finding made by Matt Zimmerman <email@example.com> for all
older releases of the Cisco Secure Content Accelerator software.
Cisco has released version 184.108.40.206 of Cisco Secure Content Accelerator
software on September 27, 2002 which resolves the OpenSSL issue.
The new version of software is available to customers via our website at
This problem has been documented in the Release-notes for version 220.127.116.11
> Product : Cisco SCA 11000 Series Secure Content Accelerator
> Product URL : http://www.cisco.com/warp/customer/cc/pd/cxsr/ps2083/
> CVE : CAN-2002-0656
> Software release: All current releases
> Vendor status : PSIRT and TAC notified 2002/09/17, last update 2002/09/24
> Patch status : No patch available
> Attempts to exploit the vulnerability described in CAN-2002-0656 cause the
> SCA 11000 (all tested software releases) to spontaneously reboot, resulting
> in at least a denial of service. This product incorporates code from an
> older OpenSSL release, and thus shares the same vulnerability. There is no
> known means to work around this issue, short of disabling SSL services on
> the system.
> Cisco's Secure Content Accelerator is closely related to SonicWall's SSL
> offloader product. The SonicWall product was also vulnerable, and a
> statement and fix were issued promptly:
> No official fix is as yet available from Cisco for this issue, and no
> advisory has been released. Impact is likely equivalent to impact on the
> SonicWall product.
> Cisco PSIRT publishes advisories here:
> - mdz
| || || | Mike Caudill | firstname.lastname@example.org |
| || || | PSIRT Incident Manager | 919.392.2855 |
| |||| |||| | DSS PGP: 0xEBBD5271 | 919.522.4931 (cell)|
| ..:||||||:..:||||||:.. | RSA PGP: 0xF482F607 ---------------------|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt |
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
-----END PGP SIGNATURE-----