SecurityTracker.com
Category:   Device (Encryption/VPN)  >   Cisco Secure Content Accelerator
Vendors:   Cisco
(Cisco Fixes Cisco Secure Content Accelerator) Re: OpenSSL Has Multiple Buffer Overflows That Allow Remote Users to Execute Arbitrary Code with Root Privileges
SecurityTracker Alert ID:  1005357
SecurityTracker URL:  http://securitytracker.com/id/1005357
CVE Reference:   CVE-2002-0655, CVE-2002-0656, CVE-2002-0657, CVE-2002-0659
Date:  Oct 4 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): SCA 11000 series; prior to 3.2.0.20
Description:   Four buffer overflow conditions were reported in OpenSSL. The Cisco Secure Content Accelerator is reportedly affected and may crash and reboot when an exploit is attempted.

The vendor has reported that A.L. Digital Ltd and The Bunker have uncovered multiple buffer overflows in OpenSSL, discovered during a security review.

A remote user could create a specially crafted, oversized client master key and use SSL2 to trigger an overflow on an SSL server. According to the report, this vulnerability was independently discovered by Neohapsis, which has confirmed that the overflow can be exploited to execute arbitrary code.

A remote user with an SSL server could create a specially crafted, oversized session ID and supply this ID to a target client using SSL3 to trigger an overflow.

A remote user could supply a specially crafted, oversized master key to an SSL3 server to trigger an overflow. It is reported that this flaw affects OpenSSL 0.9.7 prior to version 0.9.7-beta3 when Kerberos is enabled.

Several buffers used for ASCII representations of integers are reportedly too small on 64 bit platforms.
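
The undersized-buffer condition on 64-bit platforms described above, shown as an added C example (not OpenSSL or Cisco code; `DEC_BUF_SIZE` and `fmt_i64` are names made up for this illustration). It sizes the buffer from the integer type's width and refuses to format when the destination is too small:

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Worst-case bytes needed to print a signed integer of type t in decimal:
 * digits (value bits * log10(2), bounded above via 302/1000 + 1) + sign + NUL.
 * Evaluates to 12 for a 32-bit type and 22 for a 64-bit type. */
#define DEC_BUF_SIZE(t) ((sizeof(t) * CHAR_BIT - 1) * 302 / 1000 + 1 + 1 + 1)

/* Format v into buf without ever writing past cap bytes.
 * Returns the string length, or -1 if the buffer is too small
 * (buf is then left as an empty string instead of a truncated number). */
int fmt_i64(char *buf, size_t cap, int64_t v)
{
    int n = snprintf(buf, cap, "%" PRId64, v);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0)
            buf[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char legacy[12];                      /* sized for 32-bit values only */
    char sized[DEC_BUF_SIZE(int64_t)];    /* sized from the type's width */

    /* Constructed sample values: the extremes of each width. */
    printf("32-bit min in 12 bytes: %d\n",
           fmt_i64(legacy, sizeof legacy, INT32_MIN));
    printf("64-bit min in 12 bytes: %d\n",
           fmt_i64(legacy, sizeof legacy, INT64_MIN));
    printf("64-bit min in %zu bytes: %d (%s)\n", sizeof sized,
           fmt_i64(sized, sizeof sized, INT64_MIN), sized);
    return 0;
}
```

A 12-byte buffer holds every 32-bit value, but the 64-bit minimum needs 21 bytes including the terminator, which is the gap an unchecked `sprintf` into the old buffer would write through.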

The report also states that other potential buffer overflows that are currently considered to be non-exploitable have been discovered.

The vendor notes that Adi Stav and James Yonan independently reported that the ASN1 parser can be confused by certain invalid encodings, potentially allowing a remote user to cause denial of service conditions. OpenSSL-based applications that use the ASN1 library to parse untrusted data (including all SSL or TLS applications using S/MIME [PKCS#7] or certificate generation routines) are affected.

Impact:   A remote user may be able to cause the Cisco Secure Content Accelerator to crash.

For the flaws in OpenSSL, a remote user acting as an SSL server could cause arbitrary code to be executed on an SSL client that is connecting to the server. It is not clear if the Cisco Secure Content Accelerator allows code execution or not.

Solution:   Cisco has issued a fixed version (3.2.0.20) of the Cisco Secure Content Accelerator, available at:

http://www.cisco.com/cgi-bin/tablebuild.pl/cs-conacc

The Release-notes are available at:

http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_sca/sca_320/v320b20.htm#xtocid13

Vendor URL:  www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_sca/sca_320/v320b20.htm#xtocid13
Cause:   Boundary error, Exception handling error

Message History:   This archive entry is a follow-up to the message listed below.
Jul 30 2002 OpenSSL Has Multiple Buffer Overflows That Allow Remote Users to Execute Arbitrary Code with Root Privileges



 Source Message Contents

Subject:  Re: Cisco Secure Content Accelerator vulnerable to SSL worm


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



We can confirm the finding made by Matt Zimmerman <mdz@debian.org> for all 
older releases of the Cisco Secure Content Accelerator software.

Cisco has released version 3.2.0.20 of Cisco Secure Content Accelerator 
software on September 27, 2002 which resolves the OpenSSL issue.

The new version of software is available to customers via our website at 

	http://www.cisco.com/cgi-bin/tablebuild.pl/cs-conacc

This problem has been documented in the Release-notes for version 3.2.0.20
online at:

	http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_sca/sca_320/v320b20.htm#xtocid13


- -Mike-



> Product         : Cisco SCA 11000 Series Secure Content Accelerator
> Product URL     : http://www.cisco.com/warp/customer/cc/pd/cxsr/ps2083/
> CVE             : CAN-2002-0656
> Software release: All current releases
> Vendor status   : PSIRT and TAC notified 2002/09/17, last update 2002/09/24
> Patch status    : No patch available

> Attempts to exploit the vulnerability described in CAN-2002-0656 cause the
> SCA 11000 (all tested software releases) to spontaneously reboot, resulting
> in at least a denial of service.  This product incorporates code from an
> older OpenSSL release, and thus shares the same vulnerability.  There is no
> known means to work around this issue, short of disabling SSL services on
> the system.

> Cisco's Secure Content Accelerator is closely related to SonicWall's SSL
> offloader product.  The SonicWall product was also vulnerable, and a
> statement and fix were issued promptly:

> http://www.sonicwall.com/support/security_advisories/security_advisory-openSSL.html

> No official fix is as yet available from Cisco for this issue, and no
> advisory has been released.  Impact is likely equivalent to impact on the
> SonicWall product.

> Cisco PSIRT publishes advisories here:

> http://www.cisco.com/warp/public/707/advisory.html

> -- 
>  - mdz

- -- 
- ----------------------------------------------------------------------------
|      ||        ||       | Mike Caudill              | mcaudill@cisco.com |
|      ||        ||       | PSIRT Incident Manager    | 919.392.2855       |
|     ||||      ||||      | DSS PGP: 0xEBBD5271       | 919.522.4931 (cell)|
| ..:||||||:..:||||||:..  | RSA PGP: 0xF482F607       ---------------------|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt                  |
- ----------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBPZ3+GYpjyUnrvVJxEQIlbQCeP9Ce2M7rpVgGncXa67XLyUcFzNoAoN5p
8V8uMFPZKxJ10sHmkzOceYc9
=qOdy
-----END PGP SIGNATURE-----

 
 

