Wednesday, September 22, 2021

SSL vulnerability could bring down Cisco LAN/WAN gear

Cisco Systems Inc. warned that an implementation of Secure Sockets Layer on some of its switches, routers and firewalls could leave these devices vulnerable to a denial-of-service attack.

A warning posted on Cisco’s Web site Wednesday says that some hardware and software products with HTTPS servers running OpenSSL (used for management and configuration) could be brought down by an attack designed to crash the HTTPS server on the affected device. Cisco posted a software fix for the problem.

Affected products include Cisco IOS 12.1(11)E, and 12.2SY “crypto” release versions and sub-releases. Products running this IOS image could include Cisco Catalyst 6500 switches and the firewall module for the Catalyst 6500, Cisco 7100 and 7200 series routers, PIX firewalls, Content Service Switches and the MDS 9000 series storage switches and Global Site Selector 4480. Software affected by the vulnerability includes the CiscoWorks Common Services 2.2, and Management Foundation 2.1 platforms and Cisco Access Registrar, a RADIUS remote access server.

Cisco said that an attacker could exploit the OpenSSL weakness on these products by “carefully crafting” a special SSL/TSL handshake against the HTTPS server that would cause it crash. This HTTPS crash would then cause the device to reset. Performing this attack repeatedly could make the device unavailable until the problem is fixed, or the attack stops. Cisco devices using Secure Shell (SSH) for secure access are not affected by the vulnerability, the vendor said.

PIX firewall Vversion 6.0 is affected, but not Version 5.0, which doesn’t support OpenSSL, Cisco said. Not all Cisco products using OpenSSL code are vulnerable to the attack either, the company added. A complete list of OpenSSL-enabled products that are affected, and not affected, is on Cisco’s Web site.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada

Related Tech News