Cisco CSS 11500 Series Content Services Switches (CSS) configured with Secure Sockets Layer (SSL) termination services are vulnerable to a Denial of Service (DoS) attack when processing malformed client certificates.
Vulnerable Systems:
* Cisco WebNS operating system version 7.1
* Cisco WebNS operating system version 7.2
* Cisco WebNS operating system version 7.3
* Cisco WebNS operating system version 7.4
* Cisco WebNS operating system version 7.5
Immune Systems:
* Cisco WebNS operating system version 7.30.4.02
* Cisco WebNS operating system version 7.40.2.02
* Cisco WebNS operating system version 7.50.1.03
The Cisco CSS 11500 performs an analysis of protocol headers and directs requests to an appropriate resource based on configurable policies. With integrated SSL modules, it can also terminate SSL sessions on behalf of back-end servers.
The CSS may reload due to a memory corruption issue when presented with a malformed digital client certificate during the negotiation of an SSL session. This condition is present even if the CSS did not request a client certificate during SSL session negotiation.
This vulnerability is only present if a CSS is configured to support SSL termination services. SSL termination services are not configured by default.
Users can determine if SSL termination services are configured on a CSS by performing the following steps.
* View the current running configuration:
# show running-config
* In the Services section of the configuration, users can find enabled SSL termination services. An example of an enabled SSL termination service called ssl-serv1 will look similar to the following. The type command with the option ssl-accel or ssl-accel-backend indicates that the service is associated with an SSL module, and the active command signifies that the SSL termination service is enabled. A service of that type without an active command is configured but suspended.
service ssl-serv1
type ssl-accel
slot 3
keepalive type none
add ssl-proxy-list ssl list1
active
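The check above can be applied to a saved copy of show running-config rather than by eye. The following script is an added example, not code from Cisco or from the advisory: it walks the Services section, records the type, slot and active state of each service, and reports those whose type is ssl-accel or ssl-accel-backend and which carry the active command. The sample configuration embedded in it is constructed for illustration, and the list of top-level keywords used to recognise the end of a service block (owner, content, ssl-proxy-list, and so on) is an assumption about CSS configuration layout rather than something the advisory states.

```python
"""Find enabled SSL termination services in a CSS 11500 running-config.

Added example, not Cisco code. A service is reported when its ``type`` is
ssl-accel or ssl-accel-backend AND the block contains the ``active``
command, which is exactly the condition the advisory describes.
"""
import re
import sys
from dataclasses import dataclass, field

SSL_TYPES = {"ssl-accel", "ssl-accel-backend"}

# Assumption: these non-indented keywords open other top-level sections of a
# CSS running-config, so seeing one ends the current service block. This
# keeps an ``active`` inside a content rule from being credited to the last
# service parsed.
SECTION_KEYWORDS = {
    "owner", "content", "ssl-proxy-list", "group", "acl", "interface",
    "circuit", "dns-server", "eql", "header-field-group", "url",
}

# Constructed sample capture (not a real device's configuration).
SAMPLE_CONFIG = """\
!************************** SERVICE **************************
service web-serv1
  ip address 10.1.1.10
  active

service ssl-serv1
  type ssl-accel
  slot 3
  keepalive type none
  add ssl-proxy-list ssl_list1
  active

service ssl-backend1
  type ssl-accel-backend
  slot 3

!*************************** OWNER ***************************
owner demo
  content rule1
    vip address 10.1.1.100
    add service web-serv1
    active
"""


@dataclass
class Service:
    name: str
    type: str = ""
    slot: str = ""
    active: bool = False
    commands: list = field(default_factory=list)


def parse_services(config_text):
    """Return every ``service`` block found in the configuration text."""
    services = []
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # blank line or banner comment
        parts = line.split()
        # A non-indented line starting a different section ends the service.
        if raw[0] not in " \t" and parts[0] in SECTION_KEYWORDS:
            current = None
            continue
        m = re.match(r"^service\s+(\S+)$", line)
        if m:
            current = Service(name=m.group(1))
            services.append(current)
            continue
        if current is None:
            continue                      # sub-command of some other section
        current.commands.append(line)
        if parts[0] == "type" and len(parts) > 1:
            current.type = parts[1]
        elif parts[0] == "slot" and len(parts) > 1:
            current.slot = parts[1]
        elif line == "active":
            current.active = True
    return services


def enabled_ssl_services(config_text):
    """Services that are associated with an SSL module and are active."""
    return [s for s in parse_services(config_text)
            if s.type in SSL_TYPES and s.active]


def report(config_text):
    """Human-readable summary, one line per enabled SSL termination service."""
    found = enabled_ssl_services(config_text)
    if not found:
        return "no enabled SSL termination services: not exposed"
    return "\n".join(f"EXPOSED: service {s.name} type {s.type} slot {s.slot}"
                     for s in found)


if __name__ == "__main__":
    # Usage: python css_ssl_check.py [saved-running-config.txt]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(report(text))
```

Run it against a file captured from show running-config, or with no argument to see the constructed sample; only ssl-serv1 is reported, because ssl-backend1 has the right type but no active command and web-serv1 is active but not on an SSL module.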
Successful exploitation of the vulnerability may result in the immediate reload of the device. Repeated exploitation could result in a sustained DoS attack.
Workarounds:
The effectiveness of any workaround depends on the specific user's situation, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround is the most appropriate for use in the intended network before it is deployed.
If upgrading to a fixed version of Cisco WebNS software is not possible, the following workarounds are available.
* Disable SSL termination for network services if not needed.
In global configuration mode, a user can remove an SSL service using the following commands. ssl-serv1 is the name of a user-defined SSL service; the device prompts for confirmation before deleting it.
(config)# no service ssl-serv1
Delete service <ssl>, [y/n]:y
Fixed Software:
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") for assistance.
* Cisco WebNS operating system version 7.3 should be upgraded to version 7.30.4.02 or later
* Cisco WebNS operating system version 7.4 should be upgraded to version 7.40.2.02 or later
* Cisco WebNS operating system version 7.5 should be upgraded to version 7.50.1.03 or later
Users running Cisco WebNS 7.10 or 7.20, for which no fixed release in those trains is listed, are encouraged to upgrade CSS platforms to a fixed version of Cisco WebNS 7.30 or later. Fixed software may be obtained by registered users at http://www.cisco.com/pcgi-bin/tablebuild.pl/css11500-maint