|
|
|
|
| |
| Non-Secure Shell (SSH) connection attempts to an enabled SSH service on a Cisco Catalyst 6000, 5000, or 4000 switch, might cause a "protocol mismatch" error, resulting in a supervisor engine failure. The supervisor engine failure causes the switch to fail to pass traffic and reboots the switch. This problem is resolved in release 6.1(1c). |
| |
Credit:
This vulnerability has been assigned Cisco bug ID CSCds85763.
The full text of this advisory can be viewed at:
http://www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml
|
| |
Vulnerable systems:
Catalyst 6000, 5000, 4000 images with SSH support.
Version 6.1(1), 6.1(1a), 6.1(1b) with 3 Data Encryption Standard (DES) features only.
Only the following images are affected:
cat4000-k9.6-1-1.bin
cat5000-sup3cvk9.6-1-1a.bin
cat5000-sup3k9.6-1-1.bin
cat5000-supgk9.6-1-1.bin
cat6000-sup2cvk9.6-1-1b.bin
cat6000-sup2k9.6-1-1b.bin
cat6000-supcvk9.6-1-1b.bin
cat6000-supk9.6-1-1b.bin
Immune systems:
Cisco IOS 12.1 SSH implementation is not affected by this vulnerability. No other Cisco devices are affected.
Non-SSH protocol connection attempts to the SSH service cause a "protocol mismatch" error, which causes a switch to reload. SSH is not enabled by default, and must be configured by the administrator.
To verify if your image is affected, run the command "show version". If the image filename is listed above, and you have enabled SSH, you are affected by this vulnerability and should upgrade to a fixed version immediately.
Impact
This vulnerability enables a Denial of Service attack on the Catalyst switch.
Software Versions and Fixes
This defect is resolved in Cisco Catalyst version 6.1(1c). Previous affected versions will be deferred, and will no longer be available for customer download.
Getting Fixed Software
Cisco is offering free software upgrades to remedy this vulnerability for all affected customers.
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained via the Software Center on Cisco's Worldwide Web site at http://www.cisco.com.
Workarounds
The workaround for this vulnerability is to disable SSH service. For most customers using this image, SSH support is necessary, so the recommended action is to upgrade to a fixed version.
|
|
|
|
|
|
|
|
|
|
