As we reported in our previous article, "Slapper" OpenSSL/Apache Worm Propagation, a worm has been infecting machines and spreading from them to other machines by exploiting a well-known vulnerability in OpenSSL. It has now become clear that the un-patched version of Cisco's Secure Content Accelerator is also vulnerable to attack, and is being actively compromised.
Credit:
The information has been provided by Matt Zimmerman and Mike Caudill.
Vulnerable systems:
* Cisco SCA 11000 Series Secure Content Accelerator
Attempts to exploit the vulnerability described in CAN-2002-0656 cause the SCA 11000 (all tested software releases) to spontaneously reboot, resulting in at least a denial of service. This product incorporates code from an older OpenSSL release, and thus shares the same vulnerability. There is no known means to work around this issue, short of disabling SSL services on the system.
Cisco's Secure Content Accelerator is closely related to SonicWALL's SSL offloader product. The SonicWALL product was also vulnerable, and a statement and fix were issued promptly:
http://www.sonicwall.com/support/security_advisories/security_advisory-openSSL.html
No official fix is as yet available from Cisco for this issue, and no advisory has been released. Impact is likely equivalent to impact on the SonicWALL product.
Cisco PSIRT publishes advisories here:
http://www.cisco.com/warp/public/707/advisory.html
Vendor response:
We can confirm the finding made by Matt Zimmerman for all older releases of the Cisco Secure Content Accelerator software.
Cisco released version 3.2.0.20 of Cisco Secure Content Accelerator software on September 27, 2002, which resolves the OpenSSL issue.
The new version of software is available to customers via our website at:
http://www.cisco.com/cgi-bin/tablebuild.pl/cs-conacc
This problem has been documented in the Release-notes for version 3.2.0.20 online at:
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_sca/sca_320/v320b20.htm#xtocid13