Cisco Security Advisory
Transport Layer Security Renegotiation Vulnerability
Summary
An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20091109-tls.
Affected Products
Cisco is currently evaluating products for possible exposure to these TLS issues. Products will only be listed in the Vulnerable Products or Products Confirmed Not Vulnerable sections of this advisory when a final determination about product exposure is made. Products that are not listed in either of these two sections are still being evaluated.
Vulnerable Products
This section will be updated when more information is available. The following products are confirmed to be vulnerable:
- Cisco Internet Streamer CDS
- Cisco ACE 4700 Series Application Control Engine Appliances
- Cisco ACE Application Control Engine Module
- Cisco ACE GSS 4400 Series Global Site Selector Appliances
- Cisco ACE Web Application Firewall
- Cisco Wireless Control System
- Cisco Wireless LAN Controller (WLC)
Note: Extensible Authentication Protocol Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol (PEAP) are not affected by this vulnerability.
- Cisco Wireless Location Appliance
- CiscoWorks Wireless LAN Solution Engine (WLSE)
- Cisco Digital Media Player
- Cisco Digital Media Manager
- Cisco Access Control Server (ACS)
- CiscoWorks Common Services
- Cisco Telepresence Recording Server
- Cisco NX-OS Software
- Cisco Video Surveillance Operations Manager Software
- Cisco Video Surveillance Media Server Software
- Cisco ASA 5500 Series Adaptive Security Appliances
- Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module (FWSM)
- Cisco AVS 3120 and 3180 Series Application Velocity System
- Cisco CSS 11500 Series Content Services Switches
The CSS 11500 Series Content Services Switches are affected by this vulnerability in their default configuration. However, the client authentication feature can be enabled as a mitigation.
To enable or disable client authentication on a virtual SSL server, use the ssl-server authentication command under the ssl-proxy-list.
Note: By default, client authentication is disabled. After you enable client authentication on the CSS, you must specify a CA certificate that the CSS uses to verify client certificates.
- Cisco Content Switching Module (CSM)
- Cisco Wide Area Application Services (WAAS)
- Cisco Application Networking Manager (ANM)
- Cisco Unified IP Phones
- Cisco ONS 15500 Series
- Cisco Unified Contact Center Products
- Cisco Security Agent (CSA)
- Cisco IP Communicator
- Cisco Network Registrar
- Cisco Unified Communications Manager (CallManager)
- Cisco Network Analysis Module Software (NAM)
- Cisco IronPort's Email Security Appliance (X-Series & C-Series)
- Cisco Spam & Virus Blocker (B-Series)
- Cisco IronPort's Web Security Appliance (S-Series)
- Cisco IronPort's Security Management Appliance (M-Series)
- Cisco IronPort's Encryption Appliance (IEA)
- Cisco Catalyst 6500 series SSL Services Module
- Cisco PIX (see http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notices_list.html)
Products Confirmed Not Vulnerable
The following products are confirmed not vulnerable:
- Cisco AnyConnect VPN Client
- Cisco Unified MeetingPlace
- Cisco Data Center Network Manager
- Cisco Service Control Subscriber Manager
- Cisco Secure Desktop (CSD)
- Cisco ASA Advanced Inspection and Prevention (AIP) Security Services Module
- Cisco Transport Manager (CTM)
- Cisco IOS SSL VPN
- Cisco IOS HTTP Secure Server
- Cisco Intrusion Prevention System (CIDS/IPS)
This section will be updated when more information is available.
Details
TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet. An industry-wide vulnerability exists in the TLS protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.
Note: Extensible Authentication Protocol Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol (PEAP) are not affected by this vulnerability.
The following Cisco Bug IDs are being used to track potential exposure to the SSL and TLS issues. The bugs listed below do not confirm that a product is vulnerable, but rather that the product is under investigation by the appropriate product teams.
Registered Cisco customers can view these bugs via Cisco's Bug Toolkit: http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl
Product: Bug ID
Cisco ACE 4700 Series Application Control Engine Appliances
Cisco ACE Application Control Engine Module
Cisco ACE GSS 4400 Series Global Site Selector Appliances
Cisco ACE Web Application Firewall
Cisco Adaptive Security Device Manager (ASDM)
Cisco AON Software
Cisco AON Healthcare for HIPAA and ePrescription
Cisco Application and Content Networking System (ACNS) Software
Cisco Application Networking Manager
Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA Advanced Inspection and Prevention (AIP) Security Services Module
Cisco AVS 3100 Series Application Velocity System
Cisco Catalyst 6500 Series SSL Services Module
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module (FWSM)
Cisco CSS 11000 Series Content Services Switches
Cisco Unified SIP Phones
Cisco Data Mobility Manager
Cisco Digital Media Manager
Cisco Digital Media Players
Cisco Emergency Responder
Cisco Internet Streamer CDS
Cisco IOS Software
Cisco IOS XE Software
Cisco IOS XR Software
Cisco IP Communicator
CATOS
Cisco IronPort Appliances
Cisco NAC Appliance (Clean Access)
Cisco NAC Guest Server
Cisco NAC Profiler
Cisco Network Analysis Module Software (NAM)
Cisco Network Registrar
Cisco ONS 15500 Series
Cisco Physical Access Gateways
Cisco Physical Access Manager
Cisco QoS Device Manager
Cisco Secure Access Control Server (ACS): CSCtd00725 and CSCtd69422
Cisco Secure Desktop
Cisco Secure Services Client
Cisco Security Agent CSA
Cisco Security Monitoring, Analysis and Response System (MARS)
Cisco Unified IP Phones
Cisco TelePresence Manager
Telepresence for Consumer
Cisco TelePresence Recording Server
Cisco Network Asset Collector: CSCtd04198 and CSCtd37007
Cisco Unified Communications Manager (CallManager)
Cisco Unified Business Attendant Console
Cisco Unified Contact Center Enterprise
Cisco Unified Contact Center Express
Cisco Unified Contact Center Management Portal
Cisco Unified Contact Center Products
Cisco Unified Department Attendant Console
Cisco Unified E-Mail Interaction Manager
Cisco Unified Enterprise Attendant Console
Cisco Unified Mobility
Cisco Unified Mobility Advantage
Cisco Unified Operations Manager
Cisco Unified Personal Communicator
Cisco Unified Presence: CSCtd05791 and CSCte81278
Cisco Unified Provisioning Manager
Cisco Unified Quick Connect
Cisco Unified Service Monitor
Cisco Unified Service Statistics Manager
Cisco Unified SIP Proxy
Cisco Unity
Cisco NX-OS Software: CSCtd00699 and CSCtd00703
Cisco Video Portal
Cisco Video Surveillance Media Server Software
Cisco Video Surveillance Operations Manager Software
Cisco Wide Area Application Services (WAAS)
Cisco Wireless Control System
Cisco Wireless LAN Controller (WLAN)
Cisco Wireless Location Appliance
CiscoWorks Common Services Software
CiscoWorks Wireless LAN Solution Engine (WLSE)
Linksys Routers: Not viewable in Bug Toolkit
WebEx Connect: Not viewable in Bug Toolkit
WebEx Event Center: Not viewable in Bug Toolkit
WebEx Meeting Center: Not viewable in Bug Toolkit
WebEx Meet Me Now (MMN): Not viewable in Bug Toolkit
WebEx PCNow (PCN): Not viewable in Bug Toolkit
WebEx Sales Center: Not viewable in Bug Toolkit
WebEx Support Center: Not viewable in Bug Toolkit
WebEx Training Center: Not viewable in Bug Toolkit
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-3555.
Workarounds
There are no known workarounds.
Software Versions and Fixes
This section will be updated to include fixed software versions for affected Cisco products as they become available.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the software table below lists a product that has been patched to disable SSL/TLS renegotiation and the version(s) of software that contain the fix. A device running a release that is earlier than the release listed for its train (that is, lower than the First Fixed Release) is known to be vulnerable. Such a device should be upgraded at least to the indicated release or a later version.
Product: First Fixed Releases
Cisco ASA 5500 Series Adaptive Security Appliances: 8.0(5.6), 8.1(2.39), 8.2(1.16), 8.3(0.08), 7.2(4.44)
Cisco ACE 4700 Series Application Control Engine Appliances: 3.0(0)A3(2.4.61)
Cisco ACE Application Control Engine Module: 3.0(0)A2(2.2.28), 3.0(0)A2(2.3)
Cisco Application and Content Networking System (ACNS) Software: 5.5.17
Cisco Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module (FWSM): 3.1(17), 3.2(15), 4.0(9), 4.1(1)
Cisco Internet Streamer CDS: 2.6.0
Cisco IronPort's Email Security Appliance (X-series and C-series): 7.0.1 and above
Cisco IronPort's Web Security Appliance (S-series): 6.3.3 and above
Cisco Mobile Wireless Transport Manager (MWTM): 6.1(2)
Cisco Network Analysis Module Software (NAM): 4.1(1-patch2)
Cisco Network Collector: 6.1
Cisco NX-OS Software (Nexus 5000): 4.1(3)N2(1a)
Cisco NX-OS Software (Nexus 7000): 4.2(3), 5.0
Cisco Security Agent CSA: 6.0(1.126), 6.0(2.099)
Cisco Unified Communications Manager (CallManager): 6.1(5), 8.0(0.98000.106)
Cisco Unified Computing System Blade-Server: 4.0(1a)N2(1.2h), 4.0(1a)N2(1.2j)
Cisco Unified IP Phones: RT: Release 9.0.3; TNP: Release 9.0.2
Cisco Unified Intelligent Contact Management Enterprise: 7.5(8), 8.0(1)
Cisco Unity Connection: 8.0(1)
Cisco Wide Area Application Services (WAAS): 4.1.7, 4.2.1
Cisco Wireless LAN Controller (WLAN): 6.0(196.000)
Cisco Video Surveillance Media Server Software: 4.2.1/6.2.1
Fixed Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT
All other fixed software can be downloaded from: http://www.cisco.com/cisco/psn/web/download/index.html
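The "earlier than the First Fixed Release in its train" rule above is easy to misapply by hand when releases look like 8.0(5.6) or 4.1(3)N2(1a). The following script is an added example, not Cisco's code or part of this advisory: it embeds a constructed subset of the table (ASA, FWSM and Nexus 5000 rows, copied from the advisory), splits release strings into comparable fields, and reports for a constructed inventory whether each device is below the first fixed release of its train, at or above it, or on a train the table does not cover. The product keys, function names, hostnames and the left-to-right ordering assumed for letter and number fields are this example's own assumptions.

```python
"""Check an inventory of running releases against the advisory's rule:
a release on the same train that is lower than the first fixed release
is vulnerable. Added example, not part of the Cisco advisory."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed subset of the advisory's "First Fixed Releases" table.
# The dictionary keys are labels chosen for this example, not official identifiers.
FIRST_FIXED: Dict[str, List[str]] = {
    "Cisco ASA 5500 Series": ["8.0(5.6)", "8.1(2.39)", "8.2(1.16)", "8.3(0.08)", "7.2(4.44)"],
    "FWSM": ["3.1(17)", "3.2(15)", "4.0(9)", "4.1(1)"],
    "Cisco NX-OS Software (Nexus 5000)": ["4.1(3)N2(1a)"],
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")
Key = Tuple[Tuple[int, object], ...]


def release_key(release: str) -> Key:
    """Split '8.0(5.6)' or '4.1(3)N2(1a)' into a tuple that compares field by
    field. Numeric runs compare as integers, letter runs as lowercase strings;
    the leading 0/1 tag keeps ints and strs from being compared directly.
    Ordering mixed letter/number fields strictly left to right is an
    assumption of this example, not a rule stated in the advisory."""
    key: List[Tuple[int, object]] = []
    for tok in _TOKEN.findall(release):
        if tok.isdigit():
            key.append((0, int(tok)))
        else:
            key.append((1, tok.lower()))
    return tuple(key)


def train(release: str) -> Tuple[int, ...]:
    """The release train is taken to be the first two numeric fields (8.0, 4.1, ...)."""
    nums = [int(t) for t in _TOKEN.findall(release) if t.isdigit()]
    return tuple(nums[:2])


def is_vulnerable(product: str, running: str) -> Optional[bool]:
    """True if `running` is below the first fixed release of its train,
    False if at or above it, None if the table has no entry for that train
    (exposure undetermined: consult the advisory and later PSIRT notices)."""
    candidates = [f for f in FIRST_FIXED.get(product, []) if train(f) == train(running)]
    if not candidates:
        return None
    first_fixed = min(candidates, key=release_key)
    return release_key(running) < release_key(first_fixed)


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map a constructed (hostname, product, running release) inventory to
    (hostname, status) pairs for reporting."""
    labels = {True: "VULNERABLE - upgrade", False: "fixed", None: "undetermined"}
    return [(host, labels[is_vulnerable(product, rel)]) for host, product, rel in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = [
        ("asa-edge-1", "Cisco ASA 5500 Series", "8.0(4)"),
        ("asa-edge-2", "Cisco ASA 5500 Series", "8.2(1.16)"),
        ("fwsm-dc-1", "FWSM", "4.0(8)"),
        ("n5k-1", "Cisco NX-OS Software (Nexus 5000)", "4.1(3)N1(1)"),
        ("asa-lab", "Cisco ASA 5500 Series", "8.4(1)"),
    ]
    for host, status in audit(sample):
        print(f"{host}: {status}")
```

The "undetermined" result matters as much as the other two: a train absent from the table (8.4 for ASA in the sample) is not known to be fixed, which is exactly the case where the advisory tells you to consult http://www.cisco.com/go/psirt and later advisories rather than assume exposure either way.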
Exploitation and Public Announcements
This vulnerability was initially discovered by Marsh Ray and Steve Dispensa from PhoneFactor, Inc.
Cisco is not aware of any malicious exploitation of this vulnerability.
Proof-of-concept exploit code has been published for this vulnerability.
Status of This Notice
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History
Revision 1.15, 2011-October-20: Updated Vulnerable Products and Products Confirmed Not Vulnerable.
Revision 1.14, 2010-July-22: Updated Vulnerable Products.
Revision 1.13, 2010-March-29: Updated Fixed Software Versions for CUCM.
Revision 1.12, 2010-March-10: Updated Fixed Software Versions for WAAS and WLC.
Revision 1.11, 2010-March-03: IOS HTTP Secure Server added to Products Confirmed Not Vulnerable.
Revision 1.10, 2010-February-26: Updated Fixed Software.
Revision 1.9, 2010-February-05: Updated Affected Products and Details sections.
Revision 1.8, 2010-January-21: Updated Software Fixes table and Products Confirmed Not Vulnerable.
Revision 1.7, 2010-January-04: Affected Products update.
Revision 1.6, 2009-December-18: Affected Products and Details updates.
Revision 1.5, 2009-December-14: EAP-TLS and PEAP not vulnerable.
Revision 1.4, 2009-December-4: Details and Impact update.
Revision 1.3, 2009-December-3: Affected Products update.
Revision 1.2, 2009-November-18: Affected Products update.
Revision 1.1, 2009-November-16: Affected Products update.
Revision 1.0, 2009-November-9: Initial public release.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.