Cisco ACE30 Application Control Engine Module and Cisco ACE 4710 Application Control Engine Denial of Service Vulnerability
Cisco Security Advisory
Emergency Support:
+1 877 228 7302 (toll-free within North America)
+1 408 525 6532 (International direct-dial)
Non-emergency Support:
Email: psirt@cisco.com
Support requests that are received via e-mail are typically acknowledged within 48 hours.
Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.
More information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html
cisco-sa-20160908-ace
Interim
1.2
1.0
2016-09-08T16:42:22
Initial public release.
1.1
2016-09-15T12:20:31
Updated the first fixed available software details.
1.2
2016-10-26T18:16:28
Updated the summary and replaced A5(x) with A5(3.5) in the Fixed Software table.
2016-09-08T16:30:00
2016-10-26T18:16:00
TVCE
A vulnerability in the SSL/TLS functions of the Cisco ACE30 Application Control Engine Module and the Cisco ACE 4700 Series Application Control Engine Appliances could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device.
The vulnerability is due to incomplete input validation checks in the SSL/TLS code. An attacker could exploit this vulnerability by sending specific SSL/TLS packets to the affected device. An exploit could allow the attacker to trigger a reload of the affected device.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160908-ace["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160908-ace"]
This vulnerability affects all software versions running on the Cisco ACE30 Application Control Engine Module and Cisco ACE 4710 Application Control Engine prior to A5(3.5).
No other Cisco products are currently known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
Cisco ACE XML Gateway
Cisco ACE Web Application Firewall
Cisco ACE GSS 4400 Series Global Site Selector Appliances
Cisco ACE10 Application Control Engine Module
Cisco ACE20 Application Control Engine Module
The Cisco ACE 4710 Application Control Engine appliance and the Cisco ACE30 Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers are a load-balancing and application-delivery solution for data centers.
These products entered end-of-life cycle on July 26, 2013. For reference please see End-of-Sale and End-of-Life Announcement for the Cisco ACE Application Control Engine ACE30 Module["http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/services-modules/eol_C51-728979.html"] and End-of-Sale and End-of-Life Announcement for the Cisco ACE 4710 Application Control Engine Hardware["http://www.cisco.com/c/en/us/products/collateral/application-networking-services/ace-4700-series-application-control-engine-appliances/eol_C51-728976.html"].
The vulnerability is triggered by specific SSL/TLS protocol packets. This vulnerability affects all ACE30 and ACE 4710 devices with SSL Termination, SSL End-to-End, or SSL Initiation configurations.
Exploitation of this vulnerability could cause an affected device to reload and generate a Network Process (NP) core file. To view the core file, administrators can issue the dir core: command in the ACE command-line interface (CLI).
The following system log messages may be observed when the ACE reloads:
%ACE-6-199008: DC controller:Ch1 asserts back pressure” and
%ACE-2-199006: Orderly reload started at by System.
Reload reason: DC Counter exceeds threshold : DC0_COUNTER = 1 | DC1_COUNTER = 0#012#012.”
Contact the Cisco Technical Assistance Center (TAC) to review the NP core file and determine whether the device has been compromised by exploitation of this vulnerability.
There are no workarounds that address this vulnerability.
Cisco will release free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html["http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html"].
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized re-seller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt["http://www.cisco.com/go/psirt"] and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC): http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html["http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html"].
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Software
Cisco ACE Major Release
First Fixed Release
A1(x)
Affected; Migrate to A5(3.5)
A3(x)
Affected; Migrate to A5(3.5)
A4(x)
Affected; Migrate to A5(3.5)
A5(x)
A5(3.5)
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Cisco PSIRT has observed impact to customers due to an Internet research project that was scanning SSL/TLS servers that had the consequence of triggering the vulnerability on the Cisco ACE30 and Cisco ACE 4710.
This vulnerability was discovered as part of handling customer support requests.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160908-ace
Cisco ACE30 Application Control Engine Module and Cisco ACE 4710 Application Control Engine Denial of Service Vulnerability
Cisco ACE Application Control Engine Module
Cisco ACE 4700 Series Application Control Engine Appliances
Cisco Application Control Engine and Modules Denial of Service Vulnerability
CSCvb16317
CSCvb16317
Complete.
CVE-2016-6399
CVRFPID-7365
CVRFPID-80725
7.8
7.4
AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C
There are no workarounds that address this vulnerability.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160908-ace
Cisco ACE30 Application Control Engine Module and Cisco ACE 4710 Application Control Engine Denial of Service Vulnerability