Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

james at jamesstewartsmith.com james at jamesstewartsmith.com
Wed Mar 26 16:51:55 UTC 2014


They don't come out often but it happens.  Looks like there were 5 or 6 of them.

James

-----Original Message-----
From: "rwebb at ropeguru.com" <rwebb at ropeguru.com>
Date: Wed, 26 Mar 2014 12:45:18 
To: <psirt at cisco.com>; <nanog at nanog.org>
Reply-To: Robert Webb <rwebb at ropeguru.com>
Subject: Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial
 of Service Vulnerability


Is this normal for the list to directly get Cisco security advisories 
or something new? First time I have seen these.

Robert

On Wed, 26 Mar 2014 12:10:00 -0400
  Cisco Systems Product Security Incident Response Team 
<psirt at cisco.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Cisco IOS Software SSL VPN Denial of Service Vulnerability
> 
> Advisory ID: cisco-sa-20140326-ios-sslvpn
> 
> Revision 1.0
> 
> For Public Release 2014 March 26 16:00 UTC (GMT)
> 
> Summary
> =======
> 
> A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of
> Cisco IOS Software could allow an unauthenticated, remote attacker to
> cause a denial of service (DoS) condition.
> 
> The vulnerability is due to a failure to process certain types of
> HTTP requests. To exploit the vulnerability, an attacker could submit
> crafted requests designed to consume memory to an affected device. An
> exploit could allow the attacker to consume and fragment memory on
> the affected device. This may cause reduced performance, a failure of
> certain processes, or a restart of the affected device.
> 
> Cisco has released free software updates that address this
> vulnerability.
> There are no workarounds to mitigate this vulnerability.
> 
> This advisory is available at the following link:
> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn
> 
> Note: The March 26, 2014, Cisco IOS Software Security Advisory
> bundled publication includes six Cisco Security Advisories. All
> advisories address vulnerabilities in Cisco IOS Software. Each Cisco
> IOS Software Security Advisory lists the Cisco IOS Software releases
> that correct the vulnerability or vulnerabilities detailed in the
> advisory as well as the Cisco IOS Software releases that correct all
> Cisco IOS Software vulnerabilities in the March 2014 bundled
> publication.
> 
> Individual publication links are in Cisco Event Response: Semiannual
> Cisco IOS Software Security Advisory Bundled Publication at the
> following link:
> 
> http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> 
> -----END PGP SIGNATURE-----
> 



