Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

Justin M. Streiner streiner at cluebyfour.org
Wed Mar 26 14:06:24 UTC 2014


These also get posted to other mailing lists, such as cisco-nsp.

jms

On Wed, 26 Mar 2014, rwebb at ropeguru.com wrote:

>
> Thanks everyone for the replies. I guess since they are done so infrequently, 
> I was not a list member the last go around.
>
> Robert
>
> On Wed, 26 Mar 2014 12:58:44 -0400
>  Andrew Latham <lathama at gmail.com> wrote:
>>  Robert
>>
>>  Perfectly normal, almost an announce list for issues like this.
>>
>>  On Wed, Mar 26, 2014 at 12:45 PM, rwebb at ropeguru.com 
>> <rwebb at ropeguru.com> wrote:
>> > 
>> > Is this normal for the list to directly get Cisco security advisories or
>> >  something new. First time I have seen these.
>> > 
>> >  Robert
>> > 
>> > 
>> >  On Wed, 26 Mar 2014 12:10:00 -0400
>> >   Cisco Systems Product Security Incident Response Team <psirt at cisco.com>
>> >  wrote:
>> > > 
>> > >  -----BEGIN PGP SIGNED MESSAGE-----
>> > >  Hash: SHA1
>> > > 
>> > >  Cisco IOS Software SSL VPN Denial of Service Vulnerability
>> > > 
>> > >  Advisory ID: cisco-sa-20140326-ios-sslvpn
>> > > 
>> > >  Revision 1.0
>> > > 
>> > >  For Public Release 2014 March 26 16:00  UTC (GMT)
>> > > 
>> > >  Summary
>> > >  =======
>> > > 
>> > > A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco
>> > > IOS Software could allow an unauthenticated, remote attacker to cause a
>> > > denial of service (DoS) condition.
>> > > 
>> > > The vulnerability is due to a failure to process certain types of HTTP
>> > > requests. To exploit the vulnerability, an attacker could submit crafted
>> > > requests designed to consume memory to an affected device. An exploit could
>> > > allow the attacker to consume and fragment memory on the affected device.
>> > > This may cause reduced performance, a failure of certain processes, or a
>> > > restart of the affected device.
>> > > 
>> > > Cisco has released free software updates that address this vulnerability.
>> > > There are no workarounds to mitigate this vulnerability.
>> > > 
>> > >  This advisory is available at the following link:
>> > > 
>> > >  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn
>> > > 
>> > > Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled
>> > > publication includes six Cisco Security Advisories. All advisories address
>> > > vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security
>> > > Advisory lists the Cisco IOS Software releases that correct the
>> > > vulnerability or vulnerabilities detailed in the advisory as well as the
>> > > Cisco IOS Software releases that correct all Cisco IOS Software
>> > > vulnerabilities in the March 2014 bundled publication.
>> > > 
>> > > Individual publication links are in Cisco Event Response: Semiannual Cisco
>> > > IOS Software Security Advisory Bundled Publication at the following link:
>> > > 
>> > >  http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
>> > > 
>> > 
>> >
>>
>>
>>
>>  -- 
>> ~  Andrew "lathama" Latham lathama at gmail.com http://lathama.net ~
>
>
>



