Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
keastes at gmail.com
Wed Mar 26 16:52:42 UTC 2014
The Full-disclosure mailing list was recently... retired, I guess Cisco
thought NANOG was the next best place.
On Wed, Mar 26, 2014 at 10:45 AM, rwebb at ropeguru.com <rwebb at ropeguru.com> wrote:
> Is this normal for the list to directly get Cisco security advisories or
> something new? First time I have seen these.
> On Wed, 26 Mar 2014 12:10:00 -0400
> Cisco Systems Product Security Incident Response Team <psirt at cisco.com>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> Cisco IOS Software SSL VPN Denial of Service Vulnerability
>> Advisory ID: cisco-sa-20140326-ios-sslvpn
>> Revision 1.0
>> For Public Release 2014 March 26 16:00 UTC (GMT)
>> A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco
>> IOS Software could allow an unauthenticated, remote attacker to cause a
>> denial of service (DoS) condition.
>> The vulnerability is due to a failure to process certain types of HTTP
>> requests. To exploit the vulnerability, an attacker could submit crafted
>> requests designed to consume memory to an affected device. An exploit could
>> allow the attacker to consume and fragment memory on the affected device.
>> This may cause reduced performance, a failure of certain processes, or a
>> restart of the affected device.
>> Cisco has released free software updates that address this vulnerability.
>> There are no workarounds to mitigate this vulnerability.
>> This advisory is available at the following link:
>> Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled
>> publication includes six Cisco Security Advisories. All advisories address
>> vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security
>> Advisory lists the Cisco IOS Software releases that correct the
>> vulnerability or vulnerabilities detailed in the advisory as well as the
>> Cisco IOS Software releases that correct all Cisco IOS Software
>> vulnerabilities in the March 2014 bundled publication.
>> Individual publication links are in Cisco Event Response: Semiannual
>> Cisco IOS Software Security Advisory Bundled Publication at the following
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
>> Comment: GPGTools - http://gpgtools.org
>> -----END PGP SIGNATURE-----