AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:N/E:F/RL:O/RC:C
-
A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
- Processing ClientHello messages, documented as Cisco bug ID CSCsb12598 (registered customers only)
- Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304 (registered customers only)
- Processing Finished messages, documented as Cisco bug ID CSCsd92405 (registered customers only)
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070522-SSL
Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070522-crypto
-
Vulnerable Products
These vulnerabilities affect all Cisco devices running Cisco IOS software configured to use the SSL protocol. The following application layer protocols in Cisco IOS use SSL:
- Hyper Text Transfer Protocol over SSL (HTTPS). This is the most commonly used protocol that employs SSL.
- Cisco Network Security (CNS) Agent with SSL support
- Firewall Support of HTTPS Authentication Proxy
- Cisco IOS Clientless SSL VPN (WebVPN) support
Other protocols that use encryption to provide security but do not use SSL are not affected by these vulnerabilities. Specifically, IPSec and Secure Shell (SSH) are not affected.
To determine the software running on a Cisco IOS product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco devices will not have the show version command, or will give different output.
Only Cisco IOS images that contain the Crypto Feature Set are vulnerable. Customers who are not running an IOS image with crypto support are not exposed to this vulnerability.
Cisco IOS feature set naming indicates that IOS images with crypto support have 'K8' or 'K9' in the feature designator field.
The following example shows output from a device running an IOS image with crypto support:
Router>show version
Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(14)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 31-Mar-05 08:04 by yiyan
Since the feature set designator (IK9S) contains 'K9', it can be determined that this feature set contains crypto support.
Additional information about Cisco IOS release naming is available at the following link: http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml.
The following text describes how to recognize if any of the affected services are enabled on a device.
Hyper Text Transfer Protocol Over SSL (HTTPS)
To determine if a device has HTTPS enabled, enter the command show run | include ip http. The following example shows output from a device that has HTTPS enabled:
Router#show run | include secure-server
ip http secure-server
The following example shows output from a device that does not have HTTPS enabled:
Router#show run | include secure-server
no ip http secure-server
CNS Agent With SSL Support
CNS Agent with SSL support can only be enabled on devices running a Cisco IOS image that supports encryption. The following example shows output from a device that has CNS Agent configured to support SSL:
Router#show run | include cns config initial
cns config initial 10.1.1.1 encrypt no-persist
If the output does not contain the encrypt keyword, the CNS Agent is not vulnerable.
Firewall Support of HTTPS Authentication Proxy
To determine if a device has authentication proxy for HTTPS enabled, enter the command show ip auth-proxy configuration. The following example shows output from a device that has authentication proxy for HTTPS enabled:
Router#show ip auth-proxy configuration
Authentication cache time is 60 minutes
Authentication Proxy Rule Configuration
 Auth-proxy name my_pxy
  http list not specified auth-cache-time 1 minutes
If the command does not produce any output, authentication proxy for HTTPS is not enabled.
Cisco IOS Clientless SSL VPN (WebVPN) Enhanced Support
To determine if a device has Cisco IOS Clientless SSL VPN (WebVPN) enhanced support enabled, enter the command show webvpn gateway. The following example shows output from a device that has Cisco IOS Clientless SSL VPN (WebVPN) enhanced support enabled:
Router#show webvpn gateway
Gateway Name  Admin  Operation
------------  -----  ---------
web-server    up     up
If the command does not produce any output, Cisco IOS Clientless SSL VPN (WebVPN) enhanced support is not enabled.
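The checks in this section can be applied to captured command output in bulk. The following Python helper is an added example, not part of the Cisco advisory: the function names, the dictionary layout and the second sample device are assumptions for illustration, and it does not compare the running release against the fixed-software table.

```python
import re

# Image name as shown in the "show version" banner: (PLATFORM-FEATURESET-FORMAT).
IMAGE_RE = re.compile(r"\(([A-Z0-9_]+(?:-[A-Z0-9_]+)+)\)")


def feature_designator(show_version):
    """Return the feature designator field, e.g. 'IK9S' from (C7200-IK9S-M)."""
    match = IMAGE_RE.search(show_version)
    return match.group(1).split("-")[1] if match else None


def has_crypto(show_version):
    """Crypto images carry 'K8' or 'K9' in the feature designator."""
    designator = feature_designator(show_version)
    return designator is not None and ("K8" in designator or "K9" in designator)


def _has_output(text):
    """True if a show command printed something other than a CLI error ('% ...')."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    return any(not line.startswith("%") for line in lines)


def ssl_services(outputs):
    """List the SSL-using services named in the advisory that appear enabled."""
    found = []
    for line in outputs.get("show run", "").splitlines():
        words = line.split()
        if words == ["ip", "http", "secure-server"]:  # "no ip http ..." does not match
            found.append("HTTPS server")
        elif words[:3] == ["cns", "config", "initial"] and "encrypt" in words:
            found.append("CNS Agent with SSL")
    if _has_output(outputs.get("show ip auth-proxy configuration", "")):
        found.append("HTTPS authentication proxy")
    if _has_output(outputs.get("show webvpn gateway", "")):
        found.append("WebVPN")
    return found


def assess(outputs):
    """Summarize exposure; the release still has to be checked against the fix table."""
    crypto = has_crypto(outputs.get("show version", ""))
    services = ssl_services(outputs)
    return {"crypto_image": crypto, "ssl_services": services,
            "check_fixed_release": crypto and bool(services)}


# Device A reuses the sample outputs shown in the advisory text.
DEVICE_A = {
    "show version": "Cisco IOS Software, 7200 Software (C7200-IK9S-M), "
                    "Version 12.3(14)T1, RELEASE SOFTWARE (fc1)",
    "show run": "ip http secure-server\n"
                "cns config initial 10.1.1.1 encrypt no-persist",
    "show ip auth-proxy configuration": "Authentication cache time is 60 minutes\n"
                                        " Auth-proxy name my_pxy",
    "show webvpn gateway": "Gateway Name Admin Operation\nweb-server up up",
}
# Device B is constructed for this example: no crypto image, no SSL services.
DEVICE_B = {
    "show version": "Cisco IOS Software, 2600 Software (C2600-I-M), "
                    "Version 12.3(14)T1, RELEASE SOFTWARE (fc1)",
    "show run": "no ip http secure-server",
    "show ip auth-proxy configuration": "",
    "show webvpn gateway": "% Invalid input detected at '^' marker.",
}

if __name__ == "__main__":
    for name, device in (("A", DEVICE_A), ("B", DEVICE_B)):
        print(name, assess(device))
```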
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
SSL is a protocol designed to provide a secure connection between two hosts. The SSL Protocol is described in RFC4346. While not necessary for the understanding of this advisory, users are encouraged to consult the section "7.3. Handshake Protocol Overview" in RFC4346 as well as Figure 1 in the same section. The text of RFC4346 is available at the following link: http://tools.ietf.org/html/rfc4346#section-7.3.
An attacker can trigger these vulnerabilities after establishing a TCP connection, but prior to the exchange of authentication credentials, such as username/password or certificate. The requirement of the complete TCP 3-way handshake reduces the probability that these vulnerabilities will be exploited through the use of spoofed IP addresses.
An attacker intercepting traffic between two affected devices cannot exploit these vulnerabilities if the SSL session is already established because SSL protects against such injection. However, such an attack could abnormally terminate an existing session, via a TCP RST, for example. The attacker could then wait for a new SSL session to be established and inject malicious packets at the beginning of the new SSL session, thus triggering the vulnerability.
Processing ClientHello Messages May Cause Crash
A vulnerable device may crash when processing a malformed ClientHello message. The ClientHello message is the first to be sent when a client connects to a server. It can also be sent after the SSL session is established; in such cases, the message is sent within the encrypted tunnel.
This vulnerability is documented as Cisco bug ID CSCsb12598 (registered customers only).
Processing ChangeCipherSpec Messages May Cause Crash
A vulnerable device may crash when processing a malformed ChangeCipherSpec message. The ChangeCipherSpec message can only be sent after the ClientHello and ServerHello messages are exchanged. In most cases, the ChangeCipherSpec message is sent within the encrypted tunnel.
This vulnerability is documented as Cisco bug ID CSCsb40304 (registered customers only).
Processing Finished Messages May Cause Crash
A vulnerable device may crash when processing a malformed Finished message. This message can only be sent as a part of a SSL handshake, but not as the first message. The Finished message is always sent within the encrypted tunnel.
This vulnerability is documented as Cisco bug ID CSCsd92405 (registered customers only).
Vulnerability Scoring Details
Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS).
Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco PSIRT will set the bias in all cases to normal. Customers are encouraged to apply the bias parameter when determining the environmental impact of a particular vulnerability.
CVSS is a standards based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at https://sec.cloudapps.cisco.com/security/center/cvssCalculator.x.
CSCsb12598 - Processing ClientHello messages
Calculate the environmental score of CSCsb12598
CVSS Base Score - 3.3
Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
Impact Bias: Normal
Temporal Score - 2.7
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
CSCsb40304 - Processing ChangeCipherSpec messages
Calculate the environmental score of CSCsb40304
CVSS Base Score - 3.3
Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
Impact Bias: Normal
Temporal Score - 2.7
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
CSCsd92405 - Processing Finished messages
Calculate the environmental score of CSCsd92405
CVSS Base Score - 3.3
Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
Impact Bias: Normal
Temporal Score - 2.7
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
-
The only way to prevent a device from being susceptible to the listed vulnerabilities is to disable the affected service(s). However, if regular maintenance and operation of the device relies on these services, there is no workaround.
It is possible to mitigate these vulnerabilities by preventing unauthorized hosts from accessing affected devices. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory. This companion document is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070522-SSL
Control Plane Policing (CoPP)
Control Plane Policing: IOS software versions that support Control Plane Policing (CoPP) can be configured to help protect the device from attacks that target the management and control planes. CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T.
In the following CoPP example, the ACL entries that match the exploit packets with the permit action will be discarded by the policy-map drop function, while packets that match a "deny" action (not shown) are not affected by the policy-map drop function:
!-- Include deny statements up front for any protocols/ports/IP addresses that
!-- should not be impacted by CoPP
!-- Include permit statements for the protocols/ports that will be governed by CoPP
access-list 100 permit tcp any any eq 443
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
!
class-map match-all drop-SSL-class
 match access-group 100
!
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
!
policy-map drop-SSL-policy
 class drop-SSL-class
  drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
!
control-plane
 service-policy input drop-SSL-policy
Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains, the policy-map syntax is different, as demonstrated by the following:
policy-map drop-SSL-policy
 class drop-SSL-class
  police 32000 1500 1500 conform-action drop exceed-action drop
NOTE: In the above CoPP example, the ACL entries with the "permit" action that match the exploit packets result in the discarding of those packets by the policy-map drop function, while packets that match the "deny" action are not affected by the policy-map drop function.
Additional information on the configuration and use of the CoPP feature is available at the following links: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html and http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html.
Access Control List (ACL)
An Access Control List (ACL) can be used to help mitigate attacks targeting these vulnerabilities. ACLs can specify that only packets from legitimate sources are permitted to reach a device, and all others are to be dropped. The following example shows how to allow legitimate SSL sessions from trusted sources and deny all other SSL sessions:
access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 443
access-list 101 deny tcp any any eq 443
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.
Each row of the Cisco IOS software table (below) describes a release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).
For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/warp/public/620/1.html
Major Release: Availability of Repaired Releases
Affected 12.0-Based Release: Rebuild, Maintenance
12.0T: Vulnerable; migrate to 12.2(46) or later
12.0WC: 12.0(5)WC17
12.0XE: Vulnerable; migrate to 12.1(26)E8 or later
12.0XH: Vulnerable; migrate to 12.2(46) or later
12.0XI: Vulnerable; migrate to 12.2(46) or later
12.0XK: Vulnerable; migrate to 12.2(46) or later
12.0XL: Vulnerable; migrate to 12.2(46) or later
12.0XN: Vulnerable; migrate to 12.2(46) or later
12.0XQ: Vulnerable; migrate to 12.2(46) or later
12.0XR: Vulnerable; migrate to 12.2(46) or later
12.0XV: Vulnerable; migrate to 12.2(46) or later
Affected 12.1-Based Release: Rebuild, Maintenance
12.1: Vulnerable; migrate to 12.2(46) or later
12.1AY: Vulnerable; migrate to 12.1(22)EA9 or later
12.1CX: Vulnerable; migrate to 12.2(46) or later
12.1E: 12.1(26)E8, 12.1(27b)E2; available 25-June-07
12.1EA: 12.1(22)EA9
12.1EB: 12.1(26)EB2; available 30-July-07
12.1EC: Vulnerable; migrate to 12.3(21)BC or later
12.1EW: Vulnerable; migrate to 12.2(25)EWA9 or later
12.1EX: Vulnerable; migrate to 12.1(26)E8 or later
12.1EY: Vulnerable; migrate to 12.1(26)E8 or later
12.1T: Vulnerable; migrate to 12.2(46) or later
12.1XC: Vulnerable; migrate to 12.2(46) or later
12.1XD: Vulnerable; migrate to 12.2(46) or later
12.1XF: Vulnerable; migrate to 12.3(22) or later
12.1XG: Vulnerable; migrate to 12.3(22) or later
12.1XH: Vulnerable; migrate to 12.2(46) or later
12.1XI: Vulnerable; migrate to 12.2(46) or later
12.1XJ: Vulnerable; migrate to 12.3(22) or later
12.1XL: Vulnerable; migrate to 12.3(22) or later
12.1XM: Vulnerable; migrate to 12.3(22) or later
12.1XP: Vulnerable; migrate to 12.3(22) or later
12.1XQ: Vulnerable; migrate to 12.3(22) or later
12.1XT: Vulnerable; migrate to 12.3(22) or later
12.1XU: Vulnerable; migrate to 12.3(22) or later
12.1YB: Vulnerable; migrate to 12.3(22) or later
12.1YC: Vulnerable; migrate to 12.3(22) or later
12.1YD: Vulnerable; migrate to 12.3(22) or later
12.1YE: Vulnerable; migrate to 12.3(22) or later
12.1YF: Vulnerable; migrate to 12.3(22) or later
12.1YI: Vulnerable; migrate to 12.3(22) or later
Affected 12.2-Based Release: Rebuild, Maintenance
12.2: 12.2(40a), 12.2(46)
12.2B: Vulnerable; migrate to 12.4(10) or later
12.2BC: Vulnerable; migrate to 12.3(21)BC or later
12.2BW: Vulnerable; migrate to 12.3(22) or later
12.2BY: Vulnerable; migrate to 12.4(10) or later
12.2BZ: Vulnerable; contact TAC
12.2CX: Vulnerable; migrate to 12.3(21)BC or later
12.2CY: Vulnerable; migrate to 12.3(21)BC or later
12.2CZ: Vulnerable; contact TAC
12.2DD: Vulnerable; migrate to 12.4(10) or later
12.2EW: Vulnerable; migrate to 12.2(25)EWA9 or later
12.2EWA: 12.2(25)EWA9
12.2EX: Vulnerable; migrate to 12.2(25)SEE3 or later
12.2EY: Vulnerable; migrate to 12.2(25)SEE3 or later
12.2EZ: Vulnerable; migrate to 12.2(25)SEE3 or later
12.2FX: Vulnerable; migrate to 12.2(25)SEE3 or later
12.2FY: Vulnerable; migrate to 12.2(25)SEG2 or later
12.2FZ: Vulnerable; migrate to 12.2(35)SE or later
12.2JA: Vulnerable; migrate to 12.3(11)JA or later
12.2JK: Vulnerable; migrate to 12.4(11)T or later
12.2S: 12.2(14)S13a, 12.2(25)S12, 12.2(18)S0a, 12.2(20)S9a
12.2SB: 12.2(28)SB4b, 12.2(31)SB2
12.2SBC: Vulnerable; migrate to 12.2(31)SB2 or later
12.2SE: 12.2(35)SE
12.2SEA: Vulnerable; migrate to 12.2(25)SEE3 or later
12.2SEB: Vulnerable; migrate to 12.2(25)SEE3 or later
12.2SEC: Vulnerable; migrate to 12.2(25)SEE3 or later
12.2SED: Vulnerable; migrate to 12.2(25)SEE3 or later
12.2SEE: 12.2(25)SEE3
12.2SEF: Vulnerable; migrate to 12.2(35)SE or later
12.2SEG: 12.2(25)SEG2
12.2SG: 12.2(37)SG
12.2SGA: 12.2(31)SGA2; available 11-June-2007
12.2SRA: 12.2(33)SRA2
12.2SU: Vulnerable; migrate to 12.4(10) or later
12.2SV: 12.2(28)SV2, 12.2(29)SV3
12.2SW: 12.2(25)SW9
12.2SX: Vulnerable; migrate to 12.2(18)SXE6a or later
12.2SXA: Vulnerable; migrate to 12.2(18)SXE6a or later
12.2SXB: Vulnerable; migrate to 12.2(18)SXE6a or later
12.2SXD: Vulnerable; migrate to 12.2(18)SXE6a
12.2SXE: 12.2(18)SXE6a
12.2SXF: 12.2(18)SXF8
12.2SY: Vulnerable; migrate to 12.2(18)SXE6a or later
12.2T: Vulnerable; migrate to 12.3(22) or later
12.2TPC: 12.2(8)TPC10b
12.2XA: Vulnerable; migrate to 12.3(22) or later
12.2XB: Vulnerable; migrate to 12.3(22) or later
12.2XD: Vulnerable; migrate to 12.3(22) or later
12.2XE: Vulnerable; migrate to 12.3(22) or later
12.2XF: Vulnerable; migrate to 12.3(21)BC or later
12.2XG: Vulnerable; migrate to 12.3(22) or later
12.2XH: Vulnerable; migrate to 12.3(22) or later
12.2XI: Vulnerable; migrate to 12.3(22) or later
12.2XJ: Vulnerable; migrate to 12.3(22) or later
12.2XK: Vulnerable; migrate to 12.3(22) or later
12.2XL: Vulnerable; migrate to 12.3(22) or later
12.2XM: Vulnerable; migrate to 12.3(22) or later
12.2XN: Vulnerable; migrate to 12.3(22) or later
12.2XQ: Vulnerable; migrate to 12.3(22) or later
12.2XR: Vulnerable; migrate to 12.3(22) or later
12.2XS: Vulnerable; migrate to 12.3(22) or later
12.2XT: Vulnerable; migrate to 12.3(22) or later
12.2XU: Vulnerable; migrate to 12.3(22) or later
12.2XV: Vulnerable; migrate to 12.3(22) or later
12.2XW: Vulnerable; migrate to 12.3(22) or later
12.2YA: Vulnerable; migrate to 12.3(22) or later
12.2YB: Vulnerable; migrate to 12.3(22) or later
12.2YC: Vulnerable; migrate to 12.3(22) or later
12.2YD: Vulnerable; migrate to 12.4(10) or later
12.2YE: Vulnerable; migrate to 12.2(25)S12 or later
12.2YF: Vulnerable; migrate to 12.3(22) or later
12.2YJ: Vulnerable; migrate to 12.3(22) or later
12.2YL: Vulnerable; migrate to 12.4(10) or later
12.2YM: Vulnerable; migrate to 12.4(10) or later
12.2YN: Vulnerable; migrate to 12.4(10) or later
12.2YQ: Vulnerable; migrate to 12.4(10) or later
12.2YR: Vulnerable; migrate to 12.4(10) or later
12.2YU: Vulnerable; migrate to 12.4(10) or later
12.2YV: Vulnerable; migrate to 12.4(10) or later
12.2YW: Vulnerable; migrate to 12.4(10) or later
12.2YX: Vulnerable; migrate to 12.4(10) or later
12.2YY: Vulnerable; migrate to 12.4(10) or later
12.2YZ: Vulnerable; contact TAC
12.2ZA: Vulnerable; migrate to 12.2(18)SXE6a or later
12.2ZB: Vulnerable; migrate to 12.4(10) or later
12.2ZD: Vulnerable; contact TAC
12.2ZE: Vulnerable; migrate to 12.3(22) or later
12.2ZF: Vulnerable; migrate to 12.4(10) or later
12.2ZH: Vulnerable; contact TAC
12.2ZJ: Vulnerable; migrate to 12.4(10) or later
12.2ZL: Vulnerable; contact TAC
12.2ZN: Vulnerable; migrate to 12.4(10) or later
12.2ZU: Vulnerable; contact TAC
12.2ZV: Vulnerable; contact TAC
12.2ZW: Vulnerable; contact TAC
12.2ZX: Vulnerable; contact TAC
Affected 12.3-Based Release: Rebuild, Maintenance
12.3: 12.3(21a), 12.3(22)
12.3B: Vulnerable; migrate to 12.4(10) or later
12.3BC: 12.3(17b)BC5, 12.3(21)BC
12.3JA: 12.3(11)JA
12.3JEA: 12.3(8)JEA
12.3JK: Vulnerable; contact TAC
12.3JX: Vulnerable; contact TAC
12.3T: Vulnerable; migrate to 12.4(10) or later
12.3TPC: 12.2(8)TPC10b
12.3XA: Vulnerable; contact TAC
12.3XB: Vulnerable; migrate to 12.4(10) or later
12.3XC: Vulnerable; contact TAC
12.3XD: Vulnerable; migrate to 12.4(10) or later
12.3XE: Vulnerable; contact TAC
12.3XF: Vulnerable; migrate to 12.4(10) or later
12.3XG: Vulnerable; contact TAC
12.3XH: Vulnerable; migrate to 12.4(10) or later
12.3XI: Vulnerable; contact TAC
12.3XJ: Vulnerable; migrate to 12.4(11)T or later
12.3XK: Vulnerable; contact TAC
12.3XQ: Vulnerable; migrate to 12.4(10) or later
12.3XR: Vulnerable; contact TAC
12.3XS: Vulnerable; migrate to 12.4(10) or later
12.3XU: Vulnerable; migrate to 12.4(11)T or later
12.3XW: Vulnerable; migrate to 12.4(11)T or later
12.3XX: 12.3(8)XX2d
12.3YA: Vulnerable; contact TAC
12.3YD: Vulnerable; migrate to 12.4(11)T or later
12.3YF: Vulnerable; migrate to 12.4(11)T or later
12.3YG: Vulnerable; migrate to 12.4(11)T or later
12.3YH: Vulnerable; migrate to 12.4(11)T or later
12.3YI: Vulnerable; migrate to 12.4(11)T or later
12.3YK: Vulnerable; migrate to 12.4(11)T or later
12.3YQ: Vulnerable; migrate to 12.4(11)T or later
12.3YS: Vulnerable; migrate to 12.4(11)T or later
12.3YT: Vulnerable; migrate to 12.4(11)T or later
12.3YU: Vulnerable; contact TAC
12.3YX: Vulnerable; migrate to 12.4(11)T or later
12.3YZ: Vulnerable; contact TAC
Affected 12.4-Based Release: Rebuild, Maintenance
12.4: 12.4(3h), 12.4(10), 12.4(7d), 12.4(8c)
12.4T: 12.4(4)T6, 12.4(11)T, 12.4(6)T7, 12.4(9)T3
12.4XA: Vulnerable; migrate to 12.4(11)T or later
12.4XB: Vulnerable; contact TAC
12.4XC: 12.4(4)XC4
12.4XD: 12.4(4)XD5
12.4XE: Vulnerable; contact TAC
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this Advisory.
These vulnerabilities were discovered by Cisco during internal testing.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.4 (2008-June-27): Updated Summary to remove link and verbiage.
Revision 1.3 (2007-October-19): Replaced rebuild release for 12.4 from 12.4(3)g to 12.4(3h).
Revision 1.2 (2007-June-27): The first fixed release for 12.2SXF changed from 12.2(18)SXF7 to 12.2(18)SXF8.
Revision 1.1 (2007-May-25): Updated fixed IOS releases.
Revision 1.0 (2007-May-22): Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.