6500 ACE MODULE: CVE-2010-4180 and CVE-2005-2969

imfvieira · ‎09-02-2014

Hello,

The version 3.0(0)A5(1.2) is vulnerable to these CVEs. I was looking for fix but it´s hard to find good information at Cisco Release Notes.

I was checking if the version A5(3.0) would fix it, but nothing is said in release notes.

Anyone know if newer version fixes it or know other source of information?

Thanks.

Felipe Lima · ‎09-15-2014

Hi,

The first vulnerability has been documented by the ACE team under Cisco

This vulnerability was resolved by the engineering team by disabling the

affected function call. This particular feature was not in use by the ACE

device. The issue was first resolved in Version 3.0(0)A4(1.0.72) back in

2011.

The second vulnerbility identified by CVE-2005-2969 does not have a public

bug ID. However, the engineering team has evaluated the impact of this

issue. The affected padding functions were never enabled in the ACE

software and the device is not affected. This would remain the case even

if SSLv2 were to be enabled on the device for legacy browser compatibility.

I hope it helps you.

Regards,

Felipe Lima

imfvieira · ‎09-18-2014

Hi Felipe,

Thanks for the answer,

There isn´t information about A5(3.0) in the bug description. Is there any public Cisco document about CVE-2005-2969?

Regards,

Felipe Lima · ‎09-18-2014

Hello,

I don't have much information besides this one. Sorry :(

Regards,

Felipe Lima