Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX and OpenSSH Security buffer.adv advisory

Are any of the PIX OS versions susceptible to the latest OpenSSH Security buffer.adv advisory?

Cisco Employee

Re: PIX and OpenSSH Security buffer.adv advisory

None of the PIX, FWSM, IOS, VPN3000, VPN5000 or CatOS SSH code is based on OpenSSH code, and therefore is NOT susceptible to the latest vulnerability.

Not sure on the IDS code as yet, we're still checking into it.

I'd keep checking here ( if you're interested, when we know more I'd say we'll release an announcement here.

New Member

Re: PIX and OpenSSH Security buffer.adv advisory

CatOS is susceptible, PIX is not.

The following products, have their SSH server implementation based on the OpenSSH code, and are affected by the OpenSSH vulnerabilities.

* Cisco Catalyst Switching Software (CatOS)

* CiscoWorks 1105 Hosting Solution Engine (HSE)

* CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)

* Cisco SN 5428 Storage Router

Vulnerable versions are:

* SN5428-2.5.1-K9

* SN5428-3.2.1-K9

* SN5428-3.2.2-K9

* SN5428-3.3.1-K9

* SN5428-3.3.2-K9

* SN5428-2-3.3.1-K9

* SN5428-2-3.3.2-K9

This does not include release sr2122-3.1.1-K9, which only contains SSL and no SSH. Cisco has not released code with SSH for the SN5420 storage router.

The following products, which incorporate a SSH server, have been confirmed to be not vulnerable to the OpenSSH vulnerabilities.

* Cisco IOS, both SSH version 1.5 and SSH version 2.0

* Cisco PIX Firewall

* Cisco Catalyst 6000 FireWall Service Module (FWSM)

* Cisco VPN3000 and Cisco VPN5000

No other Cisco products are currently known to be affected by these vulnerabilities.

New Member

Re: PIX and OpenSSH Security buffer.adv advisory

Just to clarify:

The CSIDS appliance is vulnerable (as per the updated advisory, and my own testing), but the IDSM is not.