Vulnerability Issues in SSL - Bug ID CSCec45573

Does this affect all Cisco PIX firewall versions, including 6.3(1)?

Need a quick answer.

Thanks,

Emanuel

Re: Vulnerability Issues in SSL - Bug ID CSCec45573

Emanuel -

From what I understand and from the 2nd URL (Cisco) I presume all PIX IOS is vulnerable, but I've not checked this with Cisco TAC yet. If Scott or Glenn / Mynul are reading this, then please can you shed a little info on this.

http://www.cert.org/advisories/CA-2002-23.html - CERT

http://www.cisco.com/en/US/tech/tk583/tk618/technologies_security_advisory09186a00801c5975.shtml

Thanks,

Re: Vulnerability Issues in SSL - Bug ID CSCec45573

Your presumptions are correct. All PIX code (after 6.0 since this is when we added SSL support for PDM) is vulnerable. The DDTS that is tracking this fix is CSCec31274. Right now, the only fix is 6.3(3.102) which is not available via CCO. I am not 100% sure what the timeframe is for getting a fix posted to CCO but if you would like to get a copy of the interim code with the fix, please open a TAC case and request this version. If you want a fixed version of 6.1 and/or 6.2, also open a TAC case and request that a build be made available. Hope this helps clarify.

Scott

Re: Vulnerability Issues in SSL - Bug ID CSCec45573

Is there a date set for when the release with the fix will be published on CCO?

Thanks,

Best regards

Emanuel

Re: Vulnerability Issues in SSL - Bug ID CSCec45573

I opened a TAC case yesterday requesting the patch/fix for 6.2. The TAC engineer replied today that the code 6.2.3 (released on Aug 28, 2003) has already addressed this vulnerability and has been available for download via CCO.

This is not in line with what I understand so far. I feel I am a little bit confused. Please confirm whether the PIX IOS that has been available for download since August 28 has already addressed this vulnerability. If not, when will it be available?

Thanks.

- a confused customer-

Re: Vulnerability Issues in SSL - Bug ID CSCec45573

Sorry, but you have a right to be confused. 6.2(3) does *not* contain the fix for this vulnerability. The actual DDTS for the SSL vulnerability on the PIX is CSCec31274 and is fixed in 6.2(3.102), 6.0(4.101), 6.1(5.101), and 6.3(3.102). DDTS CSCec45573 is actually for the FWSM (Firewall blade for the 6500/7600 chassis). Please contact your TAC engineer and request that one of these builds be posted for you. At this time, we have no immediate plans to release a new maintenance release for any of these versions until sometime after the first of the year. All interim builds are fully TAC supported and only contain bug fixes (no new features) so the likelihood of running into new issues is relatively slim (only regression bugs caused by new fixes which are actually rare).

Again, sorry for the confusion. Hope this helps.

Scott
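
The version confusion in this thread (6.2(3) versus 6.2(3.102)) can be checked mechanically across an inventory. The following is an added example, not part of the original posts or any Cisco tool; it uses only the fixed builds named in the reply above and assumes that a build at or above the listed interim in the same release train carries the fix. The host names and the `audit` helper are constructed for illustration.

```python
import re

# Fixed interim builds per release train for CSCec31274, as listed in the thread.
FIXED = {(6, 0): (4, 101), (6, 1): (5, 101), (6, 2): (3, 102), (6, 3): (3, 102)}

_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)$")


def parse_pix_version(text):
    """Split 'major.minor(maint)' or 'major.minor(maint.interim)' into
    a (major, minor) train and a (maint, interim) build tuple."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PIX version: {text!r}")
    major, minor, maint, interim = m.groups()
    # A plain maintenance release such as 6.2(3) has no interim number: treat as 0.
    return (int(major), int(minor)), (int(maint), int(interim or 0))


def ssl_fix_status(text):
    """Classify one version string against the builds named in the thread."""
    train, build = parse_pix_version(text)
    if train < (6, 0):
        return "not affected"  # thread: SSL was added with PDM support in 6.0
    if train not in FIXED:
        return "unknown"       # train is not discussed in the thread
    # Assumption: later builds in the same train retain the fix.
    return "fixed" if build >= FIXED[train] else "vulnerable"


def audit(inventory):
    """Map each host to its status; inventory is {hostname: version string}."""
    return {host: ssl_fix_status(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical host names).
SAMPLE = {
    "fw-edge": "6.3(1)",
    "fw-dmz": "6.2(3)",
    "fw-lab": "6.2(3.102)",
    "fw-legacy": "5.3(4)",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:10s} {SAMPLE[host]:12s} {status}")
```
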
