Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
Hi All - The Cisco PSIRT has been sending IOS Security Advisories to the NANOG mailing list for well over a decade. We started this process a long time ago at the request of the list’s then-membership and haven’t been asked to change since. Admittedly, vulnerability disclosure/discussion/reporting has changed a bit over the years and we may be a bit overdue on rethinking the need to send to NANOG. :) Given that there are a number of forums that more directly address either Cisco-specific issues or are specific to vulnerability announcements, we’re happy to discontinue sending to the NANOG list directly. Cisco maintains a mailing list and RSS feed to which we send our Security Advisories, and you’re welcome to join if interested: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html#rsvifc Thanks, Clay signature.asc Description: Message signed with OpenPGP using GPGMail
RE: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
Given that probably 80+% (a guess, but I'd be really surprised at a lower figure) of all internet traffic crosses at least one Cisco device somewhere, I think it would be a huge disservice to discontinue sending these emails. 10 to 15 emails per year isn't much overhead, compared to seemingly never-discussions on mandatory email legal signatures and other fluff. Chuck -Original Message- From: Clay Kossmeyer [mailto:ckoss...@cisco.com] Sent: Tuesday, April 01, 2014 2:44 PM To: nanog@nanog.org Cc: Clay Seaman-Kossmeyer (ckossmey) Subject: Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability Hi All - The Cisco PSIRT has been sending IOS Security Advisories to the NANOG mailing list for well over a decade. We started this process a long time ago at the request of the list's then-membership and haven't been asked to change since. Admittedly, vulnerability disclosure/discussion/reporting has changed a bit over the years and we may be a bit overdue on rethinking the need to send to NANOG. :) Given that there are a number of forums that more directly address either Cisco-specific issues or are specific to vulnerability announcements, we're happy to discontinue sending to the NANOG list directly. Cisco maintains a mailing list and RSS feed to which we send our Security Advisories, and you're welcome to join if interested: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy. html#rsvifc Thanks, Clay
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
On Tue, 01 Apr 2014 15:24:32 -0400, Chuck Church said: Given that probably 80+% (a guess, but I'd be really surprised at a lower figure) of all internet traffic crosses at least one Cisco device somewhere, I think it would be a huge disservice to discontinue sending these emails. Actually, the *real* value here is for those of us who are *not* Cisco shops, but the box at the other end of the wire *is*, so that we can be aware of what possible problems the other end may encounter pgp6sOTouUnck.pgp Description: PGP signature
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
--- ckoss...@cisco.com wrote: From: Clay Kossmeyer ckoss...@cisco.com [...] we’re happy to discontinue sending to the NANOG list directly. -- Instead of discontinuing them how about one email that contains all the details, rather than one email per detail. Similar to what I sent to the list earlier. For example: -- The Semiannual Cisco IOS Software Security Advisory has been released. For information please goto this URL: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html Advisory titles: - Session Initiation Protocol Denial of Service Vulnerability - Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet Uplinks Denial of Service Vulnerability - Internet Key Exchange Version 2 Denial of Service Vulnerability - Network Address Translation Vulnerabilities - SSL VPN Denial of Service Vulnerability - Crafted IPv6 Packet Denial of Service Vulnerability --- scott
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
The Cisco PSIRT has been sending IOS Security Advisories to the NANOG mailing list for well over a decade Thank you, much appreciated Given that there are a number of forums that more directly address either Cisco-specific issues or are specific to vulnerability announcements, were happy to discontinue sending to the NANOG list directly. They are lost in the noise of some endless threads Cisco maintains a mailing list and RSS feed to which we send our Security Advisories NANOG having a filtered feed of ISP backbone risk level advisorises seems fair brandon
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
On Tue, 1 Apr 2014, Brandon Butterworth wrote: The Cisco PSIRT has been sending IOS Security Advisories to the NANOG mailing list for well over a decade Thank you, much appreciated Given that there are a number of forums that more directly address either Cisco-specific issues or are specific to vulnerability announcements, we?re happy to discontinue sending to the NANOG list directly. They are lost in the noise of some endless threads Cisco maintains a mailing list and RSS feed to which we send our Security Advisories NANOG having a filtered feed of ISP backbone risk level advisorises seems fair brandon One of the reasons I subscribe to the NANOG list is to get these security advisories. I can always subscribe to another security list if necessary but I would would hope that CISCO would continue to send these notices, even if they are in a digest format. Ted Hatfield
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
On 04/01/2014 11:44 AM, Clay Kossmeyer wrote: Hi All - The Cisco PSIRT has been sending IOS Security Advisories to the NANOG mailing list for well over a decade. We started this process a long time ago at the request of the list’s then-membership and haven’t been asked to change since. Admittedly, vulnerability disclosure/discussion/reporting has changed a bit over the years and we may be a bit overdue on rethinking the need to send to NANOG. :) Given that there are a number of forums that more directly address either Cisco-specific issues or are specific to vulnerability announcements, we’re happy to discontinue sending to the NANOG list directly. Cisco maintains a mailing list and RSS feed to which we send our Security Advisories, and you’re welcome to join if interested: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html#rsvifc Its true this information is also available in other forums, but I don't have time to filter thru all of those. I *do* have time for nanog, however, because of the good cross section represented here and because it's worthwhile to be aware of what may be happening in other people's camps, because very frequently problems on one side of the wire can spill over and affect the other side as well. I think the advisories are highly relevent then and absolutely should be included here on nanog. Thanks.
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
From: Clay Kossmeyer ckoss...@cisco.com To: nanog@nanog.org Cc: Clay Seaman-Kossmeyer (ckossmey) ckoss...@cisco.com Sent: Tuesday, April 1, 2014 11:44 AM Subject: Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability Hi All - The Cisco PSIRT has been sending IOS Security Advisories to the NANOG mailing list for well over a decade. We started this process a long time ago at the request of the list’s then-membership and haven’t been asked to change since. Admittedly, vulnerability disclosure/discussion/reporting has changed a bit over the years and we may be a bit overdue on rethinking the need to send to NANOG. :) Given that there are a number of forums that more directly address either Cisco-specific issues or are specific to vulnerability announcements, we’re happy to discontinue sending to the NANOG list directly. Cisco maintains a mailing list and RSS feed to which we send our Security Advisories, and you’re welcome to join if interested: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html#rsvifc Thanks, Clay Touche'! such is NANOG...a few who post more frequently than most like to umm... Speak-UP. ./Randy
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
On Friday, March 28, 2014 05:48:29 AM Shrdlu wrote: Why? Personally, I think it's fine. It only happens (at most) every six months (and sometimes more like a year). I think it's fine too. As I'm sure you know, if you're a Cisco customer, you can subscribe to their internal notification services where you'll get this anyway. That they consolidate the most critical bug information and push it out to the typical operational mailing lists a couple of times a year is not such a problem, I'd say. For some, this could be the only way they find out. Mark. signature.asc Description: This is a digitally signed message part.
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
The Full-disclosure mailing list was recently... retired, I guess cisco thought NANOG was the next best place. On Wed, Mar 26, 2014 at 10:45 AM, rw...@ropeguru.com rw...@ropeguru.comwrote: Is this normal for the list to diretly get Cisco security advisories or something new. First time I have seen these. Robert On Wed, 26 Mar 2014 12:10:00 -0400 Cisco Systems Product Security Incident Response Team ps...@cisco.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco IOS Software SSL VPN Denial of Service Vulnerability Advisory ID: cisco-sa-20140326-ios-sslvpn Revision 1.0 For Public Release 2014 March 26 16:00 UTC (GMT) Summary === A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/ CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJTMeUtAAoJEIpI1I6i1Mx3BJ4P/Aytcbvaue49DkNDq0G+3C8+ mv2W8/1HeqSvrmbc8QUJrelPA1kfYXGSf+7VX9lpwTdKKPrMPpkso1WXA7tK2t5i uiaqy8+KON/V3uFTjLhSBxZsMmSYws/uO8rV9oY7NLGfv2cwGztEbrKwz9g5Hsfc X3TlEgPaX73a/xb92eP//+e31ZNCPw6NRKmUfi6v7YG38WNghT7lqtI7GVlHiAkd atAqZ8NOyn7V+lHNjdOpAzFplo6R+GZCBfAFkEYuEU3dAAccMQbkaq6XgZAigycn dko3EWzfa+I/4RHDrRIa/XAY6Ogrnp/jmaTm4sGF2aqQOASH7X/oDU4X6KnD6ixo RicU1XeEsxgh5/FOf0wWo53BTcf/1nx34LkazZ6k6+jh8193IRWGb9J90E7S+/M8 2jbB8kwxuroH1qQ73jqguiuTC0eemPn2k5MS01ZAfcIEJPcA4OyTkuA/3tiISeYQ 0GesrJ3m7WOovFNSIq8v4WaTMcvZO9vHLZ/6BMcd4a+1uPnzPeR9rfI8JA2VA8Wd EAjbKdWA/kPxbVop2ajRjYTl7uMN6/g9SFP/eBjWpAFLnUfE6n1b24cn9v26OQpB ZxuMKA6eaeoT88KlouxudQcAgtpZZFzp4/ghWCy8q82WhHg4uDqw3R243rRxaBa7 RF3x0wYuErbbC7N9m1UH =1Ixo -END PGP SIGNATURE-
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
For anyone who was subscribed to the old full-disclosure list ... Fydor of nmap has brought it back to life. Infolink @ http://insecure.org/news/fulldisclosure/ Subscribe @ http://nmap.org/mailman/listinfo/fulldisclosure On Mar 26, 2014, at 10:52 AM, kendrick eastes keas...@gmail.com wrote: The Full-disclosure mailing list was recently... retired, I guess cisco thought NANOG was the next best place. On Wed, Mar 26, 2014 at 10:45 AM, rw...@ropeguru.com rw...@ropeguru.comwrote: Is this normal for the list to diretly get Cisco security advisories or something new. First time I have seen these. Robert On Wed, 26 Mar 2014 12:10:00 -0400 Cisco Systems Product Security Incident Response Team ps...@cisco.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco IOS Software SSL VPN Denial of Service Vulnerability Advisory ID: cisco-sa-20140326-ios-sslvpn Revision 1.0 For Public Release 2014 March 26 16:00 UTC (GMT) Summary === A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/ CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJTMeUtAAoJEIpI1I6i1Mx3BJ4P/Aytcbvaue49DkNDq0G+3C8+ mv2W8/1HeqSvrmbc8QUJrelPA1kfYXGSf+7VX9lpwTdKKPrMPpkso1WXA7tK2t5i uiaqy8+KON/V3uFTjLhSBxZsMmSYws/uO8rV9oY7NLGfv2cwGztEbrKwz9g5Hsfc X3TlEgPaX73a/xb92eP//+e31ZNCPw6NRKmUfi6v7YG38WNghT7lqtI7GVlHiAkd atAqZ8NOyn7V+lHNjdOpAzFplo6R+GZCBfAFkEYuEU3dAAccMQbkaq6XgZAigycn dko3EWzfa+I/4RHDrRIa/XAY6Ogrnp/jmaTm4sGF2aqQOASH7X/oDU4X6KnD6ixo RicU1XeEsxgh5/FOf0wWo53BTcf/1nx34LkazZ6k6+jh8193IRWGb9J90E7S+/M8 2jbB8kwxuroH1qQ73jqguiuTC0eemPn2k5MS01ZAfcIEJPcA4OyTkuA/3tiISeYQ 0GesrJ3m7WOovFNSIq8v4WaTMcvZO9vHLZ/6BMcd4a+1uPnzPeR9rfI8JA2VA8Wd EAjbKdWA/kPxbVop2ajRjYTl7uMN6/g9SFP/eBjWpAFLnUfE6n1b24cn9v26OQpB ZxuMKA6eaeoT88KlouxudQcAgtpZZFzp4/ghWCy8q82WhHg4uDqw3R243rRxaBa7 RF3x0wYuErbbC7N9m1UH =1Ixo -END PGP SIGNATURE- signature.asc Description: Message signed with OpenPGP using GPGMail
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
On Wed, Mar 26, 2014 at 10:52:42AM -0600, kendrick eastes wrote: The Full-disclosure mailing list was recently... retired, I guess cisco thought NANOG was the next best place. Nope, they've been sending these things here for as long as I can remember. I have NFI why -- probably hubris, thinking that everyone running a network *must* have some Cisco somewhere. - Matt
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
On 3/27/2014 4:07 PM, Matt Palmer wrote: On Wed, Mar 26, 2014 at 10:52:42AM -0600, kendrick eastes wrote: The Full-disclosure mailing list was recently... retired, I guess cisco thought NANOG was the next best place. Nope, they've been sending these things here for as long as I can remember. I have NFI why -- probably hubris, thinking that everyone running a network *must* have some Cisco somewhere. There used to be cisco 'wigs with well-known names on NANOG. One of them was probably asked to do it. -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
I wonder if they should be invited to only post a single message with the titles and links to the alerts so that people can follow it up. They should also include a link to their own list that they send the full alerts to. That way there could be some headline alerting to people that there is something in that topic available but avoids sending each alert to the list every time. Depends on compliance with the charter for the list but I think it might be nice list etiquette. Regards Alexander On 28/03/2014, at 3:27 pm, Larry Sheldon larryshel...@cox.net wrote: On 3/27/2014 4:07 PM, Matt Palmer wrote: On Wed, Mar 26, 2014 at 10:52:42AM -0600, kendrick eastes wrote: The Full-disclosure mailing list was recently... retired, I guess cisco thought NANOG was the next best place. Nope, they've been sending these things here for as long as I can remember. I have NFI why -- probably hubris, thinking that everyone running a network *must* have some Cisco somewhere. There used to be cisco 'wigs with well-known names on NANOG. One of them was probably asked to do it. -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
On 3/27/2014 7:44 PM, Alexander Neilson wrote: I wonder if they should be invited to only post a single message with the titles and links to the alerts so that people can follow it up. Why? Personally, I think it's fine. It only happens (at most) every six months (and sometimes more like a year). Depends on compliance with the charter for the list but I think it might be nice list etiquette. I'm surprised at the level of concern over this, considering it's an event that has been going on since before most of those posting about this were even on this list. I'm hoping (in vain, I'm sure) that my gently pointing out that those posts are useful to many people, and that their occurrence predates most of you, will make this non-issue die away (and you make me REALLY MISS srh). While I still worked (I don't now; I'm retired), it was nice to have those alerts, because it could be checked against the *things* *that* *should* *be* *patched* for sanity. Even now, there's still Cisco stuff on my toy network, and I *still* care. Could we just stick to the interesting issues of IPv6, and SMTP, and move on? Please? -- You've confused equality of opportunity for equality of outcomes, and have seriously confused justice with equality. (Woodchuck)
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
Alexander Neilson alexan...@neilson.net.nz wrote: I wonder if they should be invited to only post a single message with the titles and links to the alerts so that people can follow it up. i would prefer that the header be in blue, the titles in green, and the urls in magenta, in comic sans, of course randy
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
On 3/27/2014 11:57 PM, Randy Bush wrote: Alexander Neilson alexan...@neilson.net.nz wrote: I wonder if they should be invited to only post a single message with the titles and links to the alerts so that people can follow it up. i would prefer that the header be in blue, the titles in green, and the urls in magenta, in comic sans, of course I prefer flat ASCII text. That will shut most of them up. -- Requiescas in pace o email Two identifying characteristics of System Administrators: Ex turpi causa non oritur actio Infallibility, and the ability to learn from their mistakes. (Adapted from Stephen Pinker)
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
On 3/28/2014 12:57 AM, Randy Bush wrote: Alexander Neilson alexan...@neilson.net.nz wrote: I wonder if they should be invited to only post a single message with the titles and links to the alerts so that people can follow it up. i would prefer that the header be in blue, the titles in green, and the urls in magenta, in comic sans, of course randy I disagree vehemently. That's far too simple of a system and doesn't convey the necessary information that should be in a summary document. Titles should be either cerise, amaranth or raspberry coloured, depending on the bug's severity, and the headers should be blue-gray, glaucous or steel blue depending on the day of the week the bug was discovered. Some people might whine that those colors are too close to each other, but they can just buy a colorimeter -- that's an operational problem anyways. I can agree to comic sans, as long as it blinks. Actually, we should probably just set up a committee for report styling. We really need an industry standard for this, and one that covers all possible reporting needs for at least the next 20 years. Shouldn't take more than a few weeks. I think I have a TPS report template around here that would be a great starting point :p
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
Is this normal for the list to diretly get Cisco security advisories or something new. First time I have seen these. Robert On Wed, 26 Mar 2014 12:10:00 -0400 Cisco Systems Product Security Incident Response Team ps...@cisco.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco IOS Software SSL VPN Denial of Service Vulnerability Advisory ID: cisco-sa-20140326-ios-sslvpn Revision 1.0 For Public Release 2014 March 26 16:00 UTC (GMT) Summary === A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJTMeUtAAoJEIpI1I6i1Mx3BJ4P/Aytcbvaue49DkNDq0G+3C8+ mv2W8/1HeqSvrmbc8QUJrelPA1kfYXGSf+7VX9lpwTdKKPrMPpkso1WXA7tK2t5i uiaqy8+KON/V3uFTjLhSBxZsMmSYws/uO8rV9oY7NLGfv2cwGztEbrKwz9g5Hsfc X3TlEgPaX73a/xb92eP//+e31ZNCPw6NRKmUfi6v7YG38WNghT7lqtI7GVlHiAkd atAqZ8NOyn7V+lHNjdOpAzFplo6R+GZCBfAFkEYuEU3dAAccMQbkaq6XgZAigycn dko3EWzfa+I/4RHDrRIa/XAY6Ogrnp/jmaTm4sGF2aqQOASH7X/oDU4X6KnD6ixo RicU1XeEsxgh5/FOf0wWo53BTcf/1nx34LkazZ6k6+jh8193IRWGb9J90E7S+/M8 2jbB8kwxuroH1qQ73jqguiuTC0eemPn2k5MS01ZAfcIEJPcA4OyTkuA/3tiISeYQ 0GesrJ3m7WOovFNSIq8v4WaTMcvZO9vHLZ/6BMcd4a+1uPnzPeR9rfI8JA2VA8Wd EAjbKdWA/kPxbVop2ajRjYTl7uMN6/g9SFP/eBjWpAFLnUfE6n1b24cn9v26OQpB ZxuMKA6eaeoT88KlouxudQcAgtpZZFzp4/ghWCy8q82WhHg4uDqw3R243rRxaBa7 RF3x0wYuErbbC7N9m1UH =1Ixo -END PGP SIGNATURE-
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
They don't come out often but it happens. Looks like there were 5 or 6 of them. James -Original Message- From: rw...@ropeguru.com rw...@ropeguru.com Date: Wed, 26 Mar 2014 12:45:18 To: ps...@cisco.com; nanog@nanog.org Reply-To: Robert Webb rw...@ropeguru.com Subject: Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability Is this normal for the list to diretly get Cisco security advisories or something new. First time I have seen these. Robert On Wed, 26 Mar 2014 12:10:00 -0400 Cisco Systems Product Security Incident Response Team ps...@cisco.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco IOS Software SSL VPN Denial of Service Vulnerability Advisory ID: cisco-sa-20140326-ios-sslvpn Revision 1.0 For Public Release 2014 March 26 16:00 UTC (GMT) Summary === A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJTMeUtAAoJEIpI1I6i1Mx3BJ4P/Aytcbvaue49DkNDq0G+3C8+ mv2W8/1HeqSvrmbc8QUJrelPA1kfYXGSf+7VX9lpwTdKKPrMPpkso1WXA7tK2t5i uiaqy8+KON/V3uFTjLhSBxZsMmSYws/uO8rV9oY7NLGfv2cwGztEbrKwz9g5Hsfc X3TlEgPaX73a/xb92eP//+e31ZNCPw6NRKmUfi6v7YG38WNghT7lqtI7GVlHiAkd atAqZ8NOyn7V+lHNjdOpAzFplo6R+GZCBfAFkEYuEU3dAAccMQbkaq6XgZAigycn dko3EWzfa+I/4RHDrRIa/XAY6Ogrnp/jmaTm4sGF2aqQOASH7X/oDU4X6KnD6ixo RicU1XeEsxgh5/FOf0wWo53BTcf/1nx34LkazZ6k6+jh8193IRWGb9J90E7S+/M8 2jbB8kwxuroH1qQ73jqguiuTC0eemPn2k5MS01ZAfcIEJPcA4OyTkuA/3tiISeYQ 0GesrJ3m7WOovFNSIq8v4WaTMcvZO9vHLZ/6BMcd4a+1uPnzPeR9rfI8JA2VA8Wd EAjbKdWA/kPxbVop2ajRjYTl7uMN6/g9SFP/eBjWpAFLnUfE6n1b24cn9v26OQpB ZxuMKA6eaeoT88KlouxudQcAgtpZZFzp4/ghWCy8q82WhHg4uDqw3R243rRxaBa7 RF3x0wYuErbbC7N9m1UH =1Ixo -END PGP SIGNATURE-
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
On Wed, 26 Mar 2014, rw...@ropeguru.com wrote: Is this normal for the list to diretly get Cisco security advisories or something new. First time I have seen these. They do this twice a year, all their advisories were sent here about half a year ago as well. -- Mikael Abrahamssonemail: swm...@swm.pp.se
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
Robert Perfectly normal, almost an announce list for issues like this. On Wed, Mar 26, 2014 at 12:45 PM, rw...@ropeguru.com rw...@ropeguru.com wrote: Is this normal for the list to diretly get Cisco security advisories or something new. First time I have seen these. Robert On Wed, 26 Mar 2014 12:10:00 -0400 Cisco Systems Product Security Incident Response Team ps...@cisco.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco IOS Software SSL VPN Denial of Service Vulnerability Advisory ID: cisco-sa-20140326-ios-sslvpn Revision 1.0 For Public Release 2014 March 26 16:00 UTC (GMT) Summary === A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJTMeUtAAoJEIpI1I6i1Mx3BJ4P/Aytcbvaue49DkNDq0G+3C8+ mv2W8/1HeqSvrmbc8QUJrelPA1kfYXGSf+7VX9lpwTdKKPrMPpkso1WXA7tK2t5i uiaqy8+KON/V3uFTjLhSBxZsMmSYws/uO8rV9oY7NLGfv2cwGztEbrKwz9g5Hsfc X3TlEgPaX73a/xb92eP//+e31ZNCPw6NRKmUfi6v7YG38WNghT7lqtI7GVlHiAkd atAqZ8NOyn7V+lHNjdOpAzFplo6R+GZCBfAFkEYuEU3dAAccMQbkaq6XgZAigycn dko3EWzfa+I/4RHDrRIa/XAY6Ogrnp/jmaTm4sGF2aqQOASH7X/oDU4X6KnD6ixo RicU1XeEsxgh5/FOf0wWo53BTcf/1nx34LkazZ6k6+jh8193IRWGb9J90E7S+/M8 2jbB8kwxuroH1qQ73jqguiuTC0eemPn2k5MS01ZAfcIEJPcA4OyTkuA/3tiISeYQ 0GesrJ3m7WOovFNSIq8v4WaTMcvZO9vHLZ/6BMcd4a+1uPnzPeR9rfI8JA2VA8Wd EAjbKdWA/kPxbVop2ajRjYTl7uMN6/g9SFP/eBjWpAFLnUfE6n1b24cn9v26OQpB ZxuMKA6eaeoT88KlouxudQcAgtpZZFzp4/ghWCy8q82WhHg4uDqw3R243rRxaBa7 RF3x0wYuErbbC7N9m1UH =1Ixo -END PGP SIGNATURE- -- ~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
Thanks everyone for the replies. I guess since they are done so infrequently, I was not a list member the last go around. Robert On Wed, 26 Mar 2014 12:58:44 -0400 Andrew Latham lath...@gmail.com wrote: Robert Perfectly normal, almost an announce list for issues like this. On Wed, Mar 26, 2014 at 12:45 PM, rw...@ropeguru.com rw...@ropeguru.com wrote: Is this normal for the list to diretly get Cisco security advisories or something new. First time I have seen these. Robert On Wed, 26 Mar 2014 12:10:00 -0400 Cisco Systems Product Security Incident Response Team ps...@cisco.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco IOS Software SSL VPN Denial of Service Vulnerability Advisory ID: cisco-sa-20140326-ios-sslvpn Revision 1.0 For Public Release 2014 March 26 16:00 UTC (GMT) Summary === A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJTMeUtAAoJEIpI1I6i1Mx3BJ4P/Aytcbvaue49DkNDq0G+3C8+ mv2W8/1HeqSvrmbc8QUJrelPA1kfYXGSf+7VX9lpwTdKKPrMPpkso1WXA7tK2t5i uiaqy8+KON/V3uFTjLhSBxZsMmSYws/uO8rV9oY7NLGfv2cwGztEbrKwz9g5Hsfc X3TlEgPaX73a/xb92eP//+e31ZNCPw6NRKmUfi6v7YG38WNghT7lqtI7GVlHiAkd atAqZ8NOyn7V+lHNjdOpAzFplo6R+GZCBfAFkEYuEU3dAAccMQbkaq6XgZAigycn dko3EWzfa+I/4RHDrRIa/XAY6Ogrnp/jmaTm4sGF2aqQOASH7X/oDU4X6KnD6ixo RicU1XeEsxgh5/FOf0wWo53BTcf/1nx34LkazZ6k6+jh8193IRWGb9J90E7S+/M8 2jbB8kwxuroH1qQ73jqguiuTC0eemPn2k5MS01ZAfcIEJPcA4OyTkuA/3tiISeYQ 0GesrJ3m7WOovFNSIq8v4WaTMcvZO9vHLZ/6BMcd4a+1uPnzPeR9rfI8JA2VA8Wd EAjbKdWA/kPxbVop2ajRjYTl7uMN6/g9SFP/eBjWpAFLnUfE6n1b24cn9v26OQpB ZxuMKA6eaeoT88KlouxudQcAgtpZZFzp4/ghWCy8q82WhHg4uDqw3R243rRxaBa7 RF3x0wYuErbbC7N9m1UH =1Ixo -END PGP SIGNATURE- -- ~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~
Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability
These also get posted to other mailing lists, such as cisco-nsp. jms On Wed, 26 Mar 2014, rw...@ropeguru.com wrote: Thanks everyone for the replies. I guess since they are done so infrequently, I was not a list member the last go around. Robert On Wed, 26 Mar 2014 12:58:44 -0400 Andrew Latham lath...@gmail.com wrote: Robert Perfectly normal, almost an announce list for issues like this. On Wed, Mar 26, 2014 at 12:45 PM, rw...@ropeguru.com rw...@ropeguru.com wrote: Is this normal for the list to diretly get Cisco security advisories or something new. First time I have seen these. Robert On Wed, 26 Mar 2014 12:10:00 -0400 Cisco Systems Product Security Incident Response Team ps...@cisco.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco IOS Software SSL VPN Denial of Service Vulnerability Advisory ID: cisco-sa-20140326-ios-sslvpn Revision 1.0 For Public Release 2014 March 26 16:00 UTC (GMT) Summary === A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication. Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJTMeUtAAoJEIpI1I6i1Mx3BJ4P/Aytcbvaue49DkNDq0G+3C8+ mv2W8/1HeqSvrmbc8QUJrelPA1kfYXGSf+7VX9lpwTdKKPrMPpkso1WXA7tK2t5i uiaqy8+KON/V3uFTjLhSBxZsMmSYws/uO8rV9oY7NLGfv2cwGztEbrKwz9g5Hsfc X3TlEgPaX73a/xb92eP//+e31ZNCPw6NRKmUfi6v7YG38WNghT7lqtI7GVlHiAkd atAqZ8NOyn7V+lHNjdOpAzFplo6R+GZCBfAFkEYuEU3dAAccMQbkaq6XgZAigycn dko3EWzfa+I/4RHDrRIa/XAY6Ogrnp/jmaTm4sGF2aqQOASH7X/oDU4X6KnD6ixo RicU1XeEsxgh5/FOf0wWo53BTcf/1nx34LkazZ6k6+jh8193IRWGb9J90E7S+/M8 2jbB8kwxuroH1qQ73jqguiuTC0eemPn2k5MS01ZAfcIEJPcA4OyTkuA/3tiISeYQ 0GesrJ3m7WOovFNSIq8v4WaTMcvZO9vHLZ/6BMcd4a+1uPnzPeR9rfI8JA2VA8Wd EAjbKdWA/kPxbVop2ajRjYTl7uMN6/g9SFP/eBjWpAFLnUfE6n1b24cn9v26OQpB ZxuMKA6eaeoT88KlouxudQcAgtpZZFzp4/ghWCy8q82WhHg4uDqw3R243rRxaBa7 RF3x0wYuErbbC7N9m1UH =1Ixo -END PGP SIGNATURE- -- ~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~