cisco-sa-20120328-ssh

TomTinsley
Level 1

This URL talks about a vulnerability with IOS code.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-ssh

But what is not clear is the following:

Under the section "Software Versions and Fixes" look for "12.2SE".  What version is the starting point for "Releases up to and including 12.2(58)SE1 are not vulnerable"?

Accepted Solutions

Phillip Remaker
Cisco Employee

Interesting!  That confuses me, too.  When in doubt, dig into Bug Toolkit.

Looking at the bug id of CSCtr49064 (noted in the bulletin) on Bug Toolkit, we see that the fix explicitly appears in 15.0(1)SE1 and 15.0(2)SE.

Looking at the release notes for 12.2(58)SE1, we see that this is the release that introduced new SSH functionality to that codebase, so it would seem that the vulnerability was introduced that way.  Therefore, the whole 12.2(58)SE series seems to be affected (not fixed until 15.x), but the 12.2(55)SE series was never affected (older SSH codebase).

There is no clear indication that a regression was introduced, so I would assume that the entire 12.2(58)SE branch is affected, but the wording in the alert contradicts that assessment.  I will reach out to the PSIRT team for clarification.

Clearest course of action: To avoid the vulnerability, downgrade to 12.2(55)SE (latest) or upgrade to one of the fixed 15.x branches.


David White
Cisco Employee

Looks like Phil and I were working in parallel.  I confirmed with PSIRT that versions

   12.2(1)SE -  12.2(58)SE1 are NOT vulnerable

but

   12.2(58)SE2 - IS Vulnerable

   12.2(58.1)SE2 - IS Vulnerable

So, the text in the PSIRT announcement is correct, but I would agree that it is a little confusing to read.

Sincerely,

David.


Thanks Phillip, good to know I was not the only one confused.  I see the points made from the release notes and appreciate your efforts.


Good work gentlemen.  I appreciate the quick response.  Now I do not have to do 1115 IOS upgrades.

Just for the sake of completeness:

The PSIRT team at Cisco is awesome, and they answered the question in detail when we asked.

Turns out that:

CSCsk60020 SSHv2 spurious memory access

is the bug that actually inadvertently introduced the vulnerability for the SE series (starting at 12.2(58)SE2), but the bug record of CSCtr49064 did not indicate that relationship (a process oversight).  So any release that does NOT have CSCsk60020 or DOES have CSCtr49604 is free of the problem.

Hats off to PSIRT for their lightning fast research. 

Here is the exhaustive list of KNOWN NOT VULNERABLE releases on the SE series:

12.2(1)SE

12.2(18)SE

12.2(18)SE1

12.2(20)SE

12.2(20)SE1

12.2(20)SE2

12.2(20)SE3

12.2(20)SE4

12.2(25)SE

12.2(25)SE2

12.2(25)SE3

12.2(35)SE

12.2(35)SE1

12.2(35)SE2

12.2(35)SE3

12.2(35)SE4

12.2(35)SE5

12.2(37)SE

12.2(37)SE1

12.2(40)SE

12.2(40)SE1

12.2(40)SE2

12.2(44)SE

12.2(44)SE1

12.2(44)SE2

12.2(44)SE3

12.2(44)SE4

12.2(44)SE5

12.2(44)SE6

12.2(46)SE

12.2(46)SE1

12.2(46)SE2

12.2(50)SE

12.2(50)SE1

12.2(50)SE2

12.2(50)SE3

12.2(50)SE4

12.2(50)SE5

12.2(52)SE

12.2(52)SE1

12.2(53)SE

12.2(53)SE1

12.2(53)SE2

12.2(54)SE

12.2(55)SE

12.2(55)SE1

12.2(55)SE2

12.2(55)SE3

12.2(55)SE4

12.2(55)SE5

12.2(55)SE6

12.2(58)SE

12.2(58)SE1
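
For anyone auditing a large fleet against the version boundaries confirmed in this thread, here is an added example (not code from Cisco or from any poster above) that classifies SE-train version strings pulled from `show version` banners. The hostnames and banner lines are constructed, and anything the thread does not cover is reported as "unknown" rather than guessed.

```python
import re

# Version facts exactly as stated in this thread (SE train only).
VULNERABLE = {"12.2(58)SE2", "12.2(58.1)SE2"}   # confirmed by PSIRT
FIXED = {"15.0(1)SE1", "15.0(2)SE"}             # fix noted under CSCtr49064
FIRST_SAFE = (12, 2, 1, 0, 0)                   # 12.2(1)SE
LAST_SAFE = (12, 2, 58, 0, 1)                   # 12.2(58)SE1

VER_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)([A-Z]+)(\d*)")

def parse(version):
    """Return (train, sortable key) for an IOS version string, or None."""
    m = VER_RE.fullmatch(version.strip())
    if not m:
        return None
    major, minor, maint, interim, train, rebuild = m.groups()
    key = (int(major), int(minor), int(maint), int(interim or 0), int(rebuild or 0))
    return train, key

def classify(version):
    """Classify one version string using only the boundaries given in the thread."""
    version = version.strip()
    if version in VULNERABLE:
        return "vulnerable"
    if version in FIXED:
        return "fixed"
    parsed = parse(version)
    if parsed and parsed[0] == "SE" and FIRST_SAFE <= parsed[1] <= LAST_SAFE:
        return "not vulnerable"
    return "unknown"  # outside what the thread states: check the advisory

def audit(lines):
    """Map hostname -> (version, status) from 'hostname: <show version banner>' lines."""
    results = {}
    for line in lines:
        host, _, banner = line.partition(":")
        m = re.search(r"Version ([^,\s]+)", banner)
        version = m.group(1) if m else ""
        results[host.strip()] = (version, classify(version))
    return results

# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = [
    "sw-01: Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)",
    "sw-02: Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(58)SE2, RELEASE SOFTWARE (fc1)",
    "sw-03: Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(1)SE, RELEASE SOFTWARE (fc1)",
]

if __name__ == "__main__":
    for host, (ver, status) in audit(SAMPLE).items():
        print(f"{host:8} {ver:16} {status}")
```
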