
Vulnerability Issues in SSL - Bug ID CSCec45573

elipschutz
Level 1

Does this affect all Cisco PIX firewall versions, including 6.3(1)?

Need a quick answer.

Thanks,

Emanuel


5 Replies

jmia
Level 7

Emanuel -

From what I understand, and from the 2nd URL (Cisco), I presume all PIX IOS is vulnerable, but I've not checked this with Cisco TAC yet. If Scott or Glenn / Mynul are reading this, then please can you shed a little info on this.

http://www.cert.org/advisories/CA-2002-23.html - CERT

http://www.cisco.com/en/US/tech/tk583/tk618/technologies_security_advisory09186a00801c5975.shtml

Thanks,

Your presumptions are correct. All PIX code (after 6.0 since this is when we added SSL support for PDM) is vulnerable. The DDTS that is tracking this fix is CSCec31274. Right now, the only fix is 6.3(3.102) which is not available via CCO. I am not 100% sure what the timeframe is for getting a fix posted to CCO but if you would like to get a copy of the interim code with the fix, please open a TAC case and request this version. If you want a fixed version of 6.1 and/or 6.2, also open a TAC case and request that a build be made available. Hope this helps clarify.

Scott

Is there a date set for when the release with the fix will be published on CCO?

Thanks,

Best regards

Emanuel

I opened a TAC case yesterday requesting the patch/fix for 6.2. The TAC engineer replied today that the code 6.2.3 (released on Aug 28, 2003) has already addressed this vulnerability and has been available for download via CCO.

This is not in line with what I understand so far. I feel I am a little bit confused. Please confirm whether the PIX IOS that has been available for download since August 28 has already addressed this vulnerability. If not, when will it be available?

Thanks.

- a confused customer-

Sorry, but you have a right to be confused. 6.2(3) does *not* contain the fix for this vulnerability. The actual DDTS for the SSL vulnerability on the PIX is CSCec31274 and is fixed in 6.2(3.102), 6.0(4.101), 6.1(5.101), and 6.3(3.102). DDTS CSCec45573 is actually for the FWSM (Firewall blade for the 6500/7600 chassis). Please contact your TAC engineer and request that one of these builds be posted for you. At this time, we have no immediate plans to release a new maintenance release for any of these versions until sometime after the first of the year. All interim builds are fully TAC supported and only contain bug fixes (no new features) so the likelihood of running into new issues is relatively slim (only regression bugs caused by new fixes which are actually rare).

Again, sorry for the confusion. Hope this helps.

Scott
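
The confusion in this thread comes down to 6.2(3) versus 6.2(3.102), so here is an added example (not part of the original thread and not Cisco code) that parses PIX version strings and checks them against the fixed builds Scott lists for CSCec31274. It assumes that any build at or above the listed interim build in the same release train carries the fix; the function names and the sample `show version` lines are constructed for illustration.

```python
import re

# First fixed interim build per release train, taken from the reply above
# (CSCec31274): 6.0(4.101), 6.1(5.101), 6.2(3.102), 6.3(3.102).
FIXED_BUILDS = {
    (6, 0): (4, 101),
    (6, 1): (5, 101),
    (6, 2): (3, 102),
    (6, 3): (3, 102),
}

# PIX version strings: major.minor(maint) or major.minor(maint.interim)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")


def parse_pix_version(text):
    """Return ((major, minor), (maint, interim)) for the first version in text, or None."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    train = (int(m.group(1)), int(m.group(2)))
    # A maintenance release such as 6.2(3) has no interim number; treat it as 0
    # so it sorts below every interim build cut from it, e.g. 6.2(3.102).
    build = (int(m.group(3)), int(m.group(4) or 0))
    return train, build


def classify(text):
    """Classify one version line as pre-6.0, vulnerable, fixed, unknown-train or unparsed."""
    parsed = parse_pix_version(text)
    if parsed is None:
        return "unparsed"
    train, build = parsed
    if train < (6, 0):
        return "pre-6.0"        # per the thread, SSL (for PDM) arrived in 6.0
    if train not in FIXED_BUILDS:
        return "unknown-train"  # the thread gives no fixed build for this train
    # Assumption: builds at or above the listed fix in the same train include it.
    return "fixed" if build >= FIXED_BUILDS[train] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample lines in the style of the first line of `show version`.
    for line in ("Cisco PIX Firewall Version 6.3(1)",
                 "Cisco PIX Firewall Version 6.2(3)",
                 "Cisco PIX Firewall Version 6.2(3.102)"):
        print(f"{line!r}: {classify(line)}")
```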