[Fwd: Cisco Catalyst SSH Protocol Mismatch Vulnerability]

[Kevin van der Raad <k.van.der.raad () itsec nl>]

We stumbled across the following, and wanted to share this with you:

--

Cisco Catalyst SSH Protocol Mismatch Vulnerability

Revision 1.0

For Public Release 2000 December 13 10:00 AM US/Pacific (UTC+0700)

     _________________________________________________________________


Summary

Non-Secure Shell (SSH) connection attempts to an enabled SSH service on
a Cisco Catalyst 6000, 5000, or 4000 switch might cause a "protocol
mismatch" error,
resulting in a supervisor engine failure.  The supervisor engine failure
causes the switch to fail to pass traffic and  reboots the switch. This
problem is resolved in
release 6.1(1c).  Due to a very limited number of customer downloads,
Cisco has chosen to notify affected customers directly.

This vulnerability has been assigned Cisco bug ID CSCds85763.

The full text of this advisory can be viewed at:
http://www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml.

Affected Products

Catalyst 6000, 5000, 4000 images with SSH support.  Version 6.1(1),
6.1(1a), 6.1(1b) with 3 Data Encryption Standard (DES) features only.

Only the following images are affected:

    cat4000-k9.6-1-1.bin
    cat5000-sup3cvk9.6-1-1a.bin
    cat5000-sup3k9.6-1-1.bin
    cat5000-supgk9.6-1-1.bin
    cat6000-sup2cvk9.6-1-1b.bin
    cat6000-sup2k9.6-1-1b.bin
    cat6000-supcvk9.6-1-1b.bin
    cat6000-supk9.6-1-1b.bin

Cisco IOS 12.1 SSH implementation is not affected by this
vulnerability.  No other Cisco devices are affected.

Details

 Non SSH protocol connection attempts to the SSH service cause a
"protocol mismatch" error, which causes a switch to reload.  SSH is not
enabled by default, and
must be configured by the administrator.

To verify if your image is affected, run the command "show version".  If
the image filename is listed above, and you have enabled SSH, you are
affected by this
vulnerability and should upgrade to a fixed version immediately.

Impact

This vulnerability enables a Denial of Service attack on the Catalyst
switch.

Software Versions and Fixes

This defect is resolved in Cisco Catalyst version 6.1(1c).  Previous
affected versions will be deferred, and will no longer be available for
customer download.

Getting Fixed Software

Cisco is offering free software upgrades to remedy this vulnerability
for all affected customers.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained
via the Software Center on Cisco's Worldwide Web site at
http://www.cisco.com.

Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

     +1 800 553 2447 (toll-free from within North America)
     +1 408 526 7209 (toll call from anywhere in the world)
     e-mail: tac () cisco com

Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Please do not contact either "psirt () cisco com" or
"security-alert () cisco com" for software upgrades.

Workarounds

The workaround for this vulnerability is to disable SSH service.  For
most customers using this image, SSH support is necessary, so the
recommended action is to
upgrade to a fixed version.

Exploitation and Public Announcements

This vulnerability was reported to Cisco by a customer who discovered
the issue during routine networking tests.  There has been no public
disclosure, and no
reports of malicious activity with regard to this vulnerability.

Status of This Notice: FINAL

This is a final notice. Although Cisco cannot guarantee the accuracy of
all statements in this notice, all of the facts have been checked to the
best of our ability.
Cisco does not anticipate issuing updated versions of this notice unless
there is some material change in the facts. Should there be a
significant change in the facts,
Cisco may update this notice.


Distribution

This notice is available on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml.
In addition to
Worldwide Web posting, a text version of this notice is clear-signed
with the Cisco PSIRT PGP key and is posted to the following e-mail
recipients:

     cust-security-announce () cisco com
     Various internal Cisco mailing lists
     Specifically affected customers

Future updates of this notice, if any, will be placed on Cisco's
Worldwide Web server, but may or may not be actively announced on
mailing lists or newsgroups.
Users concerned about this problem are encouraged to check the URL given
above for any updates.

Revision History

 Revision 1.0   For public release 13-DEC-2000 10:00 AM US/Pacific
(UTC+0700)


Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security
information from Cisco, is available on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes
instructions for press inquiries regarding Cisco security notices.

     _________________________________________________________________


This notice is copyright 2000 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the
text, provided that
redistributed copies are complete and unmodified, including all date and
version information.

     _________________________________________________________________


--

Kevin van der Raad <mailto:k.van.der.raad () itsec nl>

ITsec Nederland B.V. <http://www.itsec.nl>
Exploit & Vulnerability Alerting Service

P.O. box 5120
NL 2000 GC Haarlem
Tel +31(0)23 542 05 78
Fax +31(0)23 534 54 77

--

ITsec Nederland B.V. may not be held liable for the effects or damages
caused by the direct or indirect use of the information or functionality
provided by this posting, nor the content contained within. Use them at
your own risk. ITsec Nederland B.V. bears no responsibility for misuse
of this posting or any derivatives thereof.