[nsp] SSH updates? (was: Cisco Security Advisory: Cisco OpenSSL Implementation Vulnerability)
Christopher McCrory
chrismcc at pricegrabber.com
Wed Mar 17 14:30:10 EST 2004
On Wed, 2004-03-17 at 06:16, Cisco Systems Product Security Incident
Response Team wrote:
<snip>
> * Cisco IOS - All 12.1(11)E and later IOS software crypto (56i and k2)
> image releases in the 12.1E release train for the Cisco 7100 and 7200
> Series Routers are affected by this vulnerability. All IOS software
> crypto (k8, k9, and k91) image releases in the 12.2SY release train
> for the Cisco Catalyst 6500 Series and Cisco 7600 Series Routers are
> affected by this vulnerability. The SSH implementation in IOS is not
> dependent on any OpenSSL code. SSH implementations in IOS do not
> handle certificates, yet, and therefore do not use any SSL code for

SSH does not *yet* handle certs. Does this imply that there is hope for SSH
protocol v2 support in the future?
Can anyone from Cisco comment on this?

> SSH. OpenSSL in 12.1E and 12.2SY release trains is only used for
> providing the HTTPS and VPN Device Manager (VDM) services. This
> vulnerability is documented in the Cisco Bug Toolkit (registered
> customers only) as Bug ID CSCee00041. The HTTPS web service, that uses
> the OpenSSL code, on the device is disabled by default. The no ip http
> secure-server command may be used to disable the HTTPS web service on
> the device, if required. The SSH and IPSec services in IOS are not
> vulnerable to this vulnerability.
<snip>
--
Christopher McCrory
"The guy that keeps the servers running"
chrismcc at pricegrabber.com
http://www.pricegrabber.com
Let's face it, there's no Hollow Earth, no robots, and
no 'mute rays.' And even if there were, waxed paper is
no defense. I tried it. Only tinfoil works.