||Home : Advisories : Cisco Catalyst SSH Protocol Mismatch Vulnerability|
||Cisco Catalyst SSH Protocol Mismatch Vulnerability
||15th December 2000
Cisco Catalyst SSH Protocol Mismatch Vulnerability
For Public Release 2000 December 13 10:00 AM US/Pacific (UTC+0700)
Non-Secure Shell (SSH) connection attempts to an enabled SSH service on
a Cisco Catalyst 6000, 5000, or 4000 switch might cause a "protocol
resulting in a supervisor engine failure. The supervisor engine failure
causes the switch to fail to pass traffic and reboots the switch. This
problem is resolved in
release 6.1(1c). Due to a very limited number of customer downloads,
Cisco has chosen to notify affected customers directly.
This vulnerability has been assigned Cisco bug ID CSCds85763.
The full text of this advisory can be viewed at:
Catalyst 6000, 5000, 4000 images with SSH support. Version 6.1(1),
6.1(1a), 6.1(1b) with 3 Data Encryption Standard (DES) features only.
Only the following images are affected:
Cisco IOS 12.1 SSH implementation is not affected by this
vulnerability. No other Cisco devices are affected.
Non SSH protocol connection attempts to the SSH service cause a
"protocol mismatch" error, which causes a switch to reload. SSH is not
enabled by default, and
must be configured by the administrator.
To verify if your image is affected, run the command "show version". If
the image filename is listed above, and you have enabled SSH, you are
affected by this
vulnerability and should upgrade to a fixed version immediately.
This vulnerability enables a Denial of Service attack on the Catalyst
Software Versions and Fixes
This defect is resolved in Cisco Catalyst version 6.1(1c). Previous
affected versions will be deferred, and will no longer be available for
Getting Fixed Software
Cisco is offering free software upgrades to remedy this vulnerability
for all affected customers.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained
via the Software Center on Cisco's Worldwide Web site at
Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
+1 800 553 2447 (toll-free from within North America)
+1 408 526 7209 (toll call from anywhere in the world)
Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Please do not contact either "firstname.lastname@example.org" or
"email@example.com" for software upgrades.
The workaround for this vulnerability is to disable SSH service. For
most customers using this image, SSH support is necessary, so the
recommended action is to
upgrade to a fixed version.
Exploitation and Public Announcements
This vulnerability was reported to Cisco by a customer who discovered
the issue during routine networking tests. There has been no public
disclosure, and no
reports of malicious activity with regard to this vulnerability.
Status of This Notice: FINAL
This is a final notice. Although Cisco cannot guarantee the accuracy of
all statements in this notice, all of the facts have been checked to the
best of our ability.
Cisco does not anticipate issuing updated versions of this notice unless
there is some material change in the facts. Should there be a
significant change in the facts,
Cisco may update this notice.
This notice is available on Cisco's Worldwide Web site at
In addition to
Worldwide Web posting, a text version of this notice is clear-signed
with the Cisco PSIRT PGP key and is posted to the following e-mail
Various internal Cisco mailing lists
Specifically affected customers
Future updates of this notice, if any, will be placed on Cisco's
Worldwide Web server, but may or may not be actively announced on
mailing lists or newsgroups.
Users concerned about this problem are encouraged to check the URL given
above for any updates.
Revision 1.0 For public release 13-DEC-2000 10:00 AM US/Pacific
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security
information from Cisco, is available on Cisco's Worldwide Web site at
instructions for press inquiries regarding Cisco security notices.
This notice is copyright 2000 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the
text, provided that
redistributed copies are complete and unmodified, including all date and
Kevin van der Raad
ITsec Nederland B.V. <http://www.itsec.nl>
Exploit & Vulnerability Alerting Service
P.O. box 5120
NL 2000 GC Haarlem
Tel +31(0)23 542 05 78
Fax +31(0)23 534 54 77
ITsec Nederland B.V. may not be held liable for the effects or damages
caused by the direct or indirect use of the information or functionality
provided by this posting, nor the content contained within. Use them at
your own risk. ITsec Nederland B.V. bears no responsibility for misuse
of this posting or any derivatives thereof.