New vulnerabilities in the OpenSSH implementation for SSH servers have been announced.
An affected network device, running an SSH server based on the OpenSSH
implementation, may be vulnerable to a Denial of Service (DoS) attack when an
exploit script is repeatedly executed against the same device. There are
workarounds available to mitigate the effects of these vulnerabilities.
This section provides details on affected products.
The following products have their SSH server implementation based on
the OpenSSH code and are affected by the OpenSSH vulnerabilities.
Cisco Catalyst Switching Software (CatOS)
Cisco Catalyst switches run either CatOS-based releases or IOS-based
releases. IOS-based releases are not vulnerable.
All K9 (crypto) images in 6.x, 7.x, and 8.x release trains are
affected by these vulnerabilities. CatOS releases 2.x, 3.x, 4.x and 5.x are not
vulnerable as they do not have SSH support.
The following Cisco Catalyst Switches are vulnerable:
- Catalyst 6000 series
- Catalyst 5000 series
- Catalyst 4000 series
- Catalyst 2948G, 2980G, 2980G-A, 4912G - use Catalyst 4000 series
To determine your software revision, type the show version command at the
command line prompt.
Cisco Secure Intrusion Detection System (NetRanger) appliance
The following devices (running software version 3.0(1) through
4.1(1)) are vulnerable:
- IDS-42xx appliances
Cisco Network Analysis Modules (NAM) for the Cisco Catalyst 6000 and
6500 Series switches and Cisco 7600 Series routers
The following devices that have applied the K9 crypto patch and have
SSH enabled are vulnerable:
- WS-X6380-NAM, running software version 2.1(2) or 3.1(1a)
- WS-SVC-NAM-1, running software version 2.2(1a) or 3.1(1a)
- WS-SVC-NAM-2, running software version 2.2(1a) or
CiscoWorks 1105 Hosting Solution Engine (HSE)
CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)
Cisco PGW 2200 Softswitch (formerly known as Cisco VSC 3000 and as
Cisco SC 2200)
Cisco has not released code with SSH for the SN5420 storage
Products Confirmed Not Vulnerable
The following products, which incorporate an SSH server, have been
confirmed to be not vulnerable to the OpenSSH vulnerabilities.
Cisco IOS, both SSH version 1.5 and SSH version 2.0
Cisco Secure Intrusion Detection System Catalyst Module (IDSM)—model
Cisco PIX Firewall
Cisco Catalyst 6000 FireWall Service Module (FWSM)
Cisco VPN 3000 Concentrators and Cisco VPN 5000
Cisco MDS 9000 Series Multilayer
No other Cisco products are currently known to be affected by these vulnerabilities.
In the fixed code, the buffer size (or the number of channels) is now
incremented only after the corresponding allocation has succeeded, whereas
previously it was updated before the allocation was attempted. On an
allocation failure, which could be triggered remotely, the cleanup routine
would then wipe memory using the already-incremented size rather than the size
actually allocated. This corrupts the heap and eventually crashes the process
that owns that memory.
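The following C program is an added illustration of the ordering bug described above; it is not OpenSSH's or Cisco's code. The buffer type, the grow routines, the size-limited allocator that stands in for an externally triggered allocation failure, and the cleanup routine are all assumptions made for the demonstration. Rather than actually zeroing past the real allocation (undefined behaviour), the cleanup routine wipes only what is truly owned and reports how many bytes the bookkeeping would have caused it to overrun, so the difference between the two orderings is visible as a number. The same pattern applies to a channel count incremented before the channel table is reallocated.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer (illustration only, not OpenSSH's struct). */
struct buf {
    unsigned char *data;
    size_t alloc;      /* size the code believes is allocated            */
    size_t real_alloc; /* size actually allocated (demo bookkeeping only) */
};

/* Simulated allocator: refuses requests above a limit, standing in for the
 * externally triggered allocation failure the advisory describes. */
static size_t alloc_limit = 4096;

static void *limited_realloc(void *p, size_t n)
{
    if (n > alloc_limit)
        return NULL;           /* original pointer stays valid */
    return realloc(p, n);
}

/* Cleanup handler as described: it trusts `alloc` and wipes that many bytes.
 * For the demo it wipes only the real allocation and returns the overrun
 * (bytes past the end of the block the original code would have zeroed). */
static size_t cleanup(struct buf *b)
{
    size_t overrun = (b->alloc > b->real_alloc) ? b->alloc - b->real_alloc : 0;
    if (b->data != NULL)
        memset(b->data, 0, b->real_alloc);
    return overrun;
}

/* Vulnerable ordering: the size field is bumped before the allocation.
 * If the allocation fails, the object now claims more memory than it owns. */
static int grow_vulnerable(struct buf *b, size_t extra)
{
    b->alloc += extra;
    void *p = limited_realloc(b->data, b->alloc);
    if (p == NULL)
        return -1;             /* fatal() and cleanup handlers ran here */
    b->data = p;
    b->real_alloc = b->alloc;
    return 0;
}

/* Fixed ordering: allocate first, update the size field only on success. */
static int grow_fixed(struct buf *b, size_t extra)
{
    size_t newlen = b->alloc + extra;
    void *p = limited_realloc(b->data, newlen);
    if (p == NULL)
        return -1;             /* alloc still matches what we own */
    b->data = p;
    b->alloc = newlen;
    b->real_alloc = newlen;
    return 0;
}

/* One scenario: a small growth that succeeds, an oversized growth that fails,
 * then cleanup. Returns how many bytes cleanup would have overrun by. */
static size_t scenario(int (*grow)(struct buf *, size_t))
{
    struct buf b = { NULL, 0, 0 };
    (void)grow(&b, 1024);          /* within limit: succeeds           */
    (void)grow(&b, (size_t)1 << 20); /* above limit: allocation fails  */
    size_t overrun = cleanup(&b);
    free(b.data);
    return overrun;
}

int main(void)
{
    printf("vulnerable ordering: cleanup overruns by %zu bytes\n",
           scenario(grow_vulnerable));
    printf("fixed ordering:      cleanup overruns by %zu bytes\n",
           scenario(grow_fixed));
    return 0;
}
```

With the vulnerable ordering the failed request leaves `alloc` at 1024 + 1048576 while only 1024 bytes exist, so the wipe would run 1 MiB past the block; with the fixed ordering `alloc` is untouched by the failure and the wipe stays in bounds.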
Portable OpenSSH versions 3.7p1 and 3.7.1p1 (not the OpenBSD version)
contain multiple vulnerabilities in the new PAM authentication code. These
vulnerabilities are not known to affect any Cisco products.
Cisco Catalyst Switching Software (CatOS)—This vulnerability is
documented as Bug ID (registered customers only).
If SSH is disabled, the Catalyst switch is not vulnerable to
these vulnerabilities. CatOS K9 (crypto) release 6.1 was the first CatOS
release to incorporate the SSH feature.
To verify whether SSH has been configured on the switch, type the show
crypto key command. If this displays the RSA key, SSH has been configured
and enabled on the switch. To remove the crypto key, type the clear crypto
key RSA command; this disables the SSH server on the switch.
Cisco Network Analysis Modules (NAM)—This vulnerability is documented
as Bug ID (registered customers only).
To verify whether the K9 crypto patch is installed, type the
show patch command. To verify whether SSH access has been
enabled with the exsession on ssh command, type the
show ip command; if the line starting with
"SSH:" shows "Enabled", you are vulnerable.
To turn off SSH access on the Cisco Network Analysis Modules (NAM),
type the exsession off ssh command.
Wherever possible, restrict access to the SSH server on the network
device. Allow access to the network device only from trusted workstations by
using ACLs / MAC filters that are available on the affected
When considering software upgrades, also consult
and any subsequent advisories to determine exposure and a complete upgrade
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco Technical
Assistance Center ("TAC") or your contracted maintenance provider for
Cisco Catalyst Switching Software (CatOS)—CatOS release
- 6.4(7) for Catalyst 4000/5000/6000 series switches due out on
November 12, 2003
- 7.6(3a) for Catalyst 4000 series switches due out on September 30,
- 7.6(3a) for Catalyst 6000 series switches due out on September 26,
- 8.1(3) for Catalyst 6000 series switches due out on October 13,
- 8.2(1)GLX for Catalyst 4000 series switches due out on September
- 8.2(1) for Catalyst 6000 series switches due out in 4th Quarter
Software upgrades can be performed via the console interface. Please
refer to software release notes for instructions.
Cisco Secure Intrusion Detection System (NetRanger)
appliance—Software version 4.1(2), due out end of October, will have the fix.
Software version 3.1(5) will have the fix for software version 3.1; release
date to be determined.
Cisco Network Analysis Modules (NAM)—An updated K9 crypto patch for
the 3.1 images, due out middle of October, will have the fix.
CiscoWorks 1105 Hosting Solution Engine (HSE)—Software version 1.7.2,
due out October 10, will have the fix.
CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)—Release date to
Cisco Content Service CSS11000 Switch series—Software versions
188.8.131.52s, 184.108.40.206s, 220.127.116.11s and 18.104.22.168s, due out October 3, will have
Cisco Application & Content Networking Software (ACNS)-Software
versions 5.1 and 5.0.7 will have the fix. Software version 5.0.7 is due out
BTS 10200 Softswitch-A new openssh package has been made available.
Please contact your Cisco SE for more information.
Cisco GSS 4480 Global Site Selector—Software version 1.1(0) code, due
out on October 10, will have the fix.
Cisco SN 5428 Storage Router—Software version 3.4.1, due out end of
September, will have the fix for the SN 5428 and SN 5428-2.
Cisco PGW 2200 Softswitch—Software version 1.0(2), due out end of
November, will have the fix.
The Cisco PSIRT is not aware of any malicious use of the
vulnerabilities described in this advisory, at this time.
Added Cisco Content Service CSS11000 Switch series and Cisco
Network Analysis Modules (NAM) as being affected.
Added an additional workaround for the CatOS in the Workaround
Added CatOS versions, Cisco Secure Intrusion Detection System
(NetRanger) appliance, and Cisco GSS 4480 Global Site Selector to the Affected
Products section; and Cisco Secure Intrusion Detection System Catalyst Module
(IDSM) to the not vulnerable list. Added Cisco Secure Intrusion Detection
System (NetRanger) appliance, and Cisco GSS 4480 Global Site Selector to the
Details section, and added Bug IDs for the products. Added Cisco Secure
Intrusion Detection System (NetRanger) appliance to the Software Versions and
Fixes section, and added upcoming fixes for the products.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.
Contact your Cisco Representative
Third-Party Support Organizations
Contact your Third-Party Representative for assistance
Without Service Contracts
Contact Cisco Technical Assistance Center (TAC) with your product serial number: