Summary

• The Apache HTTPd server contains a denial of service vulnerability when it handles multiple, overlapping ranges. Multiple Cisco products may be affected by this vulnerability.

  Mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=24024

  This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110830-apache.

Affected Products

• Cisco is currently evaluating products for possible exposure to this vulnerability. Products will only be listed in the Vulnerable Products or Products Confirmed Not Vulnerable sections of this security advisory when a final determination about exposure is made. Products that are not listed in either of these two sections are still being evaluated.

  Vulnerable Products

  This section will be updated when more information is available. The following products are confirmed to be affected by this vulnerability:

  • Cisco MDS 9000 NX-OS Software releases prior to 5.x are affected. Cisco MDS 9000 NX-OS Software releases 5.x and later are not affected.
  • Cisco SAN-OS 3.x.
  • Cisco TelePresence Video Communication Server (Cisco TelePresence VCS)
  • All Cisco CTS TelePresence Systems
  • Cisco Video Surveillance Manager (VSM)
  • Cisco Video Surveillance Operations Manager (VSOM)
  • Management Center for Cisco Security Agent. Cisco Security Agent (client software) is not affected.
  • Cisco Wireless Control System (WCS)
  • Cisco Wide Area Application Services (WAAS) Software
  • Cisco Quad
  • Cisco Network Collector
  • Cisco Nexus 1000v Series running software versions 4.2(1)SV1(5.1) and later
  • Cisco Mobility Services Engine
  • CiscoWorks Common Services
  • CiscoWorks LAN Management Solution

  Products Confirmed Not Vulnerable

  The following products are confirmed not vulnerable:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco Catalyst 6500 Series ASA Services Module
  • Cisco Catalyst 6500 Series Firewall Services Module
  • Cisco Fabric Manager
  • Cisco Identity Services Engine
  • Cisco Intercompany Media Engine
  • Cisco IOS Software
  • Cisco IOS XE Software
  • Cisco IOS XR Software
  • Cisco IP Interoperability and Collaboration System (IPICS)
  • Cisco IPS Software
  • Cisco Unified IP Phones
  • Cisco MDS 9000 NX-OS Software releases 5.x or later (prior versions are affected)
  • Cisco Nexus 7000 Series (further testing and verification showed that Cisco NX-OS on Nexus 7000 is not affected by this vulnerability)
  • Cisco Nexus 4000 Series
  • Cisco Nexus 3000 Series
  • Cisco Nexus 5000 Series
  • Cisco Nexus 1000v Series running software versions prior to 4.2(1)SV1(5.1)
  • Cisco Prime Central
  • Cisco Prime Optical
  • Cisco Prime Performance Manager
  • Cisco Secure Access Control System (ACS)
  • Cisco TelePresence Server
  • Cisco Unified Communications Manager (formerly Cisco CallManager)
  • Cisco Unity
  • Cisco Unity Connection
  • Cisco Wireless LAN Controllers (WLC)
  • Cisco Wireless Location Appliance
  • CiscoWorks Wireless LAN Solution Engine (WLSE)
  • Cisco Prime Network Control System (NCS)
  • Cisco Detector XT DDoS Mitigation Appliance
  • Cisco Guard XT DDoS Mitigation Appliance
  • Cisco Tidal Enterprise Orchestrator

  This section will be updated when more information is available.

Details

• The Apache HTTPd server contains a denial of service vulnerability when it handles multiple overlapping ranges. Multiple Cisco products may be affected by this vulnerability.

  The following Cisco bug IDs are being used to track potential exposure to this vulnerability. The following Cisco bug IDs do not confirm that a product is vulnerable; rather, the Cisco bug IDs indicate that the product is under investigation by the appropriate product teams.

  Cisco Product	Cisco bug ID
  Cisco ACE 4710 Appliance	CSCts35635
  Cisco ACE Application Control Engine Module	CSCts35610
  Cisco ACE GSS 4400 Series Global Site Selector (GSS)	CSCts33313
  Cisco ACE XML Gateway	CSCts33321
  Cisco Active Network Abstraction	CSCts33317
  Cisco ASA 5500 Series Adaptive Security Appliances	CSCts33180
  Cisco CNS Network Registrar	CSCts36064
  Cisco Conductor for Videoscape	CSCts32986
  Cisco Content Delivery Engine	CSCts36206
  Cisco Content Delivery System Internet Streamer	CSCts35643
  Cisco Detector XT DDoS Mitigation Appliance	CSCts33211
  Cisco Guard XT DDoS Mitigation Appliance	CSCts33210
  Cisco Healthpresence	CSCts36069
  Cisco Identity Services Engine	CSCts33092
  Cisco IP Interoperability and Collaboration System	CSCts33206
  Cisco IP Phones	CSCts33264
  Cisco IPS Software	CSCts33199
  Cisco MDS 9000 SAN Device Management	CSCts33220
  Cisco MDS 9000 Series Multilayer Switches	CSCts33294
  Cisco NAC Manager	CSCts32965
  Cisco NAC Profiler	CSCts33267
  Cisco NAC Server	CSCts32976
  Cisco NAC Guest Server	CSCts41870
  Cisco Network Analysis Module	CSCts33320
  Cisco Network Collector	CSCts72493
  Cisco Networking Services (CNS) Software	CSCts33279
  Cisco Nexus 1000v Series running software versions 4.2(1)SV1(5.1) or later	CSCug41608
  Cisco Nexus 5000 Series Switches	CSCts35605
  Cisco Nexus 7000 Series Switches	CSCts35665
  Cisco OnPlus Network Management and Automation	CSCts33287
  Cisco Prime Central	CSCts33004
  Cisco Prime Network Control System	CSCts33114
  Cisco Prime Performance Manager	CSCts36072
  Cisco Quad Collaboration	CSCts36158
  Cisco Secure Access Control System	CSCts33196
  Cisco Security Manager	CSCts33056
  Cisco Service Exchange Framework	CSCts33218
  Cisco Signaling Gateway Manager	CSCts33248
  Cisco Small Business Network Storage Systems	CSCts33288
  Cisco SSC System Manager	CSCts36187
  Cisco TelePresence Manager	CSCts33310
  Cisco TelePresence Multipoint Switch	CSCts33224
  Cisco TelePresence Server	CSCts33230
  Cisco CTS 500-32 Telepresence System Series	CSCts35874
  All Cisco CTS TelePresence Systems except Cisco CTS 500-32 TelePresence System Series	CSCts33276
  Cisco Telepresence System Integrator C Series	CSCts35860
  Cisco UCS B-Series Blade Servers	CSCts33291
  Cisco Unified Communications Manager	CSCts32992
  Cisco Unified Communications System Voice and Unified Communications (VOSS)	CSCts33271
  Cisco Unified MeetingPlace	CSCts33169
  Cisco Unified Operations Manager	CSCts33273
  Cisco Unified Presence Server	CSCts33257
  Cisco Unified Service Monitor	CSCts35893
  Cisco Unified Service Statistics Manager	CSCts36074
  Cisco Unity	CSCts33302
  Cisco Unity Connection	CSCts33260
  Cisco Video Surveillance Manager	CSCts33173
  Cisco Video Surveillance Operations Manager	CSCts33178
  Cisco Virtual Network Management	CSCts36207
  Cisco Voice Manager (CVM)	CSCts36152
  Cisco Wide Area Application Services (WAAS) Software	CSCts33254
  Cisco Wireless Control System (WCS)	CSCts33325
  Cisco Wireless Control System Navigator	CSCts33052
  Cisco Wireless LAN Controllers (WLC)	CSCts33327
  CiscoWorks Common Services	CSCts33049
  CiscoWorks LAN Management Solution (LMS)	CSCts35837
  Cisco Digital Media Suite Products	CSCts33189
  Management Center for Cisco Security Agents	CSCts33208
  Service Exchange Framework	CSCts36185
  Cisco Shared Network Management and Automation	CSCts33476

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2011-3192.

Workarounds

• Mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=24024

Fixed Software

• When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

  In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

  Product	First Fixed Releases
  Cisco MDS 9000 NX-OS Software	Releases prior to 5.x are affected. Releases 5.x and later are not affected. Migrate to 5.x or later.
  Cisco Nexus 1000v Series	Releases prior to 4.2(1)SV1(5.1) are not affected. Migrate to 5.2(1)SV3(1.1) or later
  Cisco TelePresence Video Communication Server	X7.0.2
  Cisco CTS 500-32 Telepresence System Series	1.8.0
  Cisco Video Surveillance Manager (VSM)	7.0(0.105) or later
  Cisco Video Surveillance Operations Manager (VSOM)	7.0(0.105) or later
  Management Center for Cisco Security Agent	5.2(0.312) in the 5.0 Release 6.0(2.151) in the 6.0 Release
  Cisco Wireless Control System (WCS)	7.0.220.0
  Cisco Quad	2.5(1)
  Cisco Network Collector	6.3.2
  Cisco Wide Area Application Services (WAAS) Software	4.4.3(a)

  This section will be updated when more information is available.

Exploitation and Public Announcements

• This vulnerability was initially reported to the Full Disclosure mailing list at the following link: http://seclists.org/fulldisclosure/2011/Aug/175

  Apache has confirmed that it is aware of exploitation of this vulnerability. Cisco is not aware of malicious exploitation of this vulnerability related specifically to Cisco products.

  Proof-of-concept code is available for this vulnerability.

URL

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110830-apache

Revision History

• Revision 1.9	2014-November-20	Fixed information for Video Communication Server: fixed release is X7.0.2 instead of X7.0.1.
  Revision 1.8	2014-October-28	Added Nexus 1K as affected. Updated first fixed release information.
  Revision 1.7	2012-January-23	Updated the Software Versions and Fixes section.
  Revision 1.6	2011-September-13	Updated the Products Confirmed Not Vulnerable section.
  Revision 1.5	2011-September-08	Updated Vulnerable Products and Software Versions and Fixes sections.
  Revision 1.4	2011-September-06	Updated Vulnerable Products and Software Versions and Fixes sections.
  Revision 1.3	2011-September-02	Updated Vulnerable Products and Software Versions and Fixes sections. Added Cisco Network Collector to Vulnerable Products section.
  Revision 1.2	2011-September-01	Added Cisco Quad to Vulnerable Products section and revised Software Versions and Fixes section.
  Revision 1.1	2011-August-31	Updated Vulnerable Products, Products Confirmed Not Vulnerable, and Details sections with additional information about vulnerable and unaffected products.
  Revision 1.0	2011-August-30	Initial public release.

  Show Less