Cisco Security Advisory
Apache HTTPd Range Header Denial of Service Vulnerability
-
The Apache HTTPd server contains a denial of service vulnerability when it handles multiple, overlapping ranges. Multiple Cisco products may be affected by this vulnerability.
Mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=24024
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110830-apache.
-
Cisco is currently evaluating products for possible exposure to this vulnerability. Products will only be listed in the Vulnerable Products or Products Confirmed Not Vulnerable sections of this security advisory when a final determination about exposure is made. Products that are not listed in either of these two sections are still being evaluated.
Vulnerable Products
This section will be updated when more information is available. The following products are confirmed to be affected by this vulnerability:
- Cisco MDS 9000 NX-OS Software releases prior to 5.x are affected. Cisco MDS 9000 NX-OS Software releases 5.x and later are not affected.
- Cisco SAN-OS 3.x.
- Cisco TelePresence Video Communication Server (Cisco TelePresence VCS)
- All Cisco CTS TelePresence Systems
- Cisco Video Surveillance Manager (VSM)
- Cisco Video Surveillance Operations Manager (VSOM)
- Management Center for Cisco Security Agent. Cisco Security Agent (client software) is not affected.
- Cisco Wireless Control System (WCS)
- Cisco Wide Area Application Services (WAAS) Software
- Cisco Quad
- Cisco Network Collector
- Cisco Nexus 1000v Series running software versions 4.2(1)SV1(5.1) and later
- Cisco Mobility Services Engine
- CiscoWorks Common Services
- CiscoWorks LAN Management Solution
Products Confirmed Not Vulnerable
The following products are confirmed not vulnerable:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco Catalyst 6500 Series ASA Services Module
- Cisco Catalyst 6500 Series Firewall Services Module
- Cisco Fabric Manager
- Cisco Identity Services Engine
- Cisco Intercompany Media Engine
- Cisco IOS Software
- Cisco IOS XE Software
- Cisco IOS XR Software
- Cisco IP Interoperability and Collaboration System (IPICS)
- Cisco IPS Software
- Cisco Unified IP Phones
- Cisco MDS 9000 NX-OS Software releases 5.x or later (prior versions are affected)
- Cisco Nexus 7000 Series (further testing and verification showed that Cisco NX-OS on Nexus 7000 is not affected by this vulnerability)
- Cisco Nexus 4000 Series
- Cisco Nexus 3000 Series
- Cisco Nexus 5000 Series
- Cisco Nexus 1000v Series running software versions prior to 4.2(1)SV1(5.1)
- Cisco Prime Central
- Cisco Prime Optical
- Cisco Prime Performance Manager
- Cisco Secure Access Control System (ACS)
- Cisco TelePresence Server
- Cisco Unified Communications Manager (formerly Cisco CallManager)
- Cisco Unity
- Cisco Unity Connection
- Cisco Wireless LAN Controllers (WLC)
- Cisco Wireless Location Appliance
- CiscoWorks Wireless LAN Solution Engine (WLSE)
- Cisco Prime Network Control System (NCS)
- Cisco Detector XT DDoS Mitigation Appliance
- Cisco Guard XT DDoS Mitigation Appliance
- Cisco Tidal Enterprise Orchestrator
This section will be updated when more information is available.
-
The Apache HTTPd server contains a denial of service vulnerability when it handles multiple overlapping ranges. Multiple Cisco products may be affected by this vulnerability.
The following Cisco bug IDs track potential exposure to this vulnerability. A bug ID does not confirm that a product is vulnerable; it indicates only that the product is under investigation by the appropriate product team.
Cisco Product | Cisco bug ID
Cisco ACE 4710 Appliance | CSCts35635
Cisco ACE Application Control Engine Module | CSCts35610
Cisco ACE GSS 4400 Series Global Site Selector (GSS) | CSCts33313
Cisco ACE XML Gateway | CSCts33321
Cisco Active Network Abstraction | CSCts33317
Cisco ASA 5500 Series Adaptive Security Appliances | CSCts33180
Cisco CNS Network Registrar | CSCts36064
Cisco Conductor for Videoscape | CSCts32986
Cisco Content Delivery Engine | CSCts36206
Cisco Content Delivery System Internet Streamer | CSCts35643
Cisco Detector XT DDoS Mitigation Appliance | CSCts33211
Cisco Guard XT DDoS Mitigation Appliance | CSCts33210
Cisco Healthpresence | CSCts36069
Cisco Identity Services Engine | CSCts33092
Cisco IP Interoperability and Collaboration System | CSCts33206
Cisco IP Phones | CSCts33264
Cisco IPS Software | CSCts33199
Cisco MDS 9000 SAN Device Management | CSCts33220
Cisco MDS 9000 Series Multilayer Switches | CSCts33294
Cisco NAC Manager | CSCts32965
Cisco NAC Profiler | CSCts33267
Cisco NAC Server | CSCts32976
Cisco NAC Guest Server | CSCts41870
Cisco Network Analysis Module | CSCts33320
Cisco Network Collector | CSCts72493
Cisco Networking Services (CNS) Software | CSCts33279
Cisco Nexus 1000v Series running software versions 4.2(1)SV1(5.1) or later | CSCug41608
Cisco Nexus 5000 Series Switches | CSCts35605
Cisco Nexus 7000 Series Switches | CSCts35665
Cisco OnPlus Network Management and Automation | CSCts33287
Cisco Prime Central | CSCts33004
Cisco Prime Network Control System | CSCts33114
Cisco Prime Performance Manager | CSCts36072
Cisco Quad Collaboration | CSCts36158
Cisco Secure Access Control System | CSCts33196
Cisco Security Manager | CSCts33056
Cisco Service Exchange Framework | CSCts33218
Cisco Signaling Gateway Manager | CSCts33248
Cisco Small Business Network Storage Systems | CSCts33288
Cisco SSC System Manager | CSCts36187
Cisco TelePresence Manager | CSCts33310
Cisco TelePresence Multipoint Switch | CSCts33224
Cisco TelePresence Server | CSCts33230
Cisco CTS 500-32 Telepresence System Series | CSCts35874
All Cisco CTS TelePresence Systems except Cisco CTS 500-32 TelePresence System Series | CSCts33276
Cisco Telepresence System Integrator C Series | CSCts35860
Cisco UCS B-Series Blade Servers | CSCts33291
Cisco Unified Communications Manager | CSCts32992
Cisco Unified Communications System Voice and Unified Communications (VOSS) | CSCts33271
Cisco Unified MeetingPlace | CSCts33169
Cisco Unified Operations Manager | CSCts33273
Cisco Unified Presence Server | CSCts33257
Cisco Unified Service Monitor | CSCts35893
Cisco Unified Service Statistics Manager | CSCts36074
Cisco Unity | CSCts33302
Cisco Unity Connection | CSCts33260
Cisco Video Surveillance Manager | CSCts33173
Cisco Video Surveillance Operations Manager | CSCts33178
Cisco Virtual Network Management | CSCts36207
Cisco Voice Manager (CVM) | CSCts36152
Cisco Wide Area Application Services (WAAS) Software | CSCts33254
Cisco Wireless Control System (WCS) | CSCts33325
Cisco Wireless Control System Navigator | CSCts33052
Cisco Wireless LAN Controllers (WLC) | CSCts33327
CiscoWorks Common Services | CSCts33049
CiscoWorks LAN Management Solution (LMS) | CSCts35837
Cisco Digital Media Suite Products | CSCts33189
Management Center for Cisco Security Agents | CSCts33208
Service Exchange Framework | CSCts36185
Cisco Shared Network Management and Automation | CSCts33476
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2011-3192.
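The trigger named above, a Range header carrying multiple overlapping byte ranges, can be checked for at a reverse proxy or in access-log analysis. The Python below is an added defensive example, not part of the Cisco advisory or any Cisco product: it parses a Range header value into byte ranges and flags the request when any ranges overlap or, as an assumed tuning threshold (MAX_RANGES), when it carries more than five ranges. The sample header values are constructed, not captured traffic.

```python
import re
from typing import List, Optional, Tuple

# Assumed threshold for this example (not from the advisory): flag more than this many ranges.
MAX_RANGES = 5

# One byte-range-spec: "first-last", "first-" (to end of file) or "-N" (last N bytes)
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header: str) -> Optional[List[Tuple[Optional[int], Optional[int]]]]:
    """Parse 'bytes=0-99,200-' into (first, last) pairs, None marking an open end.
    Returns None for a value that is not a well-formed byte-range set, leaving
    such requests to the server's normal handling rather than guessing."""
    value = header.strip()
    if not value.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in value[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec.strip())
        if m is None or m.group(1) == m.group(2) == "":
            return None
        first, last = m.groups()
        ranges.append((int(first) if first else None, int(last) if last else None))
    return ranges


def ranges_overlap(ranges, content_length: int) -> bool:
    """True if any two ranges cover a common byte of a resource of content_length bytes."""
    spans = []
    for first, last in ranges:
        if first is None:  # suffix range: the last `last` bytes of the resource
            start, end = max(content_length - last, 0), content_length - 1
        else:
            start, end = first, (content_length - 1 if last is None else min(last, content_length - 1))
        if start <= end:  # unsatisfiable specs (first > last, or beyond EOF) are skipped
            spans.append((start, end))
    spans.sort()
    return any(cur[0] <= prev[1] for prev, cur in zip(spans, spans[1:]))


def is_suspicious_range(header: str, content_length: int) -> bool:
    """Decide whether a reverse proxy or log job should reject or alert on this value."""
    ranges = parse_byte_ranges(header)
    if ranges is None:
        return False
    return len(ranges) > MAX_RANGES or ranges_overlap(ranges, content_length)


# Constructed sample header values for a 1000-byte resource (not captured traffic).
SAMPLES = {"bytes=0-99,200-299": False, "bytes=0-100,50-150": True, "bytes=-100,950-999": True}
```

Requests the check flags should be rejected with 416 or logged for follow-up; a value that does not parse is passed through so the server's own handling stays authoritative.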
-
Mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=24024
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Product | First Fixed Releases
Cisco MDS 9000 NX-OS Software | Releases prior to 5.x are affected. Releases 5.x and later are not affected. Migrate to 5.x or later.
Cisco Nexus 1000v Series | Releases prior to 4.2(1)SV1(5.1) are not affected. Migrate to 5.2(1)SV3(1.1) or later.
Cisco TelePresence Video Communication Server | X7.0.2
Cisco CTS 500-32 Telepresence System Series | 1.8.0
Cisco Video Surveillance Manager (VSM) | 7.0(0.105) or later
Cisco Video Surveillance Operations Manager (VSOM) | 7.0(0.105) or later
Management Center for Cisco Security Agent | 5.2(0.312) in the 5.0 Release; 6.0(2.151) in the 6.0 Release
Cisco Wireless Control System (WCS) | 7.0.220.0
Cisco Quad | 2.5(1)
Cisco Network Collector | 6.3.2
Cisco Wide Area Application Services (WAAS) Software | 4.4.3(a)
This section will be updated when more information is available.
-
This vulnerability was initially reported to the Full Disclosure mailing list at the following link: http://seclists.org/fulldisclosure/2011/Aug/175
Apache has confirmed that it is aware of exploitation of this vulnerability. Cisco is not aware of malicious exploitation of this vulnerability related specifically to Cisco products.
Proof-of-concept code is available for this vulnerability.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.9
2014-November-20
Fixed information for Video Communication Server: fixed release is X7.0.2 instead of X7.0.1.
Revision 1.8
2014-October-28
Added Nexus 1K as affected. Updated first fixed release information.
Revision 1.7
2012-January-23
Updated the Software Versions and Fixes section.
Revision 1.6
2011-September-13
Updated the Products Confirmed Not Vulnerable section.
Revision 1.5
2011-September-08
Updated Vulnerable Products and Software Versions and Fixes sections.
Revision 1.4
2011-September-06
Updated Vulnerable Products and Software Versions and Fixes sections.
Revision 1.3
2011-September-02
Updated Vulnerable Products and Software Versions and Fixes sections. Added Cisco Network Collector to Vulnerable Products section.
Revision 1.2
2011-September-01
Added Cisco Quad to Vulnerable Products section and revised Software Versions and Fixes section.
Revision 1.1
2011-August-31
Updated Vulnerable Products, Products Confirmed Not Vulnerable, and Details sections with additional information about vulnerable and unaffected products.
Revision 1.0
2011-August-30
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.