...
Cisco IOS includes a version of TLS that is affected by the vulnerability identified by the following Common Vulnerabilities and Exposures (CVE) ID:

CVE-2014-8730

This vulnerability is hardware dependent.
Cisco IOS is affected if both of the following conditions are verified:

1- The device is configured with the AnyConnect or Clientless SSL VPN feature.
2- The onboard engine is used for crypto operations (* see note below).

To verify whether SSL VPN is configured, use the ''show webvpn gateway brief'' command and verify that the gateway is up. The following example shows a system with the SSL VPN gateway called TEST:

    router#show webvpn gateway brief
    Gateway Name       Admin   Operation
    ------------       -----   ---------
    TEST               up      up

To verify whether the onboard crypto engine is enabled, use the ''show crypto eli s'' command and verify that the Onboard VPN section is present. The following example shows a system configured for onboard:

    router#show crypto eli s
    Onboard VPN                          Count      msec
      Create IPSec SA (by keys)          35608       0.0
      Delete IPSec SA                    35606       0.0
      Set IPSec MTU                      17805       0.0
      Pull flow statistics               12617       0.0
      Pull sadb-ivrf statistics          12617       0.0
      Modular Exponentiation           4069403       9.1
      SSL Create                        115136       0.0
      SSL Delete                        115136       0.0
      [...]

* Note: Cisco IOS running on the 3925E and 3945E is vulnerable only if the onboard engine is used for SSL VPN. This can be verified by using the ''show running-config | include ssl fair'' command and verifying that it returns output.

The following Cisco IOS HW models that support IOS SSL VPN are affected:

8xx
1921
1941
2901
2911
2921
2951
3925
3945
3925E
3945E
1800 - only if running AIM-VPN/SSL (see CSCus94884)
2800 - only if running AIM-VPN/SSL (see CSCus94884)
3800 - only if running AIM-VPN/SSL (see CSCus94884)

All versions of Cisco IOS Software running on an affected HW model are affected by this vulnerability.

The following HW models are not affected:

7200
7300

Cisco routers running Cisco IOS-XE Software are not affected by this vulnerability.
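The exposure test above (SSL VPN gateway up, onboard engine present, the ssl fair check on the 3900E platforms, and the affected model list with the AIM-VPN/SSL qualifier) can be applied to captured show output rather than by eye. The following script is an added example written for this page; it is not Cisco's code or tooling. The sample show outputs are constructed to match the examples above, and the mapping of 8nn, 18nn, 28nn and 38nn model numbers to the 8xx, 1800, 2800 and 3800 list entries is an assumption of the example.

```python
"""Audit helper for the CVE-2014-8730 exposure conditions on Cisco IOS SSL VPN routers.

Added example: evaluates captured 'show' output against the advisory's
conditions.  All sample outputs below are constructed, not taken from a device.
"""
import re

# Exact HW models listed as affected.
AFFECTED_EXACT = {"1921", "1941", "2901", "2911", "2921", "2951",
                  "3925", "3945", "3925E", "3945E"}
# Series affected only when an AIM-VPN/SSL module is installed (CSCus94884).
AIM_SERIES = {"1800", "2800", "3800"}
# 3900E platforms: exposed only when the onboard engine serves SSL VPN.
E_SERIES = {"3925E", "3945E"}

# Constructed sample output, modelled on the advisory's examples.
SAMPLE_WEBVPN_UP = """\
Gateway Name       Admin   Operation
------------       -----   ---------
TEST               up      up
"""
SAMPLE_WEBVPN_DOWN = SAMPLE_WEBVPN_UP.replace("up      up", "down    down")
SAMPLE_ELI_ONBOARD = """\
Onboard VPN                          Count      msec
  Create IPSec SA (by keys)          35608       0.0
  Delete IPSec SA                    35606       0.0
  Modular Exponentiation           4069403       9.1
  SSL Create                        115136       0.0
  SSL Delete                        115136       0.0
"""
SAMPLE_ELI_NO_ONBOARD = ""   # no 'Onboard VPN' section: engine not in use
SAMPLE_CONFIG_SSL_FAIR = "crypto engine accelerator bandwidth-allocation ssl fair\n"


def model_series(model):
    """Map a model string to the advisory's list entry, or None if not listed.
    Assumption: any 3-digit 8nn model counts as 8xx; 18nn/28nn/38nn map to
    the 1800/2800/3800 series."""
    m = model.strip().upper()
    if m in AFFECTED_EXACT:
        return m
    if re.fullmatch(r"8\d\d", m):
        return "8xx"
    if re.fullmatch(r"(18|28|38)\d\d", m):
        return m[:2] + "00"
    return None


def ssl_vpn_gateway_up(show_webvpn):
    """True if any gateway row of 'show webvpn gateway brief' is up/up."""
    for line in show_webvpn.splitlines():
        cols = line.split()
        if len(cols) >= 3 and cols[-2].lower() == "up" and cols[-1].lower() == "up":
            return True
    return False


def onboard_engine_in_use(show_crypto_eli):
    """True if 'show crypto eli s' output contains an 'Onboard VPN' section."""
    return any(line.strip().startswith("Onboard VPN")
               for line in show_crypto_eli.splitlines())


def ssl_fair_configured(running_config):
    """True if 'show running-config | include ssl fair' would return output."""
    return any("ssl fair" in line for line in running_config.splitlines())


def assess(model, show_webvpn, show_crypto_eli, running_config="", aim_vpn_ssl=False):
    """Return (affected, reason) by walking the advisory's conditions in order."""
    series = model_series(model)
    if series is None:
        return False, "hardware model not in the affected list"
    if series in AIM_SERIES and not aim_vpn_ssl:
        return False, f"{series} series is affected only with AIM-VPN/SSL installed"
    if not ssl_vpn_gateway_up(show_webvpn):
        return False, "no SSL VPN gateway is up (condition 1 not met)"
    if series in E_SERIES:
        if ssl_fair_configured(running_config):
            return True, "3900E onboard engine allocated to SSL VPN (ssl fair present)"
        return False, "3900E onboard engine not used for SSL VPN"
    if onboard_engine_in_use(show_crypto_eli):
        return True, "SSL VPN up and onboard crypto engine in use"
    return False, "onboard crypto engine not in use (condition 2 not met)"


if __name__ == "__main__":
    for model in ("3925", "3945E", "2811", "7200"):
        print(model, assess(model, SAMPLE_WEBVPN_UP, SAMPLE_ELI_ONBOARD))
```

Feed the script the raw text of the three show commands from each router; the reason string tells the operator which condition decided the result, which is what matters when choosing between the two workarounds.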
For the 3900E platforms it is possible to disable the onboard engine for SSL VPN only. The following example shows how to disable the onboard engine for SSL VPN on 3900E platforms:

    router(config)#no crypto engine accelerator bandwidth-allocation ssl fair

For all the other affected platforms, disabling the onboard engine disables the hardware accelerator for every feature that uses it. This includes SSL VPN and IPsec VPN. Customers should carefully evaluate this option. The following example shows how to disable the onboard engine:

    router(config)#no crypto engine onboard 0
Additional details about the vulnerability listed above can be found at http://cve.mitre.org/cve/cve.html

Cisco has published the following Security Notice and IntelliShield Alert:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8730
http://tools.cisco.com/security/center/viewAlert.x?alertId=36740

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0

CVE ID CVE-2014-8730 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html