Cisco Cisco IOS Software Release 12.2(35)SE
Release Notes for the Cisco ME 3400 Ethernet Access Switch, Cisco IOS Release 12.2(37)SE and Later
OL-12617-02
Resolved Caveats
These sections describe the caveats that have been resolved in these releases:
Caveats Resolved in Cisco IOS Release 12.2(37)SE1
These caveats are resolved in Cisco IOS Release 12.2(37)SE1:
• CSCsc19259
The server side of the Secure Copy (SCP) implementation in Cisco IOS contains a vulnerability that allows any valid user, regardless of privilege level, to transfer files to and from an IOS device that is configured to be a Secure Copy server. This vulnerability could allow valid users to retrieve or write to any file on the device’s filesystem, including the device’s saved configuration. This configuration file may include passwords or other sensitive information.
The Cisco IOS Secure Copy Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the Cisco IOS Secure Copy Server service are not affected by this vulnerability.
This vulnerability does not apply to the Cisco IOS Secure Copy Client feature.
This advisory is posted at
.
• CSCsj13619
The SCP (Secure Copy Protocol) support is now correctly included in the image. The show file systems and copy privileged EXEC commands now correctly show scp as an option.
• CSCsj19641
The switch no longer drops ARP packets destined to MAC addresses that are close to the MAC address block of the switch.
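The exposure condition for CSCsc19259 (SCP server explicitly enabled, and valid users below full privilege) can be checked offline against a saved configuration. The script below is an added example, not part of the Cisco release notes: it looks for the `ip scp server enable` global command and lists locally defined users below privilege level 15. The sample configuration is constructed, the function names are hypothetical, and users authenticated through a remote AAA server do not appear in the configuration and are not covered.

```python
import re

# Constructed sample running-config for illustration (not from the release notes).
SAMPLE_CONFIG = """\
hostname me3400-lab
aaa new-model
username admin privilege 15 secret 5 $1$constructed$hash
username noc privilege 1 secret 5 $1$constructed$hash
username backup secret 5 $1$constructed$hash
ip ssh version 2
ip scp server enable
"""

# Anchored at line start so the negated form "no ip scp server enable" does not match.
SCP_ENABLE = re.compile(r"^ip scp server enable\s*$", re.MULTILINE)
USERNAME = re.compile(r"^username (\S+)(?: privilege (\d+))?", re.MULTILINE)


def scp_server_enabled(config):
    """Return True if the optional SCP server (disabled by default) is turned on."""
    return bool(SCP_ENABLE.search(config))


def low_privilege_users(config):
    """Return local users below privilege 15.

    A username line without an explicit privilege keyword is treated as
    level 1, the IOS default for local users.
    """
    users = []
    for name, level in USERNAME.findall(config):
        if int(level or 1) < 15:
            users.append(name)
    return users


def audit(config):
    """Summarise exposure: low-privilege users matter only if SCP is enabled."""
    enabled = scp_server_enabled(config)
    return {
        "scp_server_enabled": enabled,
        "users_to_review": low_privilege_users(config) if enabled else [],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A device that reports `scp_server_enabled` as true on an image earlier than 12.2(37)SE1 is a candidate for upgrade or for disabling the SCP server.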
Caveats Resolved in Cisco IOS Release 12.2(37)SE
These caveats are resolved in Cisco IOS Release 12.2(37)SE:
• CSCsb12598
A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
– Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
– Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304