COMMAND

    Cisco

SYSTEMS AFFECTED

    Catalyst 6000, 5000, 4000 images with SSH support.  Versions 6.1(1),
    6.1(1a), 6.1(1b) with Triple Data Encryption Standard (3DES) features
    only.

PROBLEM

    The following is based on a Cisco Security Notice.  Connection
    attempts that do not use the Secure Shell (SSH) protocol, made to an
    enabled SSH service on a Cisco Catalyst 6000, 5000, or 4000 switch,
    might cause a "protocol mismatch" error, resulting in a supervisor
    engine failure.  The supervisor engine failure causes the switch to
    stop passing traffic and reboot.

    Only the following images are affected:

        cat4000-k9.6-1-1.bin
        cat5000-sup3cvk9.6-1-1a.bin
        cat5000-sup3k9.6-1-1.bin
        cat5000-supgk9.6-1-1.bin
        cat6000-sup2cvk9.6-1-1b.bin
        cat6000-sup2k9.6-1-1b.bin
        cat6000-supcvk9.6-1-1b.bin
        cat6000-supk9.6-1-1b.bin

    Cisco  IOS  12.1  SSH  implementation  is  not  affected  by  this
    vulnerability.  No other Cisco devices are affected.

    Non-SSH protocol connection attempts to the SSH service cause a
    "protocol mismatch" error, which causes a switch to reload.  SSH
    is not enabled by default, and must be configured by the
    administrator.

    To  verify  if  your  image  is  affected,  run  the command "show
    version".   If the  image filename  is listed  above, and you have
    enabled SSH,  you are  affected by  this vulnerability  and should
    upgrade  to  a  fixed  version  immediately.   This  vulnerability
    enables a Denial of Service attack on the Catalyst switch.
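
    The check described above can be run over saved switch output for
    many devices at once.  The following is an added example, not part
    of the Cisco notice: the function names, status labels and sample
    text are constructed, and whether SSH is enabled is assumed to be
    supplied by the operator.

```python
import re

# Affected image filenames, copied from the list in this advisory.
AFFECTED_IMAGES = frozenset({
    "cat4000-k9.6-1-1.bin",
    "cat5000-sup3cvk9.6-1-1a.bin",
    "cat5000-sup3k9.6-1-1.bin",
    "cat5000-supgk9.6-1-1.bin",
    "cat6000-sup2cvk9.6-1-1b.bin",
    "cat6000-sup2k9.6-1-1b.bin",
    "cat6000-supcvk9.6-1-1b.bin",
    "cat6000-supk9.6-1-1b.bin",
})

# Filenames in the list have the shape <platform>-<features>.<x>-<y>-<z>.bin
IMAGE_RE = re.compile(r"\bcat\d{4}-[a-z0-9]+\.\d+-\d+-\d+[a-z]?\.bin\b", re.I)


def find_images(captured_text):
    """Return every Catalyst image filename in the text, lower-cased."""
    return [m.group(0).lower() for m in IMAGE_RE.finditer(captured_text)]


def classify(captured_text, ssh_enabled):
    """Apply the advisory's two conditions (listed image, SSH enabled)."""
    images = find_images(captured_text)
    if not images:
        return "no-image-found"
    if not any(img in AFFECTED_IMAGES for img in images):
        return "not-listed"
    # A listed image is only exposed when the SSH service is turned on.
    return "affected" if ssh_enabled else "listed-image-ssh-disabled"


if __name__ == "__main__":
    # Constructed inventory: hostname -> (captured text, SSH enabled?).
    # The text does not reproduce the real "show version" layout.
    inventory = {
        "sw-core-1": ("image bootflash:cat6000-supk9.6-1-1b.bin", True),
        "sw-dist-2": ("image CAT5000-SUP3K9.6-1-1.BIN", False),
        "sw-lab-3": ("image cat6000-supk9.6-1-1c.bin", True),
    }
    for host, (text, ssh) in sorted(inventory.items()):
        print(host, classify(text, ssh))
```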

SOLUTION

    This  problem  is  resolved  in  release  6.1(1c).   Due to a very
    limited number of customer  downloads, Cisco has chosen  to notify
    affected  customers   directly.   This   vulnerability  has   been
    assigned Cisco bug ID CSCds85763.  The full text of this  advisory
    can be viewed at:

        http://www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml

    The workaround for this  vulnerability is to disable  SSH service.
    For most customers using this image, SSH support is necessary,  so
    the recommended action is to upgrade to a fixed version.