CSCur27551 - SSLv3 Poodle attack against https in wlc, CVE-2014-3566

Is there a reason why Cisco doesn't add this code/fix 7.6.130.13 to their main downloads for the 5508 WLC? I need to get this again and most likely need to resubmit a ticket just to get a link to download.

Firmware 1.05.36 of MyCloud Mirror fixed that: http://community.wd.com/t5/WD-My-Cloud-Mirror/New-Release-My-Cloud-Mirror-Firmware-Release-1-05-36-7-8-2015/td-p/886778

Similar Messages

  • CSCur27617: AnyConnect vulnerable to POODLE attack (CVE-2014-3566) Win/Mac/Linux

    I wanted to know if the AnyConnect Secure Mobility Client would still be vulnerable to this if it was only connecting via SSL VPN (TLS) to an ASA that already has the workaround implemented on it (Disable SSLv3)?
    Thanks,
    Rob Miele

    Hi Rob,
    According to the bug:
    All versions of desktop AnyConnect for Mac OS X and Linux prior to 3.1.00495 are vulnerable, so AnyConnect 3.1.06.073 is safe from the POODLE vulnerability.
    On AnyConnect you can disable SSL by using IKEv2 instead of the SSL protocols; however, as the bug mentions, the client creates a parallel SSL tunnel to get updates and the profile from the router.
    If you're asking to disable SSLv3 on the router, unfortunately there is no code yet; the workaround is to disable webvpn or upgrade the VPN client.
    Also, here is the official advisory for the POODLE vulnerability on Cisco products.
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
    Hope it helps
    - Randy - 

  • Mitigating SSL v3 POODLE Vulnerability (CVE-2014-3566)

    Hi all,
    Another day, another vulnerability. Feel like we are swimming against the tide.
    Now, SSL v3 has been shown to be vulnerable (looks like a protocol issue, not an implementation issue, so patches are doubtful) and so I am looking at what we can do to mitigate this. Clients (such as IE, Firefox and Chrome (sort of)) can be set to disable SSL v3, but rolling this out across an Enterprise might not be that easy.
    In IIS (that would be running TMS) you can switch off SSL v3 via a reg edit, but are there any knock-on effects? What about the web services built into CODECs, MCUs and other infrastructure devices - can SSL v3 be switched off?
    Look forward to the responses.
    Cheers
    Chris

    Hi All,
    This tidbit is not Cisco-oriented per se, but some of you might find it useful (if you haven't found the info yourselves already); it's what I sent around to my team here:
    There are many things you can do to mitigate this vulnerability, as you can also disable SSL3 in various clients (although this might affect communication with legacy systems).
    Firefox – Version 34 (due for release at the end of November) will disable SSL v3 by default, but they have released a plug-in that can disable this immediately. See https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
    IE – You can turn off SSL 3 from the Settings --> Internet Options --> Advanced --> Security section; however, if you find that the options to check SSL/TLS are greyed out (as they are on my machine), this may be a hangover from a previous security software installation.
    However, I will override this using GPO so domain-joined PCs will have this setting updated. The GPO applied to the domain is:
    Computer Setting --> Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel --> Advanced Page --> Turn Off Encryption Support = TLS 1.0, TLS 1.1, and TLS 1.2 ONLY
    Chrome – This is a little more difficult. It seems you can only do this at this moment in time by adding a switch to the start-up command (you can modify the shortcut on either Windows or Mac). Check out https://zmap.io/sslv3/browsers.html

  • CSCur27617 - AnyConnect vulnerable to POODLE attack (CVE-2014-3566)

    Hello to all,
    In CSCur27617 it is stated:
    Known Affected Releases:(1)3.1(5178)
    We are currently deploying 3.0.4235-k9.
    Since this vulnerability uses the SSL channel parallel to IPSec,
    I expect that 3.0.4235-k9 is affected also.
    Is this correct?
    Thanks Ernie

  • [CVE-2014-3566] SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability

    Cisco is aware of the reported vulnerability and is currently investigating this report.  Cisco is evaluating products to determine their exposure to this vulnerability.
    Cisco has issued an official PSIRT notice for the SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
    Please refer to the following information, as provided from our Product Security Incident Response Team (PSIRT):
    SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
    Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at:
    http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html 
    This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at:
    http://www.cisco.com/go/psirt

    Quick-link to the PSIRT verified Email Security (ESA) vulnerability information as well as workaround:-
    https://tools.cisco.com/bugsearch/bug/CSCur27131

  • How do I disable SSLV3 in Oracle HTTP SERVER to prevent POODLE attacks?

    I see the line in the ssl.conf file:
    SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_RC4_40_MD5:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    but I'm not sure which ciphers are SSLV3.
    Thanks,
    Andy

    Hi Andy,
    For this, we highly recommend that you open an SR with Oracle Support, and the Security team will assist you in getting this fixed.
    Thanks,
    Sharmela

  • Sslv3 poodle vulnerability and sharepoint site using https

    Hi,
    Is it safe to run the IIS Crypto tool and choose 'FIPS 140-2' on a SharePoint WFE?
    We have one web application accessible to users using HTTPS with a valid SSL certificate from a CA.

    FIPS 140-2 is not supported by SharePoint and enforcing it will break SharePoint.
    Instead, disable SSLv3 support in IIS.
    https://www.digicert.com/ssl-support/iis-disabling-ssl-v3.htm
    https://support.microsoft.com/kb/187498/
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Using enumeration SecurityProtocolType.Tls to bypass the poodle attack

    Premise: Our application is built using C# .NET 3.5 and it uses a couple of HttpWebRequest calls to access online resources.
    Issue: The POODLE attack risk
    Description: We want to completely avoid the POODLE attack and would like to force the use of TLS in our application. Would the following statement suffice to force it to do TLS for all HTTP requests: "ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;"?
    With such a setting, will the connection to servers communicating with a handshake using TLSv1.1 or TLSv1.2 also work?
    We do see that in the latest .NET v4.5 the enumeration "SecurityProtocolType.Tls" is extended (with Tls11 and Tls12). We do not want to re-compile the application on the latest .NET framework considering the vast customer base and other associated migration jargon. Please help us overcome this issue.

    I'd probably try them over here.
    http://forums.asp.net/37.aspx/1?C+
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • SSLv3 Poodle vulnerability

    Does anyone have any more info on the SSLv3 Poodle vulnerability, in that are any of the Cisco switches, in particular the ACE load balancer (if they do SSL offloading), vulnerable to this?
    http://www.wired.com/2014/10/poodle-explained/
    If so, is there a way to disable SSLv3?

    To disable SSLv3, do something like this:
    parameter-map type ssl PARAMMAP_SSL
      cipher RSA_WITH_3DES_EDE_CBC_SHA
      cipher RSA_WITH_AES_128_CBC_SHA priority 2
      cipher RSA_WITH_AES_256_CBC_SHA priority 3
      version TLS1
    ssl-proxy service SSL_PSERVICE_SERVER
      ssl advanced-options PARAMMAP_SSL
    (Omitted all the other important, but not to this exact solution, stuff in the ssl-proxy config)
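
A way to confirm that a change such as `version TLS1` took effect, as an added example that is not part of the original posts: it builds a ClientHello whose highest version is SSL 3.0 and classifies the server's first record. The function names are assumptions made for this sketch, and the cipher code points are the IANA values for the three suites in the parameter-map above.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"
# The three CBC suites from the parameter-map above, as IANA code points
SUITES = [0x000A, 0x002F, 0x0035]
ALERTS = {40: "handshake_failure", 70: "protocol_version"}

def client_hello():
    """Return one SSLv3 record carrying a ClientHello capped at version 3.0."""
    suites = b"".join(struct.pack(">H", s) for s in SUITES)
    body = (SSL3 + os.urandom(32) + b"\x00"          # version, random, empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                            # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack(">H", len(handshake)) + handshake

def classify(reply):
    """Return (sslv3_enabled, reason); sslv3_enabled is None when inconclusive."""
    if len(reply) < 5:
        return False, "connection closed without a TLS record"
    rtype, length = reply[0], struct.unpack(">H", reply[3:5])[0]
    payload = reply[5:5 + length]
    if rtype == 0x15 and len(payload) >= 2:           # alert: level, description
        return False, "alert " + ALERTS.get(payload[1], str(payload[1]))
    if rtype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        if payload[4:6] == SSL3:                      # server_version in ServerHello
            return True, "ServerHello negotiated SSL 3.0"
        return None, "ServerHello chose version %d.%d" % (payload[4], payload[5])
    return None, "unexpected record type %d" % rtype

def probe(host, port=443, timeout=5.0):
    """Send the hello to host:port and classify the first bytes that come back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello())
        try:
            reply = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return classify(reply)
```

A `True` result after the configuration change means some listener on that address still negotiates SSL 3.0, which is the situation a scanner reports as POODLE-exposed.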

  • OpenSSL SSL/TLS Man-In-The-Middle Injection Attack CVE-2014-0224

    Can someone help me fix the OpenSSL issue CVE-2014-0224 on Windows Server 2008 R2? Please advise.

    Hi,
    From the description on the OpenSSL site, it is fixed in newer versions, so could you update to the new version?
    https://www.openssl.org/news/vulnerabilities.html
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    CVE-2014-0224: 5th June 2014
    An attacker can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. (original advisory).
    Reported by KIKUCHI Masashi (Lepidum Co. Ltd.).
    Fixed in OpenSSL 1.0.1h (Affected 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
    Fixed in OpenSSL 1.0.0m (Affected 1.0.0l, 1.0.0k, 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0)
    Fixed in OpenSSL 0.9.8za (Affected 0.9.8y, 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8e, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8)

  • SSLV3 poodle on WLC 2100

    Hi everyone,
    It seems that, as per Cisco, all WLCs (5500/2100 etc.) are affected by SSLv3.
    I need to know if there is any config change that can be done without doing a version upgrade.
    Regards
    Mahesh

    If you do not want users to connect to a web page using a browser that is configured with SSLv2 only, you can disable SSLv2 for web authentication by entering the config network secureweb cipher-option sslv2 disable command. If you enter this command, users must use a browser that is configured to use a more secure protocol such as SSLv3 or later releases. The default value is disabled.

  • Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

    Hello,
    I have configured a Guest SSID with web authentication (captive portal).
    wlan XXXXXXX 2 Guest
     aaa-override
     client vlan YYYYYYYYY
     no exclusionlist
     ip access-group ACL-Usuarios-WIFI
     ip flow monitor wireless-avc-basic input
     ip flow monitor wireless-avc-basic output
     mobility anchor 10.181.8.219
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security web-auth
     security web-auth parameter-map global
     session-timeout 65535
     no shutdown
    The configuration of webauth parameter map  is :
    service-template webauth-global-inactive
     inactivity-timer 3600 
    service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
     voice vlan
    parameter-map type webauth global
     type webauth
     virtual-ip ipv4 1.1.1.1
     redirect on-success http://www.google.es
    I need to log in on web authentication over HTTP instead of HTTPS.
    If I log in over HTTP, I will not receive the certificate alerts that prevent the users' connections.
    I saw how to configure it with the 7.x release, but I have IOS XE Version 03.03.05SE and I don't know how to configure it.
    Web Authentication on HTTP Instead of HTTPS
    You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
    For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
    For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
    On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
    Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
    Thanks in advance.
    Regards.

    The documentation doesn't provide very clear direction, does it?
    To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

  • Http profiling wlc 7.3

    Hi,
    Did anyone use HTTP PROFILING in WLC 7.3?
    I am using it with ISE and it is sending weird user-agent strings for iDevices.
    Example for an iPad:
    User-Agent
    $%7BPRODUCT_NAME%7D/1 CFNetwork/548.1.4 Darwin/11.0.0
    That's one.
    An iPhone:
    User-Agent
    Fidelity/1.8.3851 CFNetwork/548.1.4 Darwin/11.0.0
    An iPhone:
    Viber/2.2.1.207 CFNetwork/548.1.4 Darwin/11.0.0 
    This one looks like it is sending what apps are accessing the HTTP protocol or something; it doesn't say iPhone.

    I don't know about Nexus; for the iPad, under Administration - Identities - Endpoints, find that iPad and see if there is a User-Agent attribute.
    I have tried with iPhones and a Windows 7 machine, but anyway I see this iPad on my ISE; it has been profiled cuz of the hostname, but I also see weird user agent info:
    User-Agent
    $%7BPRODUCT_NAME%7D/1 CFNetwork/548.1.4 Darwin/11.0.0
    I will have to do some research and see what's going on, but anyway try connecting and browsing for a second and then see if you get that user agent attribute.
    Seems like the WLC sends interesting stuff.
    Here is one for one of the iPhones:
    User-Agent
    Fidelity/1.8.3851 CFNetwork/548.1.4 Darwin/11.0.0
    LoL

  • MeetingPlace 7.1 SSLv3/Poodle Vulnerability

    Hello, Support Community,
    We have MeetingPlace 7.1 on an MCS server.  The server is running the Cisco IOS Image 2003.1.51 and Service Release 25.  This is our conference server located in our DMZ for outside conferencing. 
    I have read the notice at https://tools.cisco.com/bugsearch/bug/CSCur33354/?referring_site=bugquickviewclick. 
    It appears that upgrading is the best option; however, we are looking for a short-term security option if one is available, as we are going to be getting ready to upgrade to WebEx in a few months.
    Is there anything else that can be enabled differently, or disabled, to secure the server and still provide service to our clients that are coming in for web conferencing from the outside?
    Many thanks in advance for the help!
    Peggy

  • SSLv3 POODLE on v7.1 IPS

    CSCur29000 states "No release planned to fix this bug."  I understand that this is covered with version 7.3(2), which I have running on one of my 5512-X firewalls.  But what about the SSM-10's that only run the 7.1 series?  7.1(9) was just released which finally fixes the OpenSSL heartbleed issue from June.  It doesn't appear to fix this issue.  When can we expect to get this fixed on a currently supported product?
    Thanks,
    Mike

    Tried this on one of my 4260's and our most recent vulnerability scan is still picking up the IPS as vulnerable to POODLE.
    Given that the IPS is technically supported until 2018, I'm having a hard time convincing the business that they need to upgrade it just yet.
    Was there anything else you needed to do other than what was documented in the link?
