CSCur27617: AnyConnect vulnerable to POODLE attack (CVE-2014-3566) Win/Mac/Linux Question
I wanted to know if the AnyConnect Secure Mobility Client would still be vulnerable to this if it was only connecting via SSL VPN (TLS) to an ASA that already has the workaround implemented on it (Disable SSLv3)?
Thanks,
Rob Miele
Hi Rob,
According to the bug:
All versions of desktop AnyConnect for Mac OS X and Linux prior to 3.1.00495 are vulnerable, so AnyConnect 3.1.06.073 is safe from the POODLE vulnerability.
On AnyConnect you can disable SSL by using IKEv2 instead of the SSL protocols; however, as the bug mentions, the client creates a parallel SSL tunnel to get updates and the profile from the router.
If you're asking to disable SSLv3 on the router, unfortunately there is no code yet; the workaround is to disable the webvpn or upgrade the VPN client.
Also, here is the official advisory for the POODLE vulnerability on Cisco products.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
Hope it helps
- Randy -
Similar Messages
-
CSCur27617 - AnyConnect vulnerable to POODLE attack (CVE-2014-3566)
Hello to all
In CSCur27617 it is stated:
Known Affected Releases:(1)3.1(5178)
We are currently deploying 3.0.4235-k9
Since this vulnerability uses the SSL channel parallel to IPsec,
I expect that 3.0.4235-k9 is affected also.
Is this correct?
Thanks Ernie
Firmware 1.05.36 of MyCloud Mirror fixed that: http://community.wd.com/t5/WD-My-Cloud-Mirror/New-Release-My-Cloud-Mirror-Firmware-Release-1-05-36-7-8-2015/td-p/886778
-
Is patch available for CVE-2014-3566?
Is patch available for CVE-2014-3566?
Update your OS X to the latest version plus any security updates.
Pete -
Mitigating SSL v3 POODLE Vulnerability (CVE-2014-3566)
Hi all,
Another day, another vulnerability. Feel like we are swimming against the tide.
Now, SSL v3 has been shown to be vulnerable (looks like a protocol issue, not an implementation issue, so patches are doubtful) and so I am looking at what we can do to mitigate this. Clients (such as IE, Firefox and Chrome (sort of)) can be set to disable SSL v3, but rolling this out across an Enterprise might not be that easy.
In IIS (that would be running TMS) you can switch off SSL v3 via a reg edit, but are there any knock-on effects? What about the web services built into CODECs, MCUs and other infrastructure devices - can SSL v3 be switched off?
Look forward to the responses.
Cheers
Chris
Hi All,
This tidbit is not Cisco orientated per se, but some of you might find it useful if you haven't found the info yourselves already (it's what I sent around to my team here):
There are many things you can do to mitigate this vulnerability, as you can also disable SSL3 in various clients (although this might affect communication with legacy systems)
Firefox – Version 34 (due for release at the end of November) will disable SSL v3 by default, but they have released a plug in that can disable this immediately. See https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
IE – You can turn off SSL 3 from the Settings --> Internet Options --> Advanced --> Security section; however, if you find that the options to check SSL/TLS are greyed out (as they are on my machine), this may be a hangover from a previous security software installation.
However, I will override this using GPO so domain joined PCs will have this setting updated. The GPO applied to the domain is:
Computer Setting --> Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel --> Advanced Page --> Turn Off Encryption Support = TLS 1.0, TLS 1.1, and TLS 1.2 ONLY
Chrome – This is a little more difficult. It seems you can only do this at this moment in time by adding a switch to the start-up command (you can modify the shortcut on either Windows or Mac). Check out https://zmap.io/sslv3/browsers.html -
OpenSSL SSL/TLS Man-In-The-Middle Injection Attack CVE-2014-0224
Can someone help me to fix the OpenSSL issue in Windows Server 2008 R2 (CVE-2014-0224)? Please advise.
Hi,
From the description on Open SSL site, it is fixed in newer versions so could you update to the new version?
https://www.openssl.org/news/vulnerabilities.html
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
CVE-2014-0224: 5th June 2014
An attacker can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. (original advisory).
Reported by KIKUCHI Masashi (Lepidum Co. Ltd.).
Fixed in OpenSSL 1.0.1h (Affected 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
Fixed in OpenSSL 1.0.0m (Affected 1.0.0l, 1.0.0k, 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0)
Fixed in OpenSSL 0.9.8za (Affected 0.9.8y, 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8e, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8)
If you have any feedback on our support, please send to [email protected] -
Cisco is aware of the reported vulnerability and is currently investigating this report. Cisco is evaluating products to determine their exposure to this vulnerability.
Cisco has issued an official PSIRT notice for the SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
Please refer to the following information, as provided from our Product Security Incident Response Team (PSIRT):
SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at:
http://www.cisco.com/go/psirt
Quick-link to the PSIRT verified Email Security (ESA) vulnerability information as well as workaround:-
https://tools.cisco.com/bugsearch/bug/CSCur27131 -
BUG #CSCur27131 - Evaluation of CVE-2014-3566 on Cisco Email Security Appliance
I have raised a support case with TAC to try and get more information on the preferred config as well as what Ciphers then become available. Points raised in the support case are as follows:
Current config based on existing article pre-POODLE > MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
Should the new config be > MEDIUM:HIGH:-SSLv2:-SSLv3:-aNULL:@STRENGTH
Use of strength meaning that the Ciphers are ordered and presented strongest to weakest as negotiation should occur at the first mutually accepted cipher.
What are the TLSv1 Ciphers used by Ironport (verify under sslconfig CLI appears only to list SSL ciphers)
Finally, does the Ironport support or plan to support in the future TLSv1.1 and TLSv1.2 ciphers?
Response from TAC so far is the same as the referenced article - https://tools.cisco.com/bugsearch/bug/CSCur27131 which doesn't address all my points
Paul
Negating SSLv2 and SSLv3 in the cipher suite has no effect as long as only TLSv1 is enabled.
And reordering ciphers by strength won't bring anything since the client's ciphers order will always be preferred.
Also, MD5 should be disabled as it's widely considered too weak for the job.
My recommendation would be to use the following suite > HIGH:MEDIUM:!aNULL:!MD5 -
Bash vulnerability bash CVE-2014-6271 on Cisco devices
Hi, all,
Anybody know whether any Cisco devices are vulnerable to recent bash CVE-2014-6271? I am especially concerned about ASA which opens https to the public.
Thanks,
Have a look here:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_Bash_09252014.html
and here:
http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Under affected products. -
CVE-2014-6271 and CVE-2014-7169 / Oracle Linux
Hi,
The patch required to resolve the vulnerabilities described in CVE-2014-6271 and CVE-2014-7169 in Oracle Linux 5 (x86) is "bash-3.2-33.el5_11.4.x86_64.rpm".
Where can I get this patch? It's not available on support.oracle/patches!!
Thanks,
Thamer
Your Oracle Linux system should be configured to automatically install packages either from the Unbreakable Linux Network or public-yum.oracle.com. You might want to ask your Linux sysadmin for assistance if your servers aren't already configured for updates.
You can also check Chapter 1 and Chapter 2 of the Oracle Linux Administrator's Guide for more details on using ULN or public-yum: Oracle® Linux (it's for OL6 but the concepts are the same for OL5). -
Schannel and TLS 1.x padding vulnerability (CVE-2014-8730)
Hi all,
Is the implementation of TLS by Microsoft Secure Channel (Schannel) (http://msdn.microsoft.com/en-us/library/windows/desktop/aa380123%28v=vs.85%29.aspx) affected by "CVE-2014-8730 TLS 1.x padding vulnerability"?
Please see the following links for more details about this vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
Is there a confirmation from Microsoft that Schannel is not affected by this vulnerability?
Regards,
Sanjay
No, Microsoft Schannel is not affected. Only F5 products are affected:
http://www.securityfocus.com/bid/71549
Vadims Podāns, aka PowerShell CryptoGuy
I know some Windows 2008 systems which are affected?! Why? -
Bash CVE-2014-6271 Vulnerability
Excuse me if this was already posted. I searched titles only for bash and 6271 and didn't see any results.
Cut and paste from CVE-2014-6271 Bash vulnerability allows remote execution arbitrary code:
This morning a flaw was found in Bash with the way it evaluated certain environment variables. Basically an attacker could use this flaw to override or bypass environment restrictions to execute shell commands. As a result various services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
Details on CVE-2014-6271 from the MITRE CVE dictionary and NIST NVD (page pending creation).
I’m currently patching servers for this. The issue affects ALL products which use Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by applications. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such!
To test if your version of Bash is vulnerable run the following command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If that command returns the following:
vulnerable
this is a test
…then you are using a vulnerable version of Bash and should patch immediately. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Arch Linux CVE-2014-6271 patch:
pacman -Syu
Last edited by hydn (2014-09-28 20:57:41)
On a related note. I post this here as it might be of interest to some members....
I just checked my DD-WRT based router for this vulnerability. It comes stock with Busybox and does not seem to be vulnerable, but... I keep bash on a separate partition which gets mounted on /opt. That bash is vulnerable. Until the DD-WRT project catches up, I suggest anyone using that router firmware consider disabling Bash for the time being and stick with BB.
Also, as another aside, ArchArm has this fix in place now and is safely running on my Raspberry Pi.
I did kill the ssh service on the Windows Box that let me into bash via Cygwin. Cygwin Bash is vulnerable as of when I began this post.
Last edited by ewaller (2014-09-25 18:26:18) -
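The probe in the first post tests only the bash that is first in PATH, while the reply found a second, vulnerable bash mounted under /opt. As an added example (not part of either post), this script runs the same probe against every bash binary it can find; the function names and the /opt/bin directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): run the thread's CVE-2014-6271 probe
# against every bash binary on the host, not only the first one in PATH.

# probe_bash FILE -> prints "vulnerable", "patched" or "unusable"
probe_bash() {
    bin=$1
    if [ ! -f "$bin" ] || [ ! -x "$bin" ]; then echo unusable; return 0; fi
    # Probe from the post: a function definition followed by trailing code.
    # A vulnerable bash runs the trailing echo while importing variable x.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*)       echo vulnerable ;;
        *"this is a test"*) echo patched ;;
        *)                  echo unusable ;;
    esac
}

# list_bash_candidates [DIR...] -> candidate paths, one per line, de-duplicated
list_bash_candidates() {
    {
        # Login shells registered on the system.
        if [ -r /etc/shells ]; then
            grep -E '^/.*/bash$' /etc/shells || true
        fi
        # Every PATH entry plus caller-supplied directories.
        old_ifs=$IFS; IFS=:
        for d in $PATH "$@"; do
            if [ -f "$d/bash" ] && [ -x "$d/bash" ]; then echo "$d/bash"; fi
        done
        IFS=$old_ifs
    } | sort -u
}

# audit_bash [DIR...] -> prints "<status> <path>" lines; returns 1 if any is vulnerable
audit_bash() {
    report=$(list_bash_candidates "$@" | while IFS= read -r b; do
        echo "$(probe_bash "$b") $b"
    done)
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    if printf '%s\n' "$report" | grep -q '^vulnerable '; then return 1; fi
    return 0
}

# /opt/bin is an assumed location for a separately installed bash.
audit_bash /opt/bin || echo "at least one bash binary needs patching"
```

A non-zero return from audit_bash makes the script usable as a gate in a patch-verification job.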
Windows Server 2008 CVE-2014-8730 vulnerability
We've received our monthly vulnerability scan results on our production servers running Windows Server 2008 R2.
They are showing vulnerability to TLS POODLE, which is the subject of CVE-2014-8730.
In this article on Qualys, there is mention that Windows Server 2008 is vulnerable but Microsoft have not taken any action yet:
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
Microsoft - We've seen reports that some older platforms (e.g., Windows 2008) appear vulnerable, but no apparent patterns or reliable information so far.
Is there any update on this issue as it's an exploitable vulnerability we would like to remediate.
Thanks,
Lyndon.
Hi Vivian,
The article cited is about a different issue.
In October 2014 there was an SSL v3 POODLE vulnerability; we have resolved this issue by disabling SSL v3 (as recommended).
The article you posted specifically references that issue (the article was published in October 2014).
In December 2014 there was another POODLE vulnerability announced that affected the TLS protocol.
A lot of major vendors have published patches for this issue, but Microsoft are yet to do so (as far as I know).
Hence my original question that has not been answered yet.
Regards,
Lyndon. -
CSCuq79267 - UCS Apache 2.2 Vulnerability CVE-2014-0118
I too am seeing this same behavior. Nessus has found this, and 3 other, vulnerabilities with the Apache version provided by the UCS platform.
Any fixes in the works? We are currently running firmware 2.2(3c). The release notes for 2.2(3d) and 2.2(3e) do not address CVE-2014-0118.
EDIT:
2.2(3f) also does not address these vulnerabilities. Does the UCS version of Apache use the modules that are found faulty according to Nessus?
Nessus is also reporting the following CVEs related to this one: CVE-2013-6438, CVE-2014-0098, CVE-2013-5704, CVE-2014-0226, and CVE-2014-0231.
Hi,
Please refer to these links,
Linux GHOST vulnerability (CVE-2015-0235) is not as scary as it looks | Symantec Connect
https://rhn.redhat.com/errata/RHSA-2015-0090.html
Regards,
S27 -
OpenSSL vulnerability CVE-2014-0224
My customer wants to know whether ASE is affected by the following OpenSSL vulnerabilities in http://www.openssl.org/news/secadv_20140605.txt
SSL/TLS MITM vulnerability (CVE-2014-0224),
DTLS recursion flaw (CVE-2014-0221)
DTLS invalid fragment vulnerability (CVE-2014-0195)
SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
Anonymous ECDH denial of service (CVE-2014-3470)
Can you help me to confirm the above question?
You have clearly double posted this question in two groups.
So the first question goes back to you.
Are you Running SAP Applications on ASE, if so this is not the proper group? -
[CVE-2014-6271] IronPort appliances affected by recent bash vulnerability?
http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x
Discussion?
Cisco has issued an official PSIRT notice for the GNU Bash Environmental Variable Command Injection Vulnerability (CVE-2014-6271), please refer all inquiries to:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Please refer to the expanded "Affected Products".
The following Cisco products are currently under investigation:
Cable Modems
Cisco CWMS
Network Application, Service, and Acceleration
Cisco ACE GSS 4400 Series Global Site Selector
Cisco ASA
Cisco GSS 4492R Global Site Selector
Network and Content Security Devices
Cisco IronPort Encryption Appliance
Cisco Ironport WSA
Routing and Switching - Enterprise and Service Provider
Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500
Cisco ISM
Cisco NCS6000
Voice and Unified Communications Devices
Cisco Finesse
Cisco MediaSense
Cisco SocialMiner
Cisco Unified Contact Center Express (UCCX)
Products and services listed in the subsections below have had their exposure to this vulnerability confirmed. Additional products will be added to these sections as the investigation continues.