CVE-2014-0224
Hi Everyone,
We have multiple switches that have been found to have this vulnerability, CVE-2014-0224, known as the OpenSSL ChangeCipherSpec vulnerability. This affects our CATALYST 3750v2 switches. Are there any mitigations or workarounds for this vulnerability other than upgrading its IOS?
Thank you
Sherwin
Firstly, I think you've posted this in the wrong section of the forums (TelePresence).
But, if you read the notices in detail, and especially the ones for each specific product, they will usually let you know a workaround if there is one.
For some of these vulnerabilities mentioned, you need to have physical access to the box, so making sure they're in a secured location is a good first step.
Similar Messages
-
OpenSSL SSL/TLS Man-In-The-Middle Injection Attack CVE-2014-0224
Can someone help me to fix the OpenSSL issue CVE-2014-0224 in Windows Server 2008 R2? Please advise.
Hi,
From the description on the OpenSSL site, it is fixed in newer versions, so could you update to the new version?
https://www.openssl.org/news/vulnerabilities.html
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
CVE-2014-0224: 5th June 2014
An attacker can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. (original advisory).
Reported by KIKUCHI Masashi (Lepidum Co. Ltd.).
Fixed in OpenSSL 1.0.1h (Affected 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
Fixed in OpenSSL 1.0.0m (Affected 1.0.0l, 1.0.0k, 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0)
Fixed in OpenSSL 0.9.8za (Affected 0.9.8y, 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8e, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8)
If you have any feedback on our support, please send to [email protected]
-
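A version-triage helper for the fixed and affected releases quoted in the reply above, added here as an example and not code from the OpenSSL project or from anyone in this thread. It assumes upstream's plain numbering (major.minor.fix plus patch letters), treats every release below the fixed one on the same branch as affected (a generalisation of the lists quoted above), and knows nothing about vendor backports; the host names and banners are constructed.

```python
import re

# Fixed releases per branch from the advisory text quoted above (1.0.1h, 1.0.0m,
# 0.9.8za); anything earlier on the same branch is treated as affected.
FIXED_IN = {(1, 0, 1): "h", (1, 0, 0): "m", (0, 9, 8): "za"}

# major.minor.fix plus an optional lowercase patch-letter suffix.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(text):
    """(major, minor, fix, letters) from '1.0.1g' or a full `openssl version`
    banner such as 'OpenSSL 0.9.8y 5 Feb 2013'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version number in %r" % text)
    major, minor, fix, letters = m.groups()
    return int(major), int(minor), int(fix), letters

def letter_key(letters):
    """Patch letters sort a..z, then za, zb, ...; an empty suffix is the base
    release and sorts first. Length-then-lexical order gives exactly that."""
    return (len(letters), letters)

def ccs_injection_status(text):
    """'vulnerable', 'fixed' or 'unknown' for CVE-2014-0224, judged from the
    upstream version number alone (vendor backports are invisible here)."""
    major, minor, fix, letters = parse_openssl_version(text)
    branch = (major, minor, fix)
    if branch not in FIXED_IN:
        return "unknown"  # e.g. 1.0.2 betas, not covered by the text above
    if letter_key(letters) >= letter_key(FIXED_IN[branch]):
        return "fixed"
    return "vulnerable"

# Constructed sample inventory of hypothetical hosts: "host<TAB>openssl version output".
SAMPLE_INVENTORY = (
    "web01\tOpenSSL 1.0.1g 7 Apr 2014\n"
    "web02\tOpenSSL 1.0.1h 5 Jun 2014\n"
    "rhel\tOpenSSL 1.0.1e-fips 11 Feb 2013\n"
    "new\tOpenSSL 1.0.2-beta1 24 Feb 2014\n"
)

def triage_inventory(inventory):
    """Map each host name to its CVE-2014-0224 status."""
    results = {}
    for line in inventory.splitlines():
        host, _, banner = line.partition("\t")
        results[host] = ccs_injection_status(banner)
    return results
```

Distribution builds such as the 1.0.1e-fips host commonly carry backported fixes without changing the upstream number, so a "vulnerable" verdict from this check is a prompt to read the vendor package changelog, not a final answer.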
OpenSSL vulnerability CVE-2014-0224
My customer wants to know whether ASE is affected by the following OpenSSL vulnerabilities in http://www.openssl.org/news/secadv_20140605.txt
SSL/TLS MITM vulnerability (CVE-2014-0224),
DTLS recursion flaw (CVE-2014-0221)
DTLS invalid fragment vulnerability (CVE-2014-0195)
SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
Anonymous ECDH denial of service (CVE-2014-3470)
Can you help me to confirm the above question?
You have clearly double posted this question in two groups.
So the first question goes back to you.
Are you running SAP applications on ASE? If so, this is not the proper group.
-
High Risk on DMP 4400 and 4310 "OpenSSL MITM CVE-2014-0224"
I cannot find a patch to fix the problem - is there a fix or should I create a TAC case?
DMM version - 5.3.0
4310 and 4400 - version 5.4.1
Here is what I received for the Dell response to the OpenSSL vulnerability.
After a couple of calls to technical support here is what I'm getting for my iDRAC7 getting flagged by Foundstone security scans for the vulnerability CVE-2014-0224:
" The OPEN SSL package used here contains multiple components, the component that is impacted and vulnerable is not being used, other components in this package are being used but aren't vulnerable".
"Dell has determined that the products listed in the attached document are not affected by the vulnerabilities. Some products have leveraged an older (but not vulnerable) OpenSSL module. These could be flagged by a scanner. Dell is currently working on updating the modules to a version that will not be flagged for these issues".
I've also attempted to upload the document, hopefully it can be viewed or downloaded.
If this post has helped you please rate it.
Thanks
2376.Dell-ResponseOpenSSLSecurityAdvisory_05_June_2014_final.pdf -
CSCuq79267 - UCS Apache 2.2 Vulnerability CVE-2014-0118
I too am seeing this same behavior. Nessus has found this and 3 other vulnerabilities with the Apache version provided by the UCS platform.
Any fixes in the works? We are currently running firmware 2.2(3c). The release notes for 2.2(3d) and 2.2(3e) do not address CVE-2014-0118.
EDIT:
2.2(3f) also does not address these vulnerabilities. Does the UCS version of Apache use the modules that are found faulty according to Nessus?
Nessus is also reporting the following CVEs related to this one: CVE-2013-6438, CVE-2014-0098, CVE-2013-5704, CVE-2014-0226, and CVE-2014-0231.
Hi,
Please refer to these links,
Linux GHOST vulnerability (CVE-2015-0235) is not as scary as it looks | Symantec Connect
https://rhn.redhat.com/errata/RHSA-2015-0090.html
Regards,
S27 -
Are you aware of the bash security issue CVE-2014-6271? Do you have a patch for that? The problem may exist in all Solaris versions.
The official communication is now posted to
https://blogs.oracle.com/security/entry/security_alert_cve_2014_7169 -
PCI Compliance Azure Websites (CVE-2014-6321)
Trying to gain PCI compliance for an Azure website. The Trustwave scan came back as a pass apart from the following:
Vulnerability in Security Channel Could Allow Remote Code Execution (MS14-066)/CVE-2014-6321
Anything I can do? It's port 443 - we have an EV SSL certificate in IP Based SSL.
I just had a conversation with Trustwave and they are going to disable this check while they figure out a detection without this false positive, so your scans should be fine now. Thank you Trustwave for such a quick response and turnaround!
-
CSCur27617: AnyConnect vulnerable to POODLE attack (CVE-2014-3566) Win/Mac/Linux
I wanted to know if the AnyConnect Secure Mobility Client would still be vulnerable to this if it was only connecting via SSL VPN (TLS) to an ASA that already has the workaround implemented on it (Disable SSLv3)?
Thanks,
Rob Miele
Hi Rob,
According to the bug:
All versions of desktop AnyConnect for Mac OS X and Linux prior to 3.1.00495 are vulnerable, so AnyConnect 3.1.06.073 is safe from the POODLE vulnerability.
On AnyConnect you can disable SSL by using IKEv2 instead of the SSL protocols; however, as the bug mentions, the client creates a parallel SSL tunnel to get updates and the profile from the router.
If you're asking about disabling SSLv3 on the router, unfortunately there is no code yet; the workaround is to disable the webvpn or upgrade the VPN client.
As well, here is the official advisory for the POODLE vulnerability on Cisco products.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
Hope it helps
- Randy
-
Sourcefire rule for CVE 2014-1692
Hi,
Please mention me the Sourcefire rule number for CVE 2014-1692.
Best Regards,
Jackson Ku
Hi,
Thanks for your reply. Do you mean no Sourcefire rule for CVE 2014-1692 currently, and we should raise a TAC case to request?
Best Regards,
Jackson -
Bash vulnerability bash CVE-2014-6271 on Cisco devices
Hi, all,
Anybody know whether any Cisco devices are vulnerable to the recent bash CVE-2014-6271? I am especially concerned about the ASA, which opens https to the public.
Thanks,
Have a look here:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_Bash_09252014.html
and here:
http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Under affected products. -
Is patch available for CVE-2014-3566?
Is patch available for CVE-2014-3566?
Update your OS X to the latest version plus any security updates.
Pete -
Bash bug CVE-2014-6271 patch availability?
Hi everyone, does anyone know if Oracle has released a patch for the bash bug? CVE-2014-6271 link below.
NVD - Detail
I'm looking for a patch on el5uek and el6uek I'm using: 2.6.39-400.126.1.el5uek, 2.6.39-400.21.1.el6uek.x86_64
thanks!
Check the following:
[root@vm110 ~]# yum -y install yum-security
[root@vm110 ~]# yum list-security | grep bash
This system is not registered with ULN.
You can use up2date --register to register.
ULN support will be disabled.
ELSA-2014-1293 security bash-3.2-33.el5.1.x86_64
[root@vm110 ~]# yum info-security ELSA-2014-1293
Loaded plugins: rhnplugin, security
This system is not registered with ULN.
You can use up2date --register to register.
ULN support will be disabled.
===============================================================================
bash security update
===============================================================================
Update ID : ELSA-2014-1293
Release : Oracle Linux 5
Type : security
Status : final
Issued : 2014-09-24
CVEs : CVE-2014-6271
Description : [4.1.2-15.1]
: - Check for fishy environment
: Resolves: #1141645
Solution : This update is available via the Unbreakable Linux Network (ULN)
: and the Oracle Public Yum Server. Details on how
: to use ULN or http://public-yum.oracle.com to
: apply this update are available at
: http://linux.oracle.com/applying_updates.html.
Rights : Copyright 2014 Oracle, Inc.
Severity : Critical
info-security done
[root@vm110 ~]# yum -y install bash-3.2-33.el5.1
If you cannot see the above and do not pay for a subscription, make sure you have correct yum repository setup.
See Oracle Public Yum Server for details.
To install:
[root@vm110 ~]# yum -y install bash-3.2-33.el5.1 -
Bash bug CVE-2014-6271 patch availability for OL4?
Hi,
Kindly advise how to download the CVE-2014-7169 CVE-2014-6271 security patches for Oracle Linux 4?
Rgds;
Shirley
Exactly the same way as you would for OL5, OL6 or OL7: either connect your machine to the Unbreakable Linux Network or public-yum.oracle.com and use the up2date tool to upgrade bash.
-
Are any versions of Firefox susceptible to the Heartbleed bug CVE-2014-0160?
Do any versions of Firefox use OpenSSL?
If so, which versions of Firefox would be vulnerable to the Heartbleed bug CVE-2014-0160 that has recently been identified?
As covered in:
http://heartbleed.com/
http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
An interesting article on the Heartbleed vulnerability and its probable extent
* http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/ -
Regarding CVE-2014-0510, the CVE only references 12.0.0.77; however, none of the updates since address this CVE. Is this vulnerability still outstanding in current versions?
Hi,
As far as I know, ir41_32.ax 4.51.16.3 for Intel Indeo Video 4.5 allows remote attackers to cause a denial of service (crash) via a crafted .avi file.
If you are not using the above version of Intel Indeo Video, then systems are not affected.
In addition, it is recommended to keep Windows machines fully patched.
More information for you:
Vulnerability Summary for CVE-2014-3735
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3735
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]