[CVE-2014-3566] SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
Cisco is aware of the reported vulnerability and is currently investigating this report. Cisco is evaluating products to determine their exposure to this vulnerability.
Cisco has issued an official PSIRT notice for the SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
Please refer to the following information, as provided from our Product Security Incident Response Team (PSIRT):
SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at:
http://www.cisco.com/go/psirt
Quick-link to the PSIRT verified Email Security (ESA) vulnerability information as well as workaround:-
https://tools.cisco.com/bugsearch/bug/CSCur27131
Similar Messages
-
Hi,
I am having a SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability on my Smart Switch SG200-26 26Port. Does anyone know how to solve this vulnerability?Quick-link to the PSIRT verified Email Security (ESA) vulnerability information as well as workaround:-
https://tools.cisco.com/bugsearch/bug/CSCur27131 -
CSCur27617: AnyConnect vulnerable to POODLE attack (CVE-2014-3566) Win/Mac/Linux
I wanted to know if the AnyConnect Secure Mobility Client would still be vulnerable to this if it was only connecting via SSL VPN (TLS) to an ASA that already has the workaround implemented on it (Disable SSLv3)?
Thanks,
Rob MieleHi Rob ,
According to the bug:
All versions of desktop AnyConnect for Mac OS X and Linux prior to 3.1.00495 are vulnerable , so Anyconnect 3.1.06.073 is safe from POODLE vulnerability
On the Anyconnect you can disable the SSL using Ikev2 instead of the SSL protocols , however as the bug mention , the client creates a paralel ssl tunnel to get updates and profile from the router.
If you're asking to disable SSLv3 on the router , unfortunately there is not code yet , the workaround is to disable the webvpn or upgrade the VPN client.
As well here is the officil advisory for the POODLE vulnerbility on Cisco Products.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
Hope it helps
- Randy - -
Is patch available for CVE-2014-3566?
Is patch available for CVE-2014-3566?
Update your OS X to the latest version plus any security updates.
Pete -
Mitigting SSL v3 POODLE Vulnerability (CVE-2014-3566)
Hi all,
Another day, another vulnerability. Feel like we are swimming against the tide.
Now, SSL v3 has been shown to be vulnerable (looks like a protocol issue, not an implementation issue, so patches are doubtful) and so I am looking at what we can do to mitigate this. Clients (such as IE, Firefox and Chrome (sort of)) can be set to disable SSL v3, but rolling this out across an Enterprise might not be that easy.
In IIS (that would be running TMS) you can switch off SSL v3 via a reg edit, but are there any knock on effect? What about the web services built into CODECs, MCUs and other infrastructure devices - can SSL v3 be switched off?
Look forward to the responses.
Cheers
ChrisHi All,
This tidbit is not Cisco orientated per se, but some of you might find it useful (if you haven't found the info yourselves already (it's what I sent around to my team here):
There are many things you can do to mitigate this vulnerability, as you can also disable SSL3 in various clients (although this might affect communication with legacy systems)
Firefox – Version 34 (due for release at the end of November) will disable SSL v3 by default, but they have released a plug in that can disable this immediately. See https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
IE – You can turn off SSL 3 from the Settings -->Internet Options --> Advanced --> Security, section however, if you find that the options to check SSL/TLS are greyed out (as they are on my machine), this maybe a hang over from previous security software installation.
However, I will override this using GPO so domain joined PCs will have this setting updated. The GPO applied to the domain is:
Computer Setting --> Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel --> Advanced Page --> Turn Off Encryption Support = TLS 1.0, TLS 1.1, and TLS 1.2 ONLY
Chrome – This is a little more difficult. It seem you can only do this at this moment in time by adding a switch to the start-up command (you can modify the shortcut on either Windows or Mac). Check out https://zmap.io/sslv3/browsers.html -
BUG #CSCur27131 - Evaluation of CVE-2014-3566 on Cisco Email Security Appliance
I have raised a support case with TAC to try and get more information on the preferred config as well as what Ciphers then become available. Points raised in the support case are as follows:
Current config based from existing artilce pre-POODLE > MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
Should the new config be > MEDIUM:HIGH:-SSLv2:-SSLv3:-aNULL:@STRENGTH
Use of strength meaning that the Ciphers are ordered and presented strongest to weakest as negotiation should occur at the first mutually accepted cipher.
What are the TLSv1 Ciphers used by Ironport (verify under sslconfig CLI appears only to list SSL ciphers)
Finally, does the Ironport support or plan to support in the future TLSv1.1 and TLSv1.2 ciphers?
Response from TAC so far is the same as the referenced article - https://tools.cisco.com/bugsearch/bug/CSCur27131 which doesn't address all my points
PaulNegating SSLv2 and SSLv3 in the cipher suite has no effect as long as only enabled TLSv1 is enabled.
And reordering ciphers by strength won't bring anything since the client's ciphers order will always be preferred.
Also, MD5 should be disabled as it's widely considered too weak for the job.
My recommendation would be to use the following suite > HIGH:MEDIUM:!aNULL:!MD5 -
CSCur27617 - AnyConnect vulnerable to POODLE attack and40;CVE-2014-3566
Hello to all
In CSCur27617 ist stated:
Known Affected Releases:(1)3.1(5178)
We are currently deploying 3.0.4235-k9
Since this Vulnerability uses the SSL channel paralell to IPSec,
I expect that 3.0.4235-k9 ist affected also.
Ist this correct?
Thanks ErnieFirmware 1.05.36 of MyCloud Mirror fixed that: http://community.wd.com/t5/WD-My-Cloud-Mirror/New-Release-My-Cloud-Mirror-Firmware-Release-1-05-36-7-8-2015/td-p/886778
-
Schannel and TLS 1.x padding vulnerability (CVE-2014-8730)
Hi all,
Is the implementation of TLS by Microsoft Secure Channel (Schannel) (http://msdn.microsoft.com/en-us/library/windows/desktop/aa380123%28v=vs.85%29.aspx) affected by "CVE-2014-8730 TLS 1.x padding vulnerability"?
Please see the following links for more details about this vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
Is there a confirmation from Microsoft that Schannel is not affected by this vulnerability?
Regards,
SanjayNo, Microsoft SChannell is not affected.Only F5 products are affected:
http://www.securityfocus.com/bid/71549
Vadims Podāns, aka PowerShell CryptoGuy
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new:
PowerShell File Checksum Integrity Verifier tool.
i know some Windows 2008 System which are affected?! Why? -
OpenSSL SSL/TLS Man-In-The-Middle Injection Attack CVE-2014-0224
Can some help me to fix Open SSL Issue in Windows server 2008 R2 CVE-2014-0224 , Please advice
Hi,
From the description on Open SSL site, it is fixed in newer versions so could you update to the new version?
https://www.openssl.org/news/vulnerabilities.html
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
CVE-2014-0224: 5th June 2014
An attacker can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. (original advisory).
Reported by KIKUCHI Masashi (Lepidum Co. Ltd.).
Fixed in OpenSSL 1.0.1h (Affected 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
Fixed in OpenSSL 1.0.0m (Affected 1.0.0l, 1.0.0k, 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0)
Fixed in OpenSSL 0.9.8za (Affected 0.9.8y, 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8e, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8)
If you have any feedback on our support, please send to [email protected] -
CVE-2014-6271 and CVE-2014-7169 / Oracle Linux
Hi ,
patches required to resolve the vulnerabilities described in CVE-2014-6271 and CVE-2014-7169 in Oracle linux 5 (x86) is "bash-3.2-33.el5_11.4.x86_64.rpm "
from where i can get this patch, its not availible on support.oracle/patches !!
Thanks,
ThamerYour Oracle Linux system should be configured to automatically install packages either from the Unbreakable Linux Network or public-yum.oracle.com. You might want to ask your Linux sysadmin for assistance if your servers aren't already configured for updates.
You can also check Chapter 1 and Chapter 2 of the Oracle Linux Administrator's Guide for more details on using ULN or public-yum: Oracle® Linux (it's for OL6 but the concepts are the same for OL5). -
Use TLS instead of SSL in Oracle AS WebCache 10g (10.1.2)
Hi,
We use Oracle AS Webcache as a reverse proxy for all our OAS/ADF web applications.
Our sysadmin blocked SSL v3 icw POODLE vulnerability. Is there any way we can use TLS (1.2) instead of SSL in the Oracle Webcache 10g?
Many thanks,
AbrahamWe are having the same issue on production environment.
Since Thursday 20th november 2014, Google Chrome does not allow connections to websites using SSLv3. This is because the POODLE vulnerability as described here: https://www.us-cert.gov/ncas/alerts/TA14-290A
I've already followed the configuration on My Oracle Support (Doc ID 1936300.1) without success. But i didn't applied the Critical Patchs Updates yet as the presented note Doc ID 405972.1.
I'm wondering if you found any workarround for this problem or if we can help each other. I believe we are not alone.
Thanks,
Jeison. -
Are you aware about bash security issue CVE-2014-6271 ? Do you have a patch for that? The problem may exist in all Solaris versions.
The official communication is now posted to
https://blogs.oracle.com/security/entry/security_alert_cve_2014_7169 -
PCI Compliance Azure Websites (CVE-2014-6321)
Trying to gain PCI compliance of an azure website. Trustwave scan came back as a pass apart from the following:-
Vulnerability in Security Channel Could Allow Remote Code Execution (MS14-066)/CVE-2014-6321
Anything I can do? It's post 443 - we have a EV SSL certificate in IP Based SSL.I just had a conversation with Trustwave and they are going to disable this check while they figure out a detection without this false positive, so your scans should be fine now. Thank you Trustwave for such a quick response and turn around!
-
Bash bug CVE-2014-6271 patch availability?
Hi everyone, does anyone know if Oracle has released a patch for the bash bug? CVE-2014-6271 link below.
NVD - Detail
I'm looking for a patch on el5uek and el6uek I'm using: 2.6.39-400.126.1.el5uek, 2.6.39-400.21.1.el6uek.x86_64
thanks!Check the following:
[root@vm110 ~]# yum -y install yum-security
[root@vm110 ~]# yum list-security | grep bash
This system is not registered with ULN.
You can use up2date --register to register.
ULN support will be disabled.
ELSA-2014-1293 security bash-3.2-33.el5.1.x86_64
[root@vm110 ~]# yum info-security ELSA-2014-1293
Loaded plugins: rhnplugin, security
This system is not registered with ULN.
You can use up2date --register to register.
ULN support will be disabled.
===============================================================================
bash security update
===============================================================================
Update ID : ELSA-2014-1293
Release : Oracle Linux 5
Type : security
Status : final
Issued : 2014-09-24
CVEs : CVE-2014-6271
Description : [4.1.2-15.1]
: - Check for fishy environment
: Resolves: #1141645
Solution : This update is available via the Unbreakable Linux Network (ULN)
: and the Oracle Public Yum Server. Details on how
: to use ULN or http://public-yum.oracle.com to
: apply this update are available at
: http://linux.oracle.com/applying_updates.html.
Rights : Copyright 2014 Oracle, Inc.
Severity : Critical
info-security done
[root@vm110 ~]# yum -y install bash-3.2-33.el5.1
If you cannot see the above and do not pay for a subscription, make sure you have correct yum repository setup.
See Oracle Public Yum Server for details.
To install:
[root@vm110 ~]# yum -y install bash-3.2-33.el5.1 -
Bash bug CVE-2014-6271 patch availability for OL4?
Hi,
Kindly advise how to download the CVE-2014-7169 CVE-2014-6271 security patches for Oracle Linux 4?
Rgds;
ShirleyExactly the same way as you would for OL5, OL6 or OL7: either connect your machine to the Unbreakable Linux Network or public-yum.oracle.com and use the up2date tool to upgrade bash.
Maybe you are looking for
-
Archiving in Reciever file adapter
Hi . can any one plz help me in <b>archiving file's in reciever file adapter</b> . thanks shakif
-
Urgent: Reports Output File location on 9iAS -Repost:
Hi, Reference my earlier posts last one appended below: 1- Jun 12, 2006 6:39 AM 2- Jun 13, 2006 10:08 PM Please help me my manager is now getting upset. Or at least point me to the list of documents that I should study to sort this problem out. Thank
-
Using G4 iTunes to connect to pre-amp
Is the headphone port my only way of sending iTunes to my pre-amp? If not, can I use the firewire or a USB port (or something else)? Will I get better signal quality by using the latter?
-
how to get elive tab
-
"I did fresh restore, reset all setting and reboot the issue still there. I hope Apple don't forget us to solve this issue soon