[CVE-2014-3566] SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability

Similar Messages

• SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability for Smart Switch SG200-26 26 Port

  Hi,
  I am having a SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability on my Smart Switch SG200-26 26Port. Does anyone know how to solve this vulnerability?

  Quick-link to the PSIRT verified Email Security (ESA) vulnerability information as well as workaround:-
  https://tools.cisco.com/bugsearch/bug/CSCur27131

• CSCur27617: AnyConnect vulnerable to POODLE attack (CVE-2014-3566) Win/Mac/Linux Question

  CSCur27617: AnyConnect vulnerable to POODLE attack (CVE-2014-3566) Win/Mac/Linux
  I wanted to know if the AnyConnect Secure Mobility Client would still be vulnerable to this if it was only connecting via SSL VPN (TLS) to an ASA that already has the workaround implemented on it (Disable SSLv3)?
  Thanks,
  Rob Miele

  Hi Rob , 
  According to the bug: 
  All versions of desktop AnyConnect for Mac OS X and Linux prior to 3.1.00495 are vulnerable , so Anyconnect 3.1.06.073 is safe from POODLE vulnerability 
  On the Anyconnect you can disable the SSL using Ikev2 instead of the SSL protocols , however as the bug mention , the client creates a paralel ssl tunnel to get updates and profile from the router.
  If you're asking to disable SSLv3 on the router , unfortunately there is not code yet , the workaround is to disable the webvpn or upgrade the VPN client.
  As well here is the officil advisory for the POODLE vulnerbility on Cisco Products.
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
  Hope it helps
  - Randy - 

• Is patch available for CVE-2014-3566?

  Is patch available for CVE-2014-3566?

  Update your OS X to the latest version plus any security updates.
  Pete

• Mitigting SSL v3 POODLE Vulnerability (CVE-2014-3566)

  Hi all,
  Another day, another vulnerability. Feel like we are swimming against the tide.
  Now, SSL v3 has been shown to be vulnerable (looks like a protocol issue, not an implementation issue, so patches are doubtful) and so I am looking at what we can do to mitigate this. Clients (such as IE, Firefox and Chrome (sort of)) can be set to disable SSL v3, but rolling this out across an Enterprise might not be that easy.
  In IIS (that would be running TMS) you can switch off SSL v3 via a reg edit, but are there any knock on effect? What about the web services built into CODECs, MCUs and other infrastructure devices - can SSL v3 be switched off?
  Look forward to the responses.
  Cheers
  Chris

  Hi All,
  This tidbit is not Cisco orientated per se, but some of you might find it useful (if you haven't found the info yourselves already (it's what I sent around to my team here):
  There are many things you can do to mitigate this vulnerability, as you can also disable SSL3 in various clients (although this might affect communication with legacy systems)
  Firefox – Version 34 (due for release at the end of November) will disable SSL v3 by default, but they have released a plug in that can disable this immediately. See https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
  IE – You can turn off SSL 3 from the Settings -->Internet Options --> Advanced --> Security, section however, if you find that the options to check SSL/TLS are greyed out (as they are on my machine), this maybe a hang over from previous security software installation.
  However, I will override this using GPO so domain joined PCs will have this setting updated. The GPO applied to the domain is:
  Computer Setting --> Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel --> Advanced Page --> Turn Off Encryption Support = TLS 1.0, TLS 1.1, and TLS 1.2 ONLY
  Chrome – This is a little more difficult. It seem you can only do this at this moment in time by adding a switch to the start-up command (you can modify the shortcut on either Windows or Mac). Check out https://zmap.io/sslv3/browsers.html

• BUG #CSCur27131 - Evaluation of CVE-2014-3566 on Cisco Email Security Appliance

  I have raised a support case with TAC to try and get more information on the preferred config as well as what Ciphers then become available. Points raised in the support case are as follows:
  Current config based from existing artilce pre-POODLE > MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
  Should the new config be > MEDIUM:HIGH:-SSLv2:-SSLv3:-aNULL:@STRENGTH
  Use of strength meaning that the Ciphers are ordered and presented strongest to weakest as negotiation should occur at the first mutually accepted cipher.
  What are the TLSv1 Ciphers used by Ironport (verify under sslconfig CLI appears only to list SSL ciphers)
  Finally, does the Ironport support or plan to support in the future TLSv1.1 and TLSv1.2 ciphers?
  Response from TAC so far is the same as the referenced article - https://tools.cisco.com/bugsearch/bug/CSCur27131 which doesn't address all my points
  Paul

  Negating SSLv2 and SSLv3 in the cipher suite has no effect as long as only enabled TLSv1 is enabled.
  And reordering ciphers by strength won't bring anything since the client's ciphers order will always be preferred.
  Also, MD5 should be disabled as it's widely considered too weak for the job.
  My recommendation would be to use the following suite > HIGH:MEDIUM:!aNULL:!MD5

• CSCur27617 - AnyConnect vulnerable to POODLE attack and40;CVE-2014-3566

  Hello to all
  In CSCur27617 ist stated:
  Known Affected Releases:(1)3.1(5178)
  We are currently deploying 3.0.4235-k9
  Since this Vulnerability uses the SSL channel paralell to IPSec,
  I expect that 3.0.4235-k9 ist affected also.
  Ist this correct?
  Thanks Ernie

  Firmware 1.05.36 of MyCloud Mirror fixed that: http://community.wd.com/t5/WD-My-Cloud-Mirror/New-Release-My-Cloud-Mirror-Firmware-Release-1-05-36-7-8-2015/td-p/886778

• Schannel and TLS 1.x padding vulnerability (CVE-2014-8730)

  Hi all,
  Is the implementation of TLS by Microsoft Secure Channel (Schannel) (http://msdn.microsoft.com/en-us/library/windows/desktop/aa380123%28v=vs.85%29.aspx) affected by "CVE-2014-8730 TLS 1.x padding vulnerability"?
  Please see the following links for more details about this vulnerability:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730
  https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
  Is there a confirmation from Microsoft that Schannel is not affected by this vulnerability?
  Regards,
  Sanjay

  No, Microsoft SChannell is not affected.Only F5 products are affected:
  http://www.securityfocus.com/bid/71549
  Vadims Podāns, aka PowerShell CryptoGuy
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell File Checksum Integrity Verifier tool.
  i know some Windows 2008 System which are affected?! Why?

• OpenSSL SSL/TLS Man-In-The-Middle Injection Attack CVE-2014-0224

  Can some help me to fix Open SSL Issue in Windows server 2008 R2 CVE-2014-0224 , Please advice

  Hi,
  From the description on Open SSL site, it is fixed in newer versions so could you update to the new version?
  https://www.openssl.org/news/vulnerabilities.html
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
  CVE-2014-0224: 5th June 2014
  An attacker can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. (original advisory).
  Reported by KIKUCHI Masashi (Lepidum Co. Ltd.).
  Fixed in OpenSSL 1.0.1h (Affected 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
  Fixed in OpenSSL 1.0.0m (Affected 1.0.0l, 1.0.0k, 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0)
  Fixed in OpenSSL 0.9.8za (Affected 0.9.8y, 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8e, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8)
  If you have any feedback on our support, please send to [email protected]

• CVE-2014-6271 and CVE-2014-7169 / Oracle Linux

  Hi ,
  patches required to resolve the vulnerabilities described in CVE-2014-6271 and CVE-2014-7169 in Oracle linux 5 (x86) is "bash-3.2-33.el5_11.4.x86_64.rpm "
  from where i can get this patch, its not availible on support.oracle/patches !!
  Thanks,
  Thamer

  Your Oracle Linux system should be configured to automatically install packages either from the Unbreakable Linux Network or public-yum.oracle.com. You might want to ask your Linux sysadmin for assistance if your servers aren't already configured for updates.
  You can also check Chapter 1 and Chapter 2 of the Oracle Linux Administrator's Guide for more details on using ULN or public-yum: Oracle® Linux (it's for OL6 but the concepts are the same for OL5).

• Use TLS instead of SSL in Oracle AS WebCache 10g (10.1.2)

  Hi,
  We use Oracle AS Webcache as a reverse proxy for all our OAS/ADF web applications.
  Our sysadmin blocked SSL v3 icw POODLE vulnerability. Is there any way we can use TLS (1.2) instead of SSL in the Oracle Webcache 10g?
  Many thanks,
  Abraham

  We are having the same issue on production environment.
  Since Thursday 20th november 2014, Google Chrome does not allow connections to websites using SSLv3. This is because the POODLE vulnerability as described here: https://www.us-cert.gov/ncas/alerts/TA14-290A
  I've already followed the configuration on My Oracle Support (Doc ID 1936300.1) without success. But i didn't applied the Critical Patchs Updates yet as the presented note Doc ID 405972.1.
  I'm wondering if you found any workarround for this problem or if we can help each other. I believe we are not alone.
  Thanks,
  Jeison.

• Are you aware about bash security issue CVE-2014-6271 ? Do you have a patch for that? The problem may exist in all Solaris versions.

  Are you aware about bash security issue CVE-2014-6271 ? Do you have a patch for that? The problem may exist in all Solaris versions.

  The official communication is now posted to
      https://blogs.oracle.com/security/entry/security_alert_cve_2014_7169

• PCI Compliance Azure Websites (CVE-2014-6321)

  Trying to gain PCI compliance of an azure website. Trustwave scan came back as a pass apart from the following:-
  Vulnerability in Security Channel Could Allow Remote Code Execution (MS14-066)/CVE-2014-6321
  Anything I can do? It's post 443 - we have a EV SSL certificate in IP Based SSL.

  I just had a conversation with Trustwave and they are going to disable this check while they figure out a detection without this false positive, so your scans should be fine now. Thank you Trustwave for such a quick response and turn around!

• Bash bug  CVE-2014-6271 patch availability?

  Hi everyone, does anyone know if Oracle has released a patch for the bash bug?  CVE-2014-6271 link below.
  NVD - Detail
  I'm looking for a patch on el5uek and el6uek I'm using: 2.6.39-400.126.1.el5uek, 2.6.39-400.21.1.el6uek.x86_64
  thanks!

  Check the following:
  [root@vm110 ~]# yum -y install yum-security
  [root@vm110 ~]# yum list-security | grep bash
  This system is not registered with ULN.
  You can use up2date --register to register.
  ULN support will be disabled.
  ELSA-2014-1293 security bash-3.2-33.el5.1.x86_64
  [root@vm110 ~]# yum info-security ELSA-2014-1293
  Loaded plugins: rhnplugin, security
  This system is not registered with ULN.
  You can use up2date --register to register.
  ULN support will be disabled.
  ===============================================================================
     bash security update
  ===============================================================================
    Update ID : ELSA-2014-1293
      Release : Oracle Linux 5
         Type : security
       Status : final
       Issued : 2014-09-24
         CVEs : CVE-2014-6271
  Description : [4.1.2-15.1]
              : - Check for fishy environment
              :   Resolves: #1141645
     Solution : This update is available via the Unbreakable Linux Network (ULN)
              : and the Oracle Public Yum Server. Details on how
              : to use ULN or http://public-yum.oracle.com to
              : apply this update are available at
              : http://linux.oracle.com/applying_updates.html.
       Rights : Copyright 2014 Oracle, Inc.
     Severity : Critical
  info-security done
  [root@vm110 ~]# yum -y install bash-3.2-33.el5.1
  If you cannot see the above and do not pay for a subscription, make sure you have correct yum repository setup.
  See Oracle Public Yum Server for details.
  To install:
  [root@vm110 ~]# yum -y install bash-3.2-33.el5.1

• Bash bug  CVE-2014-6271 patch availability for OL4?

  Hi,
  Kindly advise how to download the CVE-2014-7169  CVE-2014-6271 security patches for Oracle Linux 4?
  Rgds;
  Shirley

  Exactly the same way as you would for OL5, OL6 or OL7: either connect your machine to the Unbreakable Linux Network or public-yum.oracle.com and use the up2date tool to upgrade bash.