iOS SSL Vulnerability

Can anyone point me to the right tech doc that discusses the SSL flaw? My iPod Touch runs the latest version of iOS 5 and I refuse to update to iOS 6.1.6. Does the flaw affect any version of iOS 5?

There was a post on that subject a couple of days ago. The flaw is not in iOS 5, only iOS 6 and iOS 7 prior to the most recent update.
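The flaw this thread is about (CVE-2014-1266, the one the "iOS 7.06 SSL vulnerability" post below refers to) was a duplicated, unconditional `goto fail;` in the TLS handshake code that verifies the signature on the ServerKeyExchange message: control jumped to the cleanup label while the error variable still held the success value from the preceding hashing step, so the final signature check never ran and a server presenting a key that was never certified was accepted, which is what makes the man-in-the-middle attack the posts mention possible. The C program below is an added illustration of that control-flow pattern, written for this page; it is not Apple's code. The hash and signature routines are toy stand-ins (a 32-bit FNV-1a digest, and a "signature" that is simply the expected digest), constructed so the example runs offline, and every function and sample name is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 4

/* Toy digest (32-bit FNV-1a) standing in for the hash of the
 * ServerKeyExchange parameters. Constructed for this example. */
static int hash_update(const uint8_t *msg, size_t len, uint8_t digest[DIGEST_LEN])
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= msg[i];
        h *= 16777619u;
    }
    for (int i = 0; i < DIGEST_LEN; i++)
        digest[i] = (uint8_t)(h >> (8 * (DIGEST_LEN - 1 - i)));
    return 0; /* 0 means success, matching the error convention of the handshake code */
}

/* Toy signature check: the "signature" is valid only if it equals the digest.
 * A real TLS stack verifies an RSA or ECDSA signature with the server's
 * certified public key at this point. */
static int verify_signature(const uint8_t digest[DIGEST_LEN], const uint8_t *sig, size_t siglen)
{
    if (siglen != DIGEST_LEN || memcmp(digest, sig, DIGEST_LEN) != 0)
        return -1; /* signature does not match */
    return 0;
}

/* Toy signer so callers can build a signature the scheme accepts. */
void sign_toy(const uint8_t *msg, size_t len, uint8_t sig[DIGEST_LEN])
{
    hash_update(msg, len, sig);
}

/* The vulnerable shape: the second "goto fail;" is indented to look like part
 * of the if body, but it is unconditional. Once hash_update succeeds, err is 0
 * and control jumps straight to fail, skipping verify_signature entirely. */
int verify_key_exchange_vulnerable(const uint8_t *msg, size_t len,
                                   const uint8_t *sig, size_t siglen)
{
    int err;
    uint8_t digest[DIGEST_LEN];

    if ((err = hash_update(msg, len, digest)) != 0)
        goto fail;
        goto fail; /* duplicated line: always taken */
    if ((err = verify_signature(digest, sig, siglen)) != 0)
        goto fail;

fail:
    return err; /* returns 0 (success) without ever checking the signature */
}

/* The corrected shape: every early exit is guarded, and braces keep the
 * control flow unambiguous even if a line is duplicated by accident. */
int verify_key_exchange_fixed(const uint8_t *msg, size_t len,
                              const uint8_t *sig, size_t siglen)
{
    int err;
    uint8_t digest[DIGEST_LEN];

    if ((err = hash_update(msg, len, digest)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(digest, sig, siglen)) != 0) {
        goto fail;
    }

fail:
    return err;
}

/* Constructed sample input: a pretend ServerKeyExchange body. */
static const uint8_t sample_msg[] = "ServerKeyExchange params (constructed sample)";

/* Each check returns 1 when the property it names holds. */
int vulnerable_accepts_bad_signature(void)
{
    uint8_t sig[DIGEST_LEN];
    sign_toy(sample_msg, sizeof sample_msg, sig);
    sig[0] ^= 0xFF; /* corrupt the signature, as one made with the wrong key would be */
    return verify_key_exchange_vulnerable(sample_msg, sizeof sample_msg, sig, DIGEST_LEN) == 0;
}

int fixed_rejects_bad_signature(void)
{
    uint8_t sig[DIGEST_LEN];
    sign_toy(sample_msg, sizeof sample_msg, sig);
    sig[0] ^= 0xFF;
    return verify_key_exchange_fixed(sample_msg, sizeof sample_msg, sig, DIGEST_LEN) != 0;
}

int fixed_accepts_good_signature(void)
{
    uint8_t sig[DIGEST_LEN];
    sign_toy(sample_msg, sizeof sample_msg, sig);
    return verify_key_exchange_fixed(sample_msg, sizeof sample_msg, sig, DIGEST_LEN) == 0;
}

int main(void)
{
    printf("vulnerable accepts corrupted signature: %s\n", vulnerable_accepts_bad_signature() ? "yes (broken)" : "no");
    printf("fixed rejects corrupted signature: %s\n", fixed_rejects_bad_signature() ? "yes" : "no (broken)");
    printf("fixed accepts valid signature: %s\n", fixed_accepts_good_signature() ? "yes" : "no (broken)");
    return 0;
}
```

Built with `cc -Wall goto_fail_demo.c`, the vulnerable variant reports the corrupted signature as valid while the fixed variant rejects it. The review lessons are the ones the bug made famous: brace every `if` body, enable unreachable-code warnings where the compiler offers them, and always test validation code with inputs that must be rejected, because a check that can never fail is invisible to tests that only feed it valid data.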

Similar Messages

  • SSL vulnerability

    I am currently investigating the recent SSL vulnerability announced by Cisco,
    http://www.cisco.com/en/US/products/products_security_advisory09186a0080847c49.shtml
    I would like to know if our SSL modules (WS-SVC-SSL-1) running version 3.1(1) are affected by this? I have checked the latest release notes for version 3.1(2) and there is no mention of the three bugs relating to this vulnerability.
    Can anyone please assist?

    Refer to the following release notes link for more details:
    http://www.cisco.com/en/US/products/hw/switches/ps708/prod_release_note09186a00805eceab.html

  • iOS 7.06 SSL vulnerability CVE 2014-1266

    Apple begins to fix the problems with SSL validation that can lead to MITM attacks. If they choose to move a step further they can also validate a DN which corresponds to a Directory entry and enable another layer of security.  If certificates are going to be used for business and medical uses a failure to authenticate critical parts of the certificate detailed in RFC-5280 will lead to economic losses and potential medical errors.

    What is your question for us, your fellow users, in these user to user support forums?

  • Cisco IOS SSL VPN Not Working - Internet Explorer

    Hi All,
    I seem to be having a strange SSL VPN issue.  I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7).  Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage".  It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens).  It only seems to work with Firefox.  It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
    Below is the config snippet:
    username vpntest password XXXXX
    aaa authentication login default local
    crypto pki trustpoint TP-self-signed-1873082433
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1873082433
    revocation-check none
    rsakeypair TP-self-signed-1873082433
    crypto pki certificate chain TP-self-signed-1873082433
    certificate self-signed 01
    --- omitted ---
            quit
    webvpn gateway SSLVPN
    hostname Router
    ip address X.X.X.X port 443 
    ssl encryption aes-sha1
    ssl trustpoint TP-self-signed-1873082433
    inservice
    webvpn context SSLVPN
    title "Blah Blah"
    ssl authenticate verify all
    login-message "Enter the magic words..."
    port-forward "PortForwardList"
       local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
    policy group SSL-Policy
       port-forward "PortForwardList" auto-download
    default-group-policy SSL-Policy
    gateway SSLVPN
    max-users 3
    inservice
    I've tried:
    *Enabling SSL 2.0 in IE
    *Adding the site to the Trusted Sites in IE
    *Adding it to the list of sites allowed to use Cookies
    At a loss to figure this out.  Has anyone else come across this before?  Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
    Thanks

    Hi,
    I would check where exactly it is failing, either in the SSL connection itself or something after that. The best way to do that is to run a Wireshark capture when you try to access the page using IE. You can compare this with a capture taken with Mozilla too, just to confirm the SSL is working fine.
    Also, can you try different SSL ciphers, as one difference between browsers is the ciphers they use? 3DES should be a good option to try.

  • IOS SSL VPN application issues

    Hi,
    I have setup WEBVPN with the SSL client on a Cisco 2811. The WebVPN gateway is via a loopback address on the router, so I NAT port 443 to this address as it enters the ADSL interface.
    Everything works great apart from when I try to access an internal address on the router itself (such as the internal LAN 192.168.0.1).
    If I try to telnet to this address I connect but then spurious characters appear and the session hangs. I also cannot access the CME web pages via this address.
    I have tried disabling CEF to see if some weird internal issue is the problem but that did not fix it.
    Anyone else experienced this?
    Thanks
    Scott

    Farrukh,
    As requested please see related config below:
    aaa new-model
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authentication login sdm_vpn_xauth_ml_2 local
    aaa authentication login sdm_vpn_xauth_ml_3 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    ip cef
    crypto pki trustpoint TP-self-signed-569873274
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-569873274
    revocation-check none
    rsakeypair TP-self-signed-569873274
    crypto pki certificate chain TP-self-signed-569873274
    certificate self-signed 01
    interface GigabitEthernet1/0
    description $SWDMADDR:192.168.0.2$
    ip address 10.0.0.1 255.255.255.0
    no ip route-cache cef
    interface GigabitEthernet1/0.1
    encapsulation dot1Q 1 native
    ip address 192.168.0.1 255.255.255.0
    ip access-group 100 in
    ip nat inside
    ip virtual-reassembly
    no ip route-cache same-interface
    interface GigabitEthernet1/0.20
    encapsulation dot1Q 20
    ip address 192.168.20.1 255.255.255.0
    ip helper-address 10.0.0.1
    no ip route-cache same-interface
    interface Dialer0
    description $FW_OUTSIDE$
    ip address negotiated
    ip access-group 101 in
    ip mtu 1452
    ip nat outside
    ip inspect SDM_LOW out
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ip local pool TEST 192.168.20.200 192.168.20.240
    ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    access-list 101 remark WEBVPN
    access-list 101 permit tcp any host 203.206.169.63 eq 443
    access-list 101 deny ip any any log
    route-map SDM_RMAP_1 permit 1
    match ip address 102
    webvpn gateway gateway_1
    ip address 203.206.169.63 port 443
    ssl trustpoint TP-self-signed-569873274
    inservice
    webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
    webvpn context Default_context
    ssl authenticate verify all
    no inservice
    webvpn context visicom
    secondary-color white
    title-color #669999
    text-color black
    ssl authenticate verify all
    url-list "WEB"
    heading "Welcome"
    url-text "OWA" url-value "http://192.168.0.10/exchange"
    policy group policy_1
    url-list "WEB"
    functions svc-enabled
    svc address-pool "TEST"
    svc keep-client-installed
    svc rekey method new-tunnel
    svc split include 192.168.0.0 255.255.255.0
    svc split include 192.168.20.0 255.255.255.0
    svc split include 10.10.10.0 255.255.255.0
    default-group-policy policy_1
    aaa authentication list sdm_vpn_xauth_ml_3
    gateway gateway_1
    inservice

  • IOS SSL VPN WITH RADIUS Authorization

    Hi
    I'm trying to authenticate and authorize the users logging into SSLVPN via ACS, and although the ACS logs and the "TEST" command on the router show successful authentication, I receive the following debug:
    *Jun  6 22:39:50.157: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4346
    Rack1R1(config)#                          
    *Jun  6 22:40:09.409: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4357
    Rack1R1(config)#                          
    *Jun  6 22:40:21.409: WV-AAA: AAA authentication request sent for user: "SSLUSER"
    *Jun  6 22:40:21.409: RADIUS/ENCODE(00000000):Orig. component type = INVALID
    *Jun  6 22:40:21.409: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
    *Jun  6 22:40:21.409: RADIUS(00000000): Config NAS IP: 150.1.1.1
    *Jun  6 22:40:21.409: RADIUS(00000000): sending
    *Jun  6 22:40:21.409: RADIUS(00000000): Send Access-Request to 10.0.0.100:1645 id 1645/27, len 60
    *Jun  6 22:40:21.409: RADIUS:  authenticator AC 16 B3 54 46 72 37 05 - 4C 00 19 21 81 97 40 6E
    *Jun  6 22:40:21.409: RADIUS:  User-Name           [1]   16  "SSLUSER@SSLVPN"
    Rack1R1(config)#                          
    *Jun  6 22:40:21.409: RADIUS:  User-Password       [2]   18  *
    *Jun  6 22:40:21.409: RADIUS:  NAS-IP-Address      [4]   6   150.1.1.1                
    *Jun  6 22:40:21.669: RADIUS: Received from id 1645/27 10.0.0.100:1645, Access-Accept, len 282
    *Jun  6 22:40:21.669: RADIUS:  authenticator 2D 2C B0 39 89 4C 41 88 - 40 32 E2 09 0D 7F 6B 0C
    *Jun  6 22:40:21.669: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255          
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  28 
    *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   22  "webvpn:svc-enabled=1"
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  29 
    *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   23  "webvpn:svc-required=1"
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  50 
    *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   44  "webvpn:split-include=6.6.6.0 255.255.255.0"
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  35 
    *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   29  "webvpn:keep-svc-installed=1"
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  31 
    *Jun  6 22:40:21.669: RADIUS:   Cisco AVpair       [1]   25  "webvpn:addr-pool=SSLVPN"
    *Jun  6 22:40:21.669: RADIUS:  Vendor, Cisco       [26]  41 
    *Jun  6 22:40:21.669: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    *Jun  6 22:40:21.669: RADIUS:  Class               [25]  36 
    *Jun  6 22:40:21.669: RADIUS:   43 41 43 53 3A 30 2F 34 37 30 2F 39 36 30 31 30  [CACS:0/470/96010]
    *Jun  6 22:40:21.669: RADIUS:   31 30 31 2F 53 53 4C 55 53 45 52 40 53 53 4C 56  [101/SSLUSER@SSLV]
    *Jun  6 22:40:21.669: RADIUS:   50 4E                                            [PN]
    *Jun  6 22:40:21.673: RADIUS(00000000): Received from id 1645/27
    *Jun  6 22:40:21.673: RADIUS(00000000): Unique id not in use
    Rack1R1(config)#                          
    *Jun  6 22:40:21.673: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
    *Jun  6 22:40:21.673: AAA/AUTHOR (0x0): Pick method list 'RAD'
    Rack1R1(config)#                          
    *Jun  6 22:40:23.673: WV-AAA: AAA Authentication Failed!
    Rack1R1(config)#                          
    *Jun  6 22:40:24.069: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: SSLVPN i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at 10.0.0.100:4359
    Rack1R1(config)# 
    Router configuration:
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Rack1R1
    boot-start-marker
    boot-end-marker
    ! card type command needed for slot/vwic-slot 0/1
    logging message-counter syslog
    enable password cisco
    aaa new-model
    aaa authentication login RAD group radius
    aaa authorization network RAD group radius
    aaa session-id common
    dot11 syslog
    ip source-route
    ip cef
    no ip domain lookup
    ip domain name INE.com
    ip host cisco.com 136.1.121.1
    ip host www.cisco.com 136.1.121.1
    ip host www.google.com 136.1.121.1
    ip host www.ripe.net 136.1.121.1
    no ipv6 cef
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-3354934498
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3354934498
    revocation-check none
    rsakeypair TP-self-signed-3354934498
    crypto pki certificate chain TP-self-signed-3354934498
    certificate self-signed 01
      30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 33333534 39333434 3938301E 170D3132 30363036 31333030
      32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33353439
      33343439 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100B1E5 889BEB9A 31DFC0D4 7C7F698F 0F52E404 0849263A BD443A96 13C6A440
      DCBD4345 EF301E91 0D4AADD9 3C2A17F2 E26E5E96 90F96809 D8FCCF32 7EB58100
      74E4772C 6395E03C 1B7F1AF5 482F861F DD62D079 F9977FE2 0E544E18 5FAAF290
      DF665B45 EF10D3EC D924E87A 5F827F07 06DE8961 F361C3FA EDBE5F68 452221C8
      B9570203 010001A3 6F306D30 0F060355 1D130101 FF040530 030101FF 301A0603
      551D1104 13301182 0F526163 6B315231 2E494E45 2E636F6D 301F0603 551D2304
      18301680 140B00B8 FD9B58CF 8A6F51BE 25DEC6C5 85E14495 05301D06 03551D0E
      04160414 0B00B8FD 9B58CF8A 6F51BE25 DEC6C585 E1449505 300D0609 2A864886
      F70D0101 04050003 81810006 4192E2DB ABAF533E 9C4BF24E DF6BFD45 144A6AE9
      C874E311 27B23E7B E8DB18C3 4FFB4ACA 4B09F63E 62501578 D8F58D73 D08F016F
      49C99B8D DA1073E5 A141C1C7 505BD191 FC58EA7F 54BD9B98 579E1726 7C1CA619
      A45DDABC 8F315EE9 D20A30A8 2BD5D67D B744BD69 353B4670 E5BA4540 47059E60
      9DC4C940 E91AACBB 4EAFFA
            quit
    username admin privilege 15 password 0 admin
    username SSLUSER@SSLVPN password 0 cisco
    archive
    log config
      hidekeys
    crypto ipsec client ezvpn EZVPN_CLIENT
    connect auto
    mode client
    xauth userid mode interactive
    ip tcp synwait-time 5
    interface Loopback0
    ip address 150.1.1.1 255.255.255.0
    interface Loopback6
    ip address 6.6.6.6 255.255.255.0
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    interface FastEthernet0/1.11
    encapsulation dot1Q 12
    ip address 136.1.11.1 255.255.255.0
    interface FastEthernet0/1.121
    encapsulation dot1Q 121
    ip address 136.1.121.1 255.255.255.0
    interface FastEthernet0/0/0
    interface FastEthernet0/0/1
    interface FastEthernet0/0/2
    interface FastEthernet0/0/3
    interface Virtual-Template1 type tunnel
    no ip address
    tunnel mode ipsec ipv4
    interface Vlan1
    no ip address
    router rip
    version 2
    passive-interface FastEthernet0/1.11
    network 136.1.0.0
    network 150.1.0.0
    no auto-summary
    ip local pool SSLVPN 40.0.0.1 40.0.0.254
    ip forward-protocol nd
    ip route 10.0.0.0 255.255.255.0 136.1.121.12
    ip http server
    ip http secure-server
    ip dns server
    ip access-list extended SPLIT
    permit ip 136.1.11.0 0.0.0.255 10.0.0.0 0.0.0.255
    ip radius source-interface Loopback0
    radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
    control-plane
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    line vty 0 4
    password cisco
    scheduler allocate 20000 1000
    webvpn gateway SSLVPN
    ip interface Loopback0 port 443
    http-redirect port 80
    ssl encryption rc4-md5
    ssl trustpoint TP-self-signed-3354934498
    logging enable
    inservice
    webvpn install svc flash:/webvpn/anyconnect-win-2.5.3055-k9.pkg sequence 1
    webvpn context SSLVPN
    title "**SSLVPN  **"
    ssl encryption rc4-md5
    ssl authenticate verify all
    aaa authentication list RAD
    aaa authentication domain @SSLVPN
    aaa authorization list RAD
    gateway SSLVPN
    inservice
    end
    Any idea?

    Hi,
    As I understand it, you need to know if you can assign a static IP to a user, and also whether there is any other way of assigning an IP other than a local pool.
    There are three ways of assigning an IP address to a VPN client: using a local pool, an AAA server, or DHCP.
    You can use the following links for more information:
    Assigning a static IP for a user present locally on the ASA:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a7afb2.shtml
    For a user present in Active Directory:
    http://technet.microsoft.com/en-us/library/cc786213%28WS.10%29.aspx
    The following is the link for assigning an IP address using DHCP:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml
    I hope it helps.
    Thanks,
    Shilpa

  • IOS SSL VPN problem

    I am implementing an SSL VPN with IOS version 12.4(13r)T5 on a 2801, but when I try to connect in tunnel mode with the latest svc (anyconnect-win-2.2.0133-web-deploy-k9.exe) via https://1.2.3.4/tunnel, the SSL VPN client can't connect.
    The error on the router is:
    Jun 5 16:07:55.755: WV: Appl. processing Failed : 2
    Jun 5 16:07:55.755: WV: server side not ready to send.
    The following is the configuration:
    ip local pool WEBVPN 10.0.0.140 10.0.0.150 group vpn2
    webvpn gateway ISR2801-RM
    hostname ISR2801-RM
    ip address 1.2.3.4 port 443
    ssl trustpoint TP-self-signed-50153718
    inservice
    webvpn install svc flash:/webvpn/svc.pkg
    webvpn install csd flash:/webvpn/sdesktop.pkg
    webvpn context vpn1
    ssl authenticate verify all
    url-list "eng"
    url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
    policy group vpn1
    url-list "eng"
    default-group-policy vpn1
    gateway ISR2801-RM domain clientless
    inservice
    webvpn context vpn2
    ssl authenticate verify all
    policy group vpn2tunnel
    functions svc-enabled
    svc address-pool "WEBVPN"
    svc split include 10.0.0.2 255.255.255.255
    default-group-policy vpn2tunnel
    gateway ISR2801-RM domain tunnel
    inservice

    Thanks for the reply !!!!
    The configuration is the following:
    interface Ethernet 0
    ip address 10.0.0.128 255.255.255.0
    ip http secure-server
    ip local pool WEBVPN 10.0.0.140 10.0.0.150 group policy-sslvpn2
    webvpn gateway ISR2801-RM
    hostname ISR2801-RM
    ip address 1.2.3.4 port 443
    ssl trustpoint TP-self-signed-50153718
    ssl encryption aes-sha1
    inservice
    webvpn install svc flash:/webvpn/svc.pkg
    webvpn install csd flash:/webvpn/sdesktop.pkg
    webvpn context context-sslvpn1
    ssl authenticate verify all
    user-profile location flash:webvpn/sslvpn/context-sslvpn1/
    url-list "eng"
    url-text "wwwin-eng" url-value "http://wwwin-eng.cisco.com"
    nbns-list cifs-servers
    nbns-server 172.16.1.1 master
    nbns-server 172.16.2.2 timeout 10 retries 5
    nbns-server 172.16.3.3 timeout 10 retries 5
    login-message "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on
    this device are logged and violations of this policy may result in disciplinary action."
    port-forward "portlist"
    local-port 30019 remote-server ssh-server remote-port 22 description SSH
    local-port 30020 remote-server mailserver remote-port 143 description IMAP
    local-port 30021 remote-server mailserver remote-port 110 description POP3
    local-port 30022 remote-server mailserver remote-port 25 description SMTP
    policy group policy-sslvpn1
    url-list "eng"
    port-forward "portlist"
    nbns-list "cifs-servers"
    functions file-access
    functions file-browse
    functions file-entry
    citrix enabled
    default-group-policy policy-sslvpn1
    gateway ISR2801-RM domain clientless
    inservice
    webvpn context context-sslvpn2
    ssl authenticate verify all
    user-profile location flash:webvpn/sslvpn/context-sslvpn2/
    policy group policy-sslvpn2
    functions svc-enabled
    svc address-pool "WEBVPN"
    svc keep-client-installed
    svc dpd-interval gateway 30
    svc dpd-interval client 300
    svc rekey method new-tunnel
    svc rekey time 3600
    svc split include 10.0.0.0 255.255.255.0
    svc default-domain cisco.com
    svc dns-server primary 192.168.3.1
    svc dns-server secondary 192.168.4.1
    default-group-policy policy-sslvpn2
    gateway ISR2801-RM domain tunnel
    inservice
    ISR2801-RM#show webvpn install status svc
    SSLVPN Package SSL-VPN-Client version installed:
    CISCO STC win2k+
    2,2,0133
    Mon 05/19/2008 12:58:52.34 v
    ISR2801-RM#
    WHEN I TRY TO CONNECT TO SSL CONTEXT 2 with a client:
    https://1.2.3.4/tunnel
    * the SSL client installed on the PC tells me it can't connect.
    * on the router, the log:
    Jun 6 10:28:08.283:
    Jun 6 10:28:08.283:
    Jun 6 10:28:08.283: WV: Entering APPL with Context: 0x6AA85130,
    Data buffer(buffer: 0x6C4B4280, data: 0xF5C043D8, len: 560,
    offset: 0, domain: 0)
    Jun 6 10:28:08.283: CONNECT /CSCOSSLC/tunnel HTTP/1.1
    Jun 6 10:28:08.283: Host: host4-234-static.105-80-b.business.telecomitalia.it
    Jun 6 10:28:08.283: User-Agent: Cisco AnyConnect VPN Agent for Windows 2.2.0133
    Jun 6 10:28:08.283: Cookie: webvpn=00@1566900393@00025@3421729574@3982902438@context-sslvpn2
    Jun 6 10:28:08.287: X-CSTP-Version: 1
    Jun 6 10:28:08.287: X-CSTP-Hostname: telefonicadata
    Jun 6 10:28:08.287: X-CSTP-Accept-Encoding: deflate;q=1.0
    Jun 6 10:28:08.287: X-CSTP-MTU: 1406
    Jun 6 10:28:08.287: X-CSTP-Address-Type: IPv6,IPv4
    Jun 6 10:28:08.287: X-DTLS-Master-Secret: 27EA2210E377A9E039E458FA604F523C69BEB2BF8D9B40334F72C9F424B83EE26C6D5D57D0F84419DC7A1139D3F08EE9
    Jun 6 10:28:08.287: X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
    Jun 6 10:28:08.287:
    Jun 6 10:28:08.291:
    Jun 6 10:28:08.291:
    Jun 6 10:28:08.291: WV: Appl. processing Failed : 2
    Jun 6 10:28:08.291: WV: server side not ready to send.
    SSLVPN sock pid 182 sid 161: closing

  • IOS SSL VPN

    hi all,
    I've been trying to set up an SSL VPN on my 1841 lab router, but with no luck. I tried both clientless (AnyConnect 2.5) and using a VPN client (AnyConnect 3.0).
    I'm using a Win 7 PC with IP 172.16.1.50 directly connected to the 1841's FE0/1 port. I tried disabling the PC firewall, used both IE and FF, and deleted cookies, but to no avail. Below are my config and some show and debug output. Could someone advise if my config is OK and what other steps I should take? Thanks in advance!
    SSL_VPN_GW#show webvpn gateway
    Gateway Name                       Admin  Operation
    SSL_VPN_GW                         up     up
    SSL_VPN_GW#show webvpn context
    Codes: AS - Admin Status, OS - Operation Status
           VHost - Virtual Host
    Context Name        Gateway  Domain/VHost      VRF      AS    OS
    SSL_VPN_CONTEXT     SSL_VPN_ -                 -        up    up
    SSL_VPN_GW#debug webvpn
    WebVPN debugs debugging is on
    SSL_VPN_GW#
    Jan 27 03:19:56.691: SSLVPN: [Q]Client side Chunk data written..
    buffer=0x649035B8 total_len=2033 bytes=2033 tcb=0x642479E8
    Jan 27 03:19:56.691: SSLVPN: Client side Chunk data written..
    buffer=0x64903598 total_len=1121 bytes=1121 tcb=0x642479E8
    Jan 27 03:19:56.691: SSLVPN: sslvpn process rcvd context queue event
    SSL_VPN_GW#
    Jan 27 03:21:15.711: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:21:15.715: SSLVPN: sslvpn process rcvd context queue event
    SSL_VPN_GW#
    Jan 27 03:21:20.775: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:21:20.779: SSLVPN: Entering APPL with Context: 0x647037A0,
              Data buffer(buffer: 0x649035D8, data: 0xE7201D98, len: 1,
              offset: 0, domain: 0)
    Jan 27 03:21:20.779: SSLVPN: Fragmented App data - buffered
    Jan 27 03:21:20.779: SSLVPN: Entering APPL with Context: 0x647037A0,
              Data buffer(buffer: 0x64903598, data: 0xE75C0BB8, len: 483,
              offset: 0, domain: 0)
    Jan 27 03:21:20.779: SSLVPN: Appl. processing Failed : 2
    Jan 27 03:21:20.779: SSLVPN: server side not ready to send.
    SSL_VPN_GW#
    Jan 27 03:21:50.879: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:21:50.883: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:21:50.887: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:21:50.887: SSLVPN: Entering APPL with Context: 0x647037A0,
              Data buffer(buffer: 0x64903598, data: 0xE75BD6B8, len: 1,
              offset: 0, domain: 0)
    Jan 27 03:21:50.887: SSLVPN: Fragmented App data - buffered
    Jan 27 03:21:50.887: SSLVPN: Entering APPL with Context: 0x647037A0,
              Data buffer(buffer: 0x649035D8, data: 0xE7203058, len: 483,
              offset: 0, domain: 0)
    Jan 27 03:21:50.887: SSLVPN: Appl. processing Failed : 2
    SSL_VPN_GW#
    Jan 27 03:21:50.887: SSLVPN: server side not ready to send.
    SSL_VPN_GW#
    Jan 27 03:22:20.367: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:22:20.367: SSLVPN: sslvpn process rcvd context queue event
    SSL_VPN_GW#
    Jan 27 03:22:21.791: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:22:21.795: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:22:21.799: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:22:21.799: SSLVPN: Entering APPL with Context: 0x64703988,
              Data buffer(buffer: 0x649035D8, data: 0xE7204718, len: 426,
              offset: 0, domain: 0)
    Jan 27 03:22:21.799: SSLVPN: Appl. processing Failed : 2
    Jan 27 03:22:21.799: SSLVPN: server side not ready to send.
    Jan 27 03:22:22.599: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:22:22.603: SSLVPN: sslvpn process rcvd context queue event
    SSL_VPN_GW#
    Jan 27 03:22:23.691: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:22:23.695: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:22:23.699: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:22:23.699: SSLVPN: Entering APPL with Context: 0x64703B70,
              Data buffer(buffer: 0x649035D8, data: 0xE7203058, len: 147,
              offset: 0, domain: 0)
    Jan 27 03:22:23.699: SSLVPN: http request: / with no cookie
    Jan 27 03:22:23.699: SSLVPN: Client side Chunk data written..
    buffer=0x64903598 total_len=196 bytes=196 tcb=0x642DA46C
    Jan 27 03:22:23.699: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:22:23.811: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:22:23.815: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:22:23.927: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:22:23.931: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:22:23.935: SSLVPN: sslvpn process rcvd context queue event
    Jan 27 03:22:23.935: SSLVPN: Entering APPL with Context: 0x64703F40,
              Data buffer(buffer: 0x649035D8, data: 0xE7204A58, len: 200,
              offset: 0, domain: 0)
    Jan 27 03:22:23.935: SSLVPN: http request: /webvpn.html with domain cookie
    SSL_VPN_GW#
    Jan 27 03:22:23.939: SSLVPN: [Q]Client side Chunk data written..
    buffer=0x64903598 total_len=2033 bytes=2033 tcb=0x640B5608
    Jan 27 03:22:23.939: SSLVPN: Client side Chunk data written..
    buffer=0x649035B8 total_len=1121 bytes=1121 tcb=0x640B5608
    Jan 27 03:22:23.939: SSLVPN: sslvpn process rcvd context queue event
    AnyConnect v3.0.0629
    [Sun Jan 27 11:46:15 2013] Contacting 172.16.1.254.
    [Sun Jan 27 11:46:38 2013] Connection attempt has failed.
    [Sun Jan 27 11:48:52 2013] Contacting 172.16.1.254.
    [Sun Jan 27 11:49:06 2013] Connection attempt has failed.
    [Sun Jan 27 11:52:16 2013] Network error. Unable to lookup host names.
    [Sun Jan 27 11:52:46 2013] Verify your network connection.
    [Sun Jan 27 11:52:53 2013] Network error. Unable to lookup host names.
    [Sun Jan 27 11:53:23 2013] Verify your network connection.
    SSL_VPN_GW#sh run
    Building configuration...
    Current configuration : 3203 bytes
    ! Last configuration change at 03:19:18 UTC Sun Jan 27 2013
    ! NVRAM config last updated at 02:52:22 UTC Sun Jan 27 2013
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname SSL_VPN_GW
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login SSL_VPN_AUTHENTICATION local
    aaa session-id common
    resource policy
    ip cef
    ip name-server 172.16.1.254
    crypto pki trustpoint TP-self-signed-514137430
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-514137430
    revocation-check none
    rsakeypair TP-self-signed-514137430
    crypto pki certificate chain TP-self-signed-514137430
    certificate self-signed 02
      30820240 308201A9 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
      30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 35313431 33373433 30301E17 0D313330 31323730 32353232
      325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
      532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3531 34313337
      34333030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
      BDB083BB AC2D3D47 E76A38C2 3CFE97F6 A70B07B6 3BC9EE89 D261AB83 EE78F03C
      E9719CB5 128C16F9 3AD658A5 49B3A220 1170C75C A15A5EA8 4FCBF4E4 42DF67B0
      9B78BCDB 29C92794 9C932933 C978BB97 7F7B0B8C 19A37C14 B35B1937 415FA79E
      EE9D39B2 AFCF3502 1C8241E2 A6EF9369 AD02BD5F 7556030C 2B7B579F 659F433F
      02030100 01A36A30 68300F06 03551D13 0101FF04 05300301 01FF3015 0603551D
      11040E30 0C820A53 534C5F56 504E5F47 57301F06 03551D23 04183016 8014FBF5
      F3C6F2E1 1CFB888B BE2736A7 5151480C FCEB301D 0603551D 0E041604 14FBF5F3
      C6F2E11C FB888BBE 2736A751 51480CFC EB300D06 092A8648 86F70D01 01040500
      03818100 B85ECA67 B6302EFA A7E31A65 96836F44 F3AA3336 3580F231 E9C3BA4C
      2802EEE8 AADDFA1D BF4BB36A C21FCE3D 0960284E F58AD227 3FA9F1A0 CDF48A28
      9C1CE5BC EF3449D0 D3E8CC9C 7EDB7CFE 193477E0 4407E5F8 B7956546 2F4E5D61
      5E542E6D 8A242B33 C21C77BF 2BB9E366 E80DD4F0 7937FBC4 51D6E258 13157D13 870097BE
      quit
    username vpnuser password 0 cisco123
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 172.16.1.254 255.255.255.0
    duplex auto
    speed auto
    ip local pool SSL_VPN_POOL 192.168.1.10 192.168.1.150
    ip http server
    ip http secure-server
    control-plane
    line con 0
    exec-timeout 0 0
    logging synchronous
    line aux 0
    line vty 0 4
    scheduler allocate 20000 1000
    webvpn gateway SSL_VPN_GW
    ip address 172.16.1.254 port 443
    http-redirect port 80
    ssl encryption 3des-sha1 aes-sha1
    ssl trustpoint TP-self-signed-514137430
    inservice
    webvpn install svc flash:/webvpn/svc.pkg
    webvpn context SSL_VPN_CONTEXT
    ssl authenticate verify all
    policy group SSL_VPN_POLICY
       functions svc-enabled
       banner "Welcom to SSL VPN Lab"
       svc address-pool "SSL_VPN_POOL"
       svc keep-client-installed
    default-group-policy SSL_VPN_POLICY
    aaa authentication list SSL_VPN_AUTHENTICATION
    gateway SSL_VPN_GW
    inservice
    end

    Just an update: when I tried a different encryption under the webvpn gateway config, it seemed to work (clientless).
    I guess my Windows 7 machine doesn't like the stronger encryption types.
    SSL_VPN_GW(config-webvpn-gateway)#no ssl encryption 3des-sha1 aes-sha1
    SSL_VPN_GW(config-webvpn-gateway)#ssl encryption rc4-md5
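    The workaround above trades 3DES/AES for RC4 with an MD5 MAC, which is exactly the kind of change a configuration review should catch. As an added example (not code from this thread or from Cisco), the following Python script parses the webvpn gateway block of an IOS config and reports cipher keywords a reviewer would flag; the config text is constructed from the thread, and the weak-cipher list and reasons are this example's own assumptions.

```python
import re

# Constructed copies of the gateway block from the thread: the original
# cipher list and the state after the workaround. Indentation is IOS style.
GATEWAY_BEFORE = """\
webvpn gateway SSL_VPN_GW
 ip address 172.16.1.254 port 443
 http-redirect port 80
 ssl encryption 3des-sha1 aes-sha1
 ssl trustpoint TP-self-signed-514137430
 inservice
"""
GATEWAY_AFTER = GATEWAY_BEFORE.replace("3des-sha1 aes-sha1", "rc4-md5")

# IOS cipher keywords this example flags, with the reason (assumed policy).
# Keywords not listed here (e.g. aes-sha1) are treated as acceptable.
WEAK = {
    "rc4-md5": "RC4 stream cipher with an MD5 MAC",
    "rc4-sha1": "RC4 stream cipher",
    "3des-sha1": "3DES, a 64-bit block cipher",
}

def parse_gateway_ciphers(config_text):
    """Map each webvpn gateway name to the cipher keywords on its
    'ssl encryption' line. A gateway with no such line keeps IOS
    defaults and is reported with an empty list."""
    gateways, current = {}, None
    for line in config_text.splitlines():
        top = re.match(r"webvpn gateway (\S+)", line)
        if top:
            current = top.group(1)
            gateways[current] = []
        elif not line.startswith(" "):
            current = None          # any other top-level command ends the block
        elif current is not None:
            sub = re.match(r"\s+ssl encryption (.+)", line)
            if sub:
                gateways[current] = sub.group(1).split()
    return gateways

def audit_ciphers(config_text):
    """Return (gateway, cipher, reason) for every weak cipher keyword found."""
    return [
        (gw, c, WEAK[c])
        for gw, ciphers in parse_gateway_ciphers(config_text).items()
        for c in ciphers
        if c in WEAK
    ]

if __name__ == "__main__":
    for label, cfg in (("before", GATEWAY_BEFORE), ("after", GATEWAY_AFTER)):
        for gw, cipher, reason in audit_ciphers(cfg):
            print(f"{label}: gateway {gw} offers {cipher}: {reason}")
```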

  • WCS Ver 6 SSL vulnerability

    I am getting an audit result of my Windows based WCS 6 server, the following error must be corrected, and several others are notification only at present, but they may be increased in the future:
    (Moderate risk)
    IETF X.509 Certificate Signature Collision Vulnerability
    (Attention)
    Web Server Supports Weak SSL Encryption Certificates
    TLS/SSL/X.509 Certificate All Fields Enumeration
    SSL/TLS X.509 Certificate Server Name Mismatch
    Now, I cannot get a signed certificate. (I had to beg to get the money for a cert on the WLC box)  If I create a self signed certificate (OpenSSL) will that eliminate the audit points, or is there some other error in the SSL implementation that cannot be changed?  I am not an expert at this, so I don't want to screw around with the certificates unless I know it will work without breaking my system.
    Thanks,
    Gene

    Can you please provide your WCS logs with level trace as well as a screenshot of your issue?

  • OSX and iOS bug breaks SSL

    This type of massive security lapse by Apple does make me question why I've been going to all the hassle and expense of running an OSX, SSL only, family email server for the last few years.
    http://www.crowdstrike.com/blog/details-about-apple-ssl-vulnerability-and-ios-706-patch/index.html
    http://www.theregister.co.uk/2014/02/21/apple_patches_ios_ssl_vulnerability/
    IOS update available but no OSX update yet.
    https://support.apple.com/kb/HT6147

    Here is a simple shell script that will automate this for you. Copy the content into a file named wififixer.sh (as an example). Then from a terminal window you can run it as:
    $ sh wififixer.sh
    The code:
    #!/bin/sh
    # This code is being released to Public Domain.
    # THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
    # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    # ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
    # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    # SUCH DAMAGE.
    # The purpose of this program script is to find the default gateway
    # and continuously ping it every 15 seconds, in order to workaround
    # Apple's BUG in their Wifi (AES) framework/driver, where Wifi
    # connectivity is lost without continuous packet exchange.
    # This BUG has been persistent in iOS 6 onward. It was also introduced
    # with release of MacOS Mavericks 10.9.x.
    # Reference: https://discussions.apple.com/message/24119041#24119041
    # Find the IPv4 default gateway in the routing table (first match only,
    # matched on the destination column so "default" elsewhere in a line is ignored).
    gw=$(netstat -rn -f inet | awk '$1 == "default" {print $2; exit}')
    # If not found in the routing table, print a message and exit.
    test -z "${gw}" && echo "No (default) Gateway found." && exit 1
    # Ping the gateway every 15 seconds until interrupted (Ctrl-C).
    ping -i 15 "${gw}"

  • HeartBleed vulnerability on AnyConnect for iOS

    Does anyone have additional information on this vulnerability? This security post: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
    tells us that "Cisco AnyConnect Secure Mobility Client for iOS" is an affected product, but doesn't tell us what versions are at risk.

    The build with this fix has been posted to the iTunes store.
    AnyConnect for Apple iOS 3.0.09353 is now available for download from the Apple App Store
    Resolves CSCuo17488 – AnyConnect for iOS is vulnerable to CVE-2014-0160 – Heartbleed
    Download: https://itunes.apple.com/us/app/cisco-anyconnect/id392790924
    Release notes: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3-0-iOS.html
    ** Please note the two upgrade instructions pasted below which are applicable to all upgrades of AnyConnect software on Apple iOS
    Disconnect AnyConnect connection before upgrading
    Please make sure your AnyConnect VPN is disconnected when you upgrade. Otherwise, you may fail to connect after the upgrade with the following error: "Could not connect to VPN server, Please verify internet connectivity and server address." This issue can be fixed by a device reboot.
    Apple iOS Connect On Demand Considerations
    To ensure proper establishment of Connect On Demand VPN tunnels after updating AnyConnect, users must manually start the AnyConnect app and establish a connection. If this is not done, upon the next iOS system attempt to establish a VPN tunnel, the error message "The VPN Connection requires an application to start up" will display.

  • Newly Occurring CSS SSL Issue in Chrome, FF10, IE9 with L5 rules; 3 second delay, loss of L5 stickiness

    We recently started suffering an issue with our CSS11501S-K9 units not performing URL stickiness on our SSL wrapped L5 rules.  I've spent dozens of manhours working on the problem, and have quite a bit of information to report, including a solution.  There is a high probability that anybody who uses SSL to an L5 rule on a CSS unit will become affected by this problem over the next few weeks/months as users update their browsers with new SSL patches.  
    We hadn't made any changes to our config in months, and eliminated hardware problems by testing a second unit. 
    Here are the exact symptoms we saw:
      Browsers affected: Firefox 10, Chrome, IE9, others (and some earlier versions of IE depending on patch levels)
      Browsers not affected: FireFox 3.5, w3m 0.5.2, curl7.19.7
      Impact 1: For SSL Rules backed by L5 rules, the initial response to the first request would be 3 seconds.  Further requests on the same TCP connection would not be delayed
      Impact 2: L5 rules being accessed via SSL would no longer perform any URL based stickiness.  Accessing the same rule skipping SSL would work fine
    I focused on the 3 second delay, since that was a new issue and was easier to debug than monitoring multiple servers to see if stickiness was broken.  This is what I found when a client tries to connect to an SSL rule that ultimately is routed to a L5 HTTP rule:
    1. Client/CSS perform initial TLS handshake, crypto ciphers determined (nearly instantly)
    2. Client sends HTTP 1.1 request for resource (nearly instantly)
    3. 3 seconds of no traffic in or out of the CSS related to this request
    4. CSS opens an HTTP connection to backend webserver, backend webserver responds (nearly instantly)
    5. The CSS seems to route to the backend server using the balance method (round-robin) instead of the advanced-balance method (url)
    6. Response is sent to the client with the resource (nearly instantly)
    7. Future requests sent from the browser on the same TCP connection have no delay, but the advanced-balance continues to be ignored
    The 3 seconds is quite an exact figure (within a few milliseconds) and appears to be entirely happening inside of the CSS unit itself, since it does not connect to the backend server until after the 3 seconds elapse.  3 seconds smelled like some sort of internal timeout set in the CSS unit after it gives up waiting for something.
    Looking at the packets from affected browsers I discovered that the GET /foobar HTTP/1.1 request was being broken into two separate TLSv1 application messages, the first was 24 bytes and the second was 400 bytes.  Decrypting these messages I found the first message was a
    G
    and the second message was:
    ET /foobar HTTP/1.1
    This essentially splits the initial request the client is sending into two pieces.  This confuses wireshark so much, it doesn't decode this as a HTTP request, and just decodes it as "continuation or non-HTTP traffic".
    On the working browsers I saw only one TLSv1 application message, decrypting it I saw:
    GET /foobar HTTP/1.1
    (obviously I'm simplifying the contents of the request, there were lots of headers and stuff)
    I am aware that the CSS can't handle L5 rules appropriately if they get fragmented, so I suspected this was the problem.  I pulled a packet trace from a few years ago, and at that time confirmed we never saw double TLSv1 application messages before.
    A number of openssl vulnerabilities were recently fixed: http://www.ubuntu.com/usn/usn-1357-1
    and browsers may have been recently updated to fix some of these issues, changing the way they encode their traffic. 
    Solution:
    Our ssl config looked something like this:
    ssl-proxy-list SSL_ACCEL
      ssl-server 10 vip address XX.XX.XX.XX
      ssl-server 10 rsakey XXXX
      ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
      ssl-server 10 cipher rsa-with-rc4-128-sha XX.XX.XX.XX 80
      ssl-server 10 cipher rsa-with-rc4-128-md5 XX.XX.XX.XX 80
      ssl-server 10 unclean-shutdown
      ssl-server 10 rsacert XXXXXX
    Removing:
      ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
    Solves the problem.  After that's removed, the browsers will no longer fragment the first character of their request into a separate TLSv1 message.  The 3 second delay goes away, and L5 stickiness is fixed.  The "CBC" in the cipher refers to Cipher Block Chaining (a great article here:
    http://en.wikipedia.org/wiki/Cipher-block_chaining), and breaking the payload into multiple packages may have been an attempt to initialize the IV for encryption -- although I'm really just guessing, I stopped researching once I verified this solution was acceptable.
    This issue became serious enough for us to notice first on Monday Feb 13th 2012. We believe a number of our large customers distributed workstation updates over the weekend.  The customers affected were using IE7, although my personal IE7 test workstation did not appear to be affected.  It's quite possible our customers were going through an SSL proxy.  I suspect as more people upgrade their browsers, this will become a more serious issue for CSS users, and I hope this saves somebody a huge headache and problems with their production environment.
    -Joe

    Hi Joe,
    That's a very good analysis you did.
    As you already suspected, the issue comes from the TLS record fragmentation feature that was introduced in the latest browser versions to overcome an SSL vulnerability (http://www.kb.cert.org/vuls/id/864643). Unfortunately, similar issues are happening with multiple products.
    For CSS, the bug tracking this issue is CSCtx68270. The development team is actively working on a fix for it, which should be available (in an interim software release, so to get it you will have to go through TAC) in the next couple of weeks.
    In the meantime, as a workaround, you can configure the CSS to use only RC4 ciphers (which is what you were suggesting also). These are not affected by the vulnerability, so browsers don't apply the record fragmentation when they are in use. This workaround has been tested by several customers already, and the results seem to be very positive.
    Regards
    Daniel
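    The split Joe decrypted (one record carrying "G", the next carrying "ET /foobar HTTP/1.1 ...") and the record fragmentation Daniel describes are what a layer-5 parser has to cope with. As an added example, not code from this thread or from Cisco, the following Python models both behaviours: a parser that inspects only the first application-data record and so cannot find the URL, and one that buffers records until the request line is complete. TLS record framing is constructed inline over already-decrypted plaintext, so no cipher, MAC or padding is involved.

```python
import struct

APPLICATION_DATA = 23          # TLS content type for application data
TLS1_0 = (3, 1)                # record-layer version bytes for TLSv1

def tls_records(payloads, version=TLS1_0):
    """Frame each plaintext payload as one TLS record: type, version, length, body.
    Constructed for the example; real records would also carry MAC and padding."""
    out = b""
    for body in payloads:
        out += bytes([APPLICATION_DATA, *version]) + struct.pack("!H", len(body)) + body
    return out

def iter_records(stream):
    """Yield (content_type, body) for each record in a byte stream of TLS records."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _major, _minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        yield ctype, body
        off += 5 + length

def _url_from_request_line(buf):
    """Return the request URL once a full request line is buffered, else None."""
    if b"\r\n" not in buf:
        return None
    parts = buf.split(b"\r\n", 1)[0].split(b" ")
    return parts[1].decode() if len(parts) == 3 else None

def url_first_record_only(stream):
    """Parse the first application-data record in isolation. This is the
    behaviour that sees a lone 'G', finds no URL and falls back to round-robin."""
    for ctype, body in iter_records(stream):
        if ctype == APPLICATION_DATA:
            return _url_from_request_line(body)
    return None

def url_reassembled(stream):
    """Buffer application-data records until the request line is complete."""
    buf = b""
    for ctype, body in iter_records(stream):
        if ctype != APPLICATION_DATA:
            continue
        buf += body
        url = _url_from_request_line(buf)
        if url is not None:
            return url
    return None

# Constructed request; the 1-byte split mirrors what patched browsers sent.
REQUEST = b"GET /foobar HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SPLIT_STREAM = tls_records([REQUEST[:1], REQUEST[1:]])   # "G" then "ET /foobar ..."
WHOLE_STREAM = tls_records([REQUEST])                      # older browsers: one record
```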

  • JTDS not connecting with SQL Server 2008 R2 SP2 + SSL with Java 6 U34-35

    Environment:
    Windows 7 Pro 32-bit
    SQL Server 2008 R2 SP2 (Forced Encryption = Yes, No Certificate provided to server)
    Java 6 Update 27-35 and Java 7 Update 2-7
    jTDS 1.2.2 and 1.2.6
    Under the following setup, our Java application is able to connect to the SQL Server database:
    - SQL Server 2008 R2 SP2
    - Java 6 Update 27-33 or Java 7 Update 2-5
    just switching the JVM to the following would cause the application to be unable to connect to the database:
    - Java 6 Update 34 or 35, or Java 7 Update 6 or 7
    Browsing through the Java 6 Update 34 release notes, it looks like nothing big was changed, so I'm wondering what has changed with Java 6 U34 and Java 7 U6. I was also looking through a packet sniffer, and indeed the behavior of Java 6 Update 33 and lower was different from Java 6 Update 34 (although I couldn't understand the messages being passed, the number of connections and messages were different).
    * This is different from the issue with Java 6 Update 29-30 and Java 7 wherein they were patched for the BEAST SSL vulnerability. That was fixed with the SP2 patch for SQL Server 2008 R2, and for SQL Server 2008 you'd need a hotfix aside from SP3. After patching the server with those updates, Java 6 Update 29-33 and Java 7 U1-5 should be able to connect to the database.
    * If I do switch off Force Encryption, all Java versions are able to connect to the database.
    Edited by: user1357749 on Oct 12, 2012 1:20 AM

    Hi,
    It's four months later, but my colleague and I have reproduced the same behavior in both our commercial product, and a very simple example class. It's exactly as you describe it, where the latest versions of both Java 6 and 7 (and several previous versions) hang during the first jTDS SQL query to the DB (immediately after the SSL and handshake). It also happens with the Microsoft JDBC driver.
    If you disable the BEAST SSL fix (-Djsse.enableCBCProtection=false), then the connections work without any problems. So, while this is different from the original BEAST SSL problem and subsequent fix, it really seems like some additional changes were made to the fix in a later Java release that broke things.
    My colleague has filed a bug with Oracle, and is awaiting a response. We also filed a bug at the jTDS project (#690 - http://sourceforge.net/p/jtds/bugs/690/) that has simple reproduction steps. A contributor at the jTDS project agrees that this seems to be a problem with the JRE, and is not specific to jTDS.
    I hope that Oracle will address this issue soon. We need to periodically update the JRE due to vulnerabilities, and we need to have SSL for our JDBC connections for security reasons. This bug puts us and others in a difficult position.

  • Advice on what IOS I should upgrade a 4503 to

    Hi everyone,
    We have a 4503 with current version 12.2(25)EWA10.
    As per the link below, Cisco says the current IOS is vulnerable.
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090908-tcp24
    They did not say what IOS I should upgrade this switch to.
    Can anyone tell me what the recommended IOS is to fix the above bug?
    Regards
    Mahesh

    Hi Mahesh,
    For Sup II+ the latest 12.2 version on CCO is:
    12.2.31-SGA11
    cat4500-ipbase-mz.122-31.SGA11.bin
    There is also IOS 15,
    cat4500-ipbase-mz.150-2.SG7.bin
    but it may be buggy.  I would stay with 12.2xx for now.
    For both images you need 64Mb flash and 256Mb memory.
    http://software.cisco.com/download/release.html?mdfid=278299256&flowid=3489&softwareid=280805680&release=15.0.2-SG7&relind=AVAILABLE&rellifecycle=ED&reltype=latest
    HTH
    Reza

  • #Goto Fail vulnerability - flash 0-day

    I have a newbie question, because I think I may have been pwned as a consequence of the "goto fail" SSL vulnerability still in effect in Mavericks OS X.  Here's the discussion on Twitter where Nicholas Weaver and the grugq note how simple the exploit would be.  Has anyone else experienced a closed, sleeping computer playing a few notes of a mariachi tune?  Expert comments would be most welcome, since I really don't know what I'm dealing with here. 
    Thanks.

    I admit it is strange. That would mean that your computer was on with the lid closed.
    Could it have been the standard "Installation Complete" jingle? You know, the one where you install an app and when it finishes and says complete it makes that little song noise?
    The good thing is OSX logs EVERYTHING!
    If the machine did wake up it is logged. Go to About This Mac, then More Info, then the System Report button.
    Now scroll down under where it says Software. Look for "Logs"; once that loads, click on "Power Management Logs". This will tell you every time your computer has gone to sleep or woken up.
