Mitigting SSL v3 POODLE Vulnerability (CVE-2014-3566)
Hi all,
Another day, another vulnerability. Feel like we are swimming against the tide.
Now, SSL v3 has been shown to be vulnerable (looks like a protocol issue, not an implementation issue, so patches are doubtful) and so I am looking at what we can do to mitigate this. Clients (such as IE, Firefox and Chrome (sort of)) can be set to disable SSL v3, but rolling this out across an Enterprise might not be that easy.
In IIS (that would be running TMS) you can switch off SSL v3 via a reg edit, but are there any knock on effect? What about the web services built into CODECs, MCUs and other infrastructure devices - can SSL v3 be switched off?
Look forward to the responses.
Cheers
Chris
Hi All,
This tidbit is not Cisco orientated per se, but some of you might find it useful (if you haven't found the info yourselves already (it's what I sent around to my team here):
There are many things you can do to mitigate this vulnerability, as you can also disable SSL3 in various clients (although this might affect communication with legacy systems)
Firefox – Version 34 (due for release at the end of November) will disable SSL v3 by default, but they have released a plug in that can disable this immediately. See https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
IE – You can turn off SSL 3 from the Settings -->Internet Options --> Advanced --> Security, section however, if you find that the options to check SSL/TLS are greyed out (as they are on my machine), this maybe a hang over from previous security software installation.
However, I will override this using GPO so domain joined PCs will have this setting updated. The GPO applied to the domain is:
Computer Setting --> Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel --> Advanced Page --> Turn Off Encryption Support = TLS 1.0, TLS 1.1, and TLS 1.2 ONLY
Chrome – This is a little more difficult. It seem you can only do this at this moment in time by adding a switch to the start-up command (you can modify the shortcut on either Windows or Mac). Check out https://zmap.io/sslv3/browsers.html
Similar Messages
-
CSCur27617: AnyConnect vulnerable to POODLE attack (CVE-2014-3566) Win/Mac/Linux
I wanted to know if the AnyConnect Secure Mobility Client would still be vulnerable to this if it was only connecting via SSL VPN (TLS) to an ASA that already has the workaround implemented on it (Disable SSLv3)?
Thanks,
Rob MieleHi Rob ,
According to the bug:
All versions of desktop AnyConnect for Mac OS X and Linux prior to 3.1.00495 are vulnerable , so Anyconnect 3.1.06.073 is safe from POODLE vulnerability
On the Anyconnect you can disable the SSL using Ikev2 instead of the SSL protocols , however as the bug mention , the client creates a paralel ssl tunnel to get updates and profile from the router.
If you're asking to disable SSLv3 on the router , unfortunately there is not code yet , the workaround is to disable the webvpn or upgrade the VPN client.
As well here is the officil advisory for the POODLE vulnerbility on Cisco Products.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
Hope it helps
- Randy - -
OpenSSL vulnerability CVE-2014-0224
My customer want to know whether ASE is affected by the following OpenSSL vulnerability in http://www.openssl.org/news/secadv_20140605.txt
SSL/TLS MITM vulnerability (CVE-2014-0224),
DTLS recursion flaw (CVE-2014-0221)
DTLS invalid fragment vulnerability (CVE-2014-0195)
SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
Anonymous ECDH denial of service (CVE-2014-3470)
Can you help me to confirm the above question?You have clearly double posted this question in two groups.
So the first question goes back to you.
Are you Running SAP Applications on ASE, if so this is not the proper group? -
Is patch available for CVE-2014-3566?
Is patch available for CVE-2014-3566?
Update your OS X to the latest version plus any security updates.
Pete -
Cisco is aware of the reported vulnerability and is currently investigating this report. Cisco is evaluating products to determine their exposure to this vulnerability.
Cisco has issued an official PSIRT notice for the SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
Please refer to the following information, as provided from our Product Security Incident Response Team (PSIRT):
SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at:
http://www.cisco.com/go/psirtQuick-link to the PSIRT verified Email Security (ESA) vulnerability information as well as workaround:-
https://tools.cisco.com/bugsearch/bug/CSCur27131 -
Schannel and TLS 1.x padding vulnerability (CVE-2014-8730)
Hi all,
Is the implementation of TLS by Microsoft Secure Channel (Schannel) (http://msdn.microsoft.com/en-us/library/windows/desktop/aa380123%28v=vs.85%29.aspx) affected by "CVE-2014-8730 TLS 1.x padding vulnerability"?
Please see the following links for more details about this vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
Is there a confirmation from Microsoft that Schannel is not affected by this vulnerability?
Regards,
SanjayNo, Microsoft SChannell is not affected.Only F5 products are affected:
http://www.securityfocus.com/bid/71549
Vadims Podāns, aka PowerShell CryptoGuy
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new:
PowerShell File Checksum Integrity Verifier tool.
i know some Windows 2008 System which are affected?! Why? -
CSCuq79267 - UCS Apache 2.2 Vulnerability CVE-2014-0118
I too am seeing this same behavior. Nessus has found this, and 3 other, vulnerabilities with the Apache version provided by the UCS platform.
Any fixes in the works? We are currently running firmware 2.2(3c). The release notes for 2.2(3d) and 2.2(3e) do not address CVE-2014-0118.
EDIT:
2.2(3f) also does not address these vulnerabilities. Does the UCS version of Apache use the modules that are found faulty according to Nessus?
Nessus is also reporting the following CVEs related to this one: CVE-2013-6438, CVE-2014-0098, CVE-2013-5704, CVE-2014-0226, and CVE-2014-0231.Hi,
Please refer this links,
Linux GHOST vulnerability (CVE-2015-0235) is not as scary as it looks | Symantec Connect
https://rhn.redhat.com/errata/RHSA-2015-0090.html
Regards,
S27 -
Hi ,
Nexus 7000 evaluation for CVE-2014-6271 and CVE-2014-7169 , I am referring below link to check for NX OS - n7000-s1-dk9.5.1.3.bin
https://tools.cisco.com/bugsearch/bug/CSCur04856
5.1.3 is not mentioned in the affected list.Need help to know if 5.1 is affected with BASH Vulnerability .
Thanks for help in advance .The concern with the bash shell is that services MAY be setup to run as
users which use those shells, and therefore be able to have things
injected into those shells. Nothing on NetWare uses bash by default,
because NetWare is not anything like Linux/Unix in its use of shells.
Sure, you can load bash for fun and profit on NetWare, but unless you
explicitly request it the bash.nlm file is never used. On NetWare I do
not think it is even possible to have any normal non-Bash environment
variable somehow be exported/inherited into a bash shell, though I've
never tried.
Good luck.
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below... -
Bash patch did not fix vulnerability CVE-2014-7169, please fix
The latest patch for Bash bug that I just installed for Mavericks took care of the CVE-2014-6172 vulnerability though from my testing CVE-2014-7169 is still vulnerable. Please fix all Bash vulnerabilities soon.
Apple is on record as saying:
The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," an Apple spokesperson told iMore. "Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.
You do not appear to be running any of these advanced UNIX services, so can you tell us exactly what your concern is?
Also, my testing shows that CVE-2014-7169 is fixed by using this test:
env X='() { (a)=>\' sh -c "echo date"; cat echo; rm ./echo
Did you forget to delete the file "echo" from your home folder by any chance? -
CSCur27617 - AnyConnect vulnerable to POODLE attack and40;CVE-2014-3566
Hello to all
In CSCur27617 ist stated:
Known Affected Releases:(1)3.1(5178)
We are currently deploying 3.0.4235-k9
Since this Vulnerability uses the SSL channel paralell to IPSec,
I expect that 3.0.4235-k9 ist affected also.
Ist this correct?
Thanks ErnieFirmware 1.05.36 of MyCloud Mirror fixed that: http://community.wd.com/t5/WD-My-Cloud-Mirror/New-Release-My-Cloud-Mirror-Firmware-Release-1-05-36-7-8-2015/td-p/886778
-
IOS 7.06 SSL vulnerability CVE 2014-1266
Apple begins to fix the problems with SSL validation that can lead to MITM attacks. If they choose to move a step further they can also validate a DN which corresponds to a Directory entry and enable another layer of security. If certificates are going to be used for business and medical uses a failure to authenticate critical parts of the certificate detailed in RFC-5280 will lead to economic losses and potential medical errors.
What is your question for us, your fellow users, in these user to user support forums?
-
BUG #CSCur27131 - Evaluation of CVE-2014-3566 on Cisco Email Security Appliance
I have raised a support case with TAC to try and get more information on the preferred config as well as what Ciphers then become available. Points raised in the support case are as follows:
Current config based from existing artilce pre-POODLE > MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
Should the new config be > MEDIUM:HIGH:-SSLv2:-SSLv3:-aNULL:@STRENGTH
Use of strength meaning that the Ciphers are ordered and presented strongest to weakest as negotiation should occur at the first mutually accepted cipher.
What are the TLSv1 Ciphers used by Ironport (verify under sslconfig CLI appears only to list SSL ciphers)
Finally, does the Ironport support or plan to support in the future TLSv1.1 and TLSv1.2 ciphers?
Response from TAC so far is the same as the referenced article - https://tools.cisco.com/bugsearch/bug/CSCur27131 which doesn't address all my points
PaulNegating SSLv2 and SSLv3 in the cipher suite has no effect as long as only enabled TLSv1 is enabled.
And reordering ciphers by strength won't bring anything since the client's ciphers order will always be preferred.
Also, MD5 should be disabled as it's widely considered too weak for the job.
My recommendation would be to use the following suite > HIGH:MEDIUM:!aNULL:!MD5 -
DNS vulnerability - CVE-2014-8500
Hello,
I have an mavericks server. where DNS service is active.
Have you got a patch for this security vulnerability (does not limit delegation chaining, which allows remote attackers to cause a denial of service) ?
Thanks
GillesYou can do nothing, or you can configure BIND to relay queries for external hosts to another server instead of resolving them recursively.
-
Windows Server 2008 CVE-2014-8730 vulnerability
We've received our monthly vulnerability scan results on our production servers running Windows Server 2008 R2.
They are showing vulnerability to TSL POODLE, which is the subject of CVE-2014-8730.
In this article on Qualys, there is mention that Windows Server 2008 is vulnerable but Microsoft have not taken any action yet:
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
Microsoft - We've seen reports that some older platforms (e.g., Windows 2008) appear vulnerable, but no apparent patterns or reliable information so far.
Is there any update on this issue as it's an exploitable vulnerability we would like to remediate.
Thanks,
Lyndon.Hi Vivian,
The article cited is about a different issue.
In October 2014 there was an SSL v3 POODLE vulnerability, we have resolved this issue by disabling SSL v3 (as recommended).
The article your posted specifically references that issue (the article was published in October 2014).
In December 2014 there was another POODLE vulnerability announced that affected the TLS protocol.
A lot of major vendors have published patches for this issue, but Microsoft are yet do do so (as far as I know).
Hence by original question that has not been answered yet.
Regards,
Lyndon. -
[CVE-2014-6271] IronPort appliances affected by recent bash vulnerability?
http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x
Discussion?Cisco has issued an official PSIRT notice for the GNU Bash Environmental Variable Command Injection Vulnerability (CVE-2014-6271), please refer all inquiries to:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Please refer to the expanded "Affected Products".
The following Cisco products are currently under investigation:
Cable Modems
Cisco CWMS
Network Application, Service, and Acceleration
Cisco ACE GSS 4400 Series Global Site Selector
Cisco ASA
Cisco GSS 4492R Global Site Selector
Network and Content Security Devices
Cisco IronPort Encryption Appliance
Cisco Ironport WSA
Routing and Switching - Enterprise and Service Provider
Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500
Cisco ISM
Cisco NCS6000
Voice and Unified Communications Devices
Cisco Finesse
Cisco MediaSense
Cisco SocialMiner
Cisco Unified Contact Center Express (UCCX)
Products and services listed in the subsections below have had their exposure to this vulnerability confirmed. Additional products will be added to these sections as the investigation continues.
Maybe you are looking for
-
Radio button to determine what text is put into the body of an email
Hi all, I need some help with a radio button and java scripting. This is the code I'm using on a button with a mouse up event using Java script run at the client var oSubmit = this.resolveNode("$..#submit"); var cToAddr = "[email protected]"; var cCC
-
Where to upload images for use on my page?
Hi, Where should I upload my images so I can use them in a HTML portlet? CU Jerome null
-
PS is crashing whilst printing - how to save prefs
How do I export and import preferences? I need to trash them often because PS is crashing when I try and print. Suport only gave me this instruction and couldn;t figure out a solution - just trash my prefs. John
-
PO Output message types for different document types
Hi, I wanted the system automatically generate the messages whenever a PO is created for different document types like NB,UB,Blanketorder, Pilot run. These are the steps i did...plz advice any more steps to make this work 1. the output type I am usin
-
Hey there I have a problem with my formula Node. I want to recieve a pictue from my camera and generate a 2d-array of the greyscalevalues. That works so far. Now i recieve an array with values between 0 and 4096 (because I have a 12-Bit picture). Now