Mitigting SSL v3 POODLE Vulnerability (CVE-2014-3566)

Hi all,
Another day, another vulnerability. Feel like we are swimming against the tide.
Now, SSL v3 has been shown to be vulnerable (looks like a protocol issue, not an implementation issue, so patches are doubtful) and so I am looking at what we can do to mitigate this. Clients (such as IE, Firefox and Chrome (sort of)) can be set to disable SSL v3, but rolling this out across an Enterprise might not be that easy.
In IIS (that would be running TMS) you can switch off SSL v3 via a reg edit, but are there any knock on effect? What about the web services built into CODECs, MCUs and other infrastructure devices - can SSL v3 be switched off?
Look forward to the responses.
Cheers
Chris

Hi All,
This tidbit is not Cisco orientated per se, but some of you might find it useful (if you haven't found the info yourselves already (it's what I sent around to my team here):
There are many things you can do to mitigate this vulnerability, as you can also disable SSL3 in various clients (although this might affect communication with legacy systems)
Firefox – Version 34 (due for release at the end of November) will disable SSL v3 by default, but they have released a plug in that can disable this immediately. See https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
IE – You can turn off SSL 3 from the Settings -->Internet Options --> Advanced --> Security, section however, if you find that the options to check SSL/TLS are greyed out (as they are on my machine), this maybe a hang over from previous security software installation.
However, I will override this using GPO so domain joined PCs will have this setting updated. The GPO applied to the domain is:
Computer Setting --> Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel --> Advanced Page --> Turn Off Encryption Support = TLS 1.0, TLS 1.1, and TLS 1.2 ONLY
Chrome – This is a little more difficult. It seem you can only do this at this moment in time by adding a switch to the start-up command (you can modify the shortcut on either Windows or Mac). Check out https://zmap.io/sslv3/browsers.html

Similar Messages

  • CSCur27617: AnyConnect vulnerable to POODLE attack (CVE-2014-3566) Win/Mac/Linux Question

    CSCur27617: AnyConnect vulnerable to POODLE attack (CVE-2014-3566) Win/Mac/Linux
    I wanted to know if the AnyConnect Secure Mobility Client would still be vulnerable to this if it was only connecting via SSL VPN (TLS) to an ASA that already has the workaround implemented on it (Disable SSLv3)?
    Thanks,
    Rob Miele

    Hi Rob , 
    According to the bug: 
    All versions of desktop AnyConnect for Mac OS X and Linux prior to 3.1.00495 are vulnerable , so Anyconnect 3.1.06.073 is safe from POODLE vulnerability 
    On the Anyconnect you can disable the SSL using Ikev2 instead of the SSL protocols , however as the bug mention , the client creates a paralel ssl tunnel to get updates and profile from the router.
    If you're asking to disable SSLv3 on the router , unfortunately there is not code yet , the workaround is to disable the webvpn or upgrade the VPN client.
    As well here is the officil advisory for the POODLE vulnerbility on Cisco Products.
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
    Hope it helps
    - Randy - 

  • OpenSSL vulnerability CVE-2014-0224

    My customer want to know whether ASE is affected by the following OpenSSL vulnerability in http://www.openssl.org/news/secadv_20140605.txt
          SSL/TLS MITM vulnerability (CVE-2014-0224),
          DTLS recursion flaw (CVE-2014-0221)
          DTLS invalid fragment vulnerability (CVE-2014-0195)
          SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
          SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
          Anonymous ECDH denial of service (CVE-2014-3470)
    Can you help me to confirm the above question?

    You have clearly double posted this question in two groups.
    So the first question goes back to you.
    Are you Running SAP Applications on ASE, if so this is not the proper group?

  • Is patch available for CVE-2014-3566?

    Is patch available for CVE-2014-3566?

    Update your OS X to the latest version plus any security updates.
    Pete

  • [CVE-2014-3566] SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability

    Cisco is aware of the reported vulnerability and is currently investigating this report.  Cisco is evaluating products to determine their exposure to this vulnerability.
    Cisco has issued an official PSIRT notice for the SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
    Please refer to the following information, as provided from our Product Security Incident Response Team (PSIRT):
    SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
    Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at:
    http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html 
    This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at:
    http://www.cisco.com/go/psirt

    Quick-link to the PSIRT verified Email Security (ESA) vulnerability information as well as workaround:-
    https://tools.cisco.com/bugsearch/bug/CSCur27131

  • Schannel and TLS 1.x padding vulnerability (CVE-2014-8730)

    Hi all,
    Is the implementation of TLS by Microsoft Secure Channel (Schannel) (http://msdn.microsoft.com/en-us/library/windows/desktop/aa380123%28v=vs.85%29.aspx) affected by "CVE-2014-8730 TLS 1.x padding vulnerability"?
    Please see the following links for more details about this vulnerability:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730
    https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
    Is there a confirmation from Microsoft that Schannel is not affected by this vulnerability?
    Regards,
    Sanjay

    No, Microsoft SChannell is not affected.Only F5 products are affected:
    http://www.securityfocus.com/bid/71549
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new:
    PowerShell File Checksum Integrity Verifier tool.
    i know some Windows 2008 System which are affected?! Why?

  • CSCuq79267 - UCS Apache 2.2 Vulnerability CVE-2014-0118

    I too am seeing this same behavior. Nessus has found this, and 3 other, vulnerabilities with the Apache version provided by the UCS platform.
    Any fixes in the works? We are currently running firmware 2.2(3c). The release notes for 2.2(3d) and 2.2(3e) do not address CVE-2014-0118.
    EDIT:
    2.2(3f) also does not address these vulnerabilities. Does the UCS version of Apache use the modules that are found faulty according to Nessus?
    Nessus is also reporting the following CVEs related to this one: CVE-2013-6438, CVE-2014-0098, CVE-2013-5704, CVE-2014-0226, and CVE-2014-0231.

    Hi,
    Please refer this links,
    Linux GHOST vulnerability (CVE-2015-0235) is not as scary as it looks | Symantec Connect
    https://rhn.redhat.com/errata/RHSA-2015-0090.html
    Regards,
    S27

  • NX-OS ( n7000-s1-dk9.5.1.3.bin ) BASH VULNERABILITY - CVE-2014-6271 and CVE-2014-7169

    Hi ,
    Nexus 7000 evaluation for CVE-2014-6271 and CVE-2014-7169 , I am referring below link to check for NX OS  - n7000-s1-dk9.5.1.3.bin
    https://tools.cisco.com/bugsearch/bug/CSCur04856
    5.1.3 is not mentioned in the affected list.Need help to know if 5.1 is affected with BASH Vulnerability .
    Thanks for help in advance .

    The concern with the bash shell is that services MAY be setup to run as
    users which use those shells, and therefore be able to have things
    injected into those shells. Nothing on NetWare uses bash by default,
    because NetWare is not anything like Linux/Unix in its use of shells.
    Sure, you can load bash for fun and profit on NetWare, but unless you
    explicitly request it the bash.nlm file is never used. On NetWare I do
    not think it is even possible to have any normal non-Bash environment
    variable somehow be exported/inherited into a bash shell, though I've
    never tried.
    Good luck.
    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  • Bash patch did not fix vulnerability CVE-2014-7169, please fix

    The latest patch for Bash bug that I just installed for Mavericks took care of the CVE-2014-6172 vulnerability though from my testing CVE-2014-7169 is still vulnerable.  Please fix all Bash vulnerabilities soon.

    Apple is on record as saying:
    The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," an Apple spokesperson told iMore. "Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.
    You do not appear to be running any of these advanced UNIX services, so can you tell us exactly what your concern is?
    Also, my testing shows that CVE-2014-7169 is fixed by using this test:
    env X='() { (a)=>\' sh -c "echo date"; cat echo; rm ./echo
    Did you forget to delete the file "echo" from your home folder by any chance?

  • CSCur27617 - AnyConnect vulnerable to POODLE attack and40;CVE-2014-3566

    Hello to all
    In CSCur27617 ist stated:
    Known Affected Releases:(1)3.1(5178)
    We are currently deploying 3.0.4235-k9
    Since this Vulnerability uses the SSL channel paralell to IPSec,
    I expect that 3.0.4235-k9 ist affected also.
    Ist this correct?
    Thanks Ernie

    Firmware 1.05.36 of MyCloud Mirror fixed that: http://community.wd.com/t5/WD-My-Cloud-Mirror/New-Release-My-Cloud-Mirror-Firmware-Release-1-05-36-7-8-2015/td-p/886778

  • IOS 7.06 SSL vulnerability CVE 2014-1266

    Apple begins to fix the problems with SSL validation that can lead to MITM attacks. If they choose to move a step further they can also validate a DN which corresponds to a Directory entry and enable another layer of security.  If certificates are going to be used for business and medical uses a failure to authenticate critical parts of the certificate detailed in RFC-5280 will lead to economic losses and potential medical errors.

    What is your question for us, your fellow users, in these user to user support forums?

  • BUG #CSCur27131 - Evaluation of CVE-2014-3566 on Cisco Email Security Appliance

    I have raised a support case with TAC to try and get more information on the preferred config as well as what Ciphers then become available. Points raised in the support case are as follows:
    Current config based from existing artilce pre-POODLE > MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
    Should the new config be > MEDIUM:HIGH:-SSLv2:-SSLv3:-aNULL:@STRENGTH
    Use of strength meaning that the Ciphers are ordered and presented strongest to weakest as negotiation should occur at the first mutually accepted cipher.
    What are the TLSv1 Ciphers used by Ironport (verify under sslconfig CLI appears only to list SSL ciphers)
    Finally, does the Ironport support or plan to support in the future TLSv1.1 and TLSv1.2 ciphers?
    Response from TAC so far is the same as the referenced article - https://tools.cisco.com/bugsearch/bug/CSCur27131 which doesn't address all my points
    Paul

    Negating SSLv2 and SSLv3 in the cipher suite has no effect as long as only enabled TLSv1 is enabled.
    And reordering ciphers by strength won't bring anything since the client's ciphers order will always be preferred.
    Also, MD5 should be disabled as it's widely considered too weak for the job.
    My recommendation would be to use the following suite > HIGH:MEDIUM:!aNULL:!MD5

  • DNS vulnerability - CVE-2014-8500

    Hello,
    I have an mavericks server. where DNS service is active.
    Have you got a patch for this security vulnerability (does not limit delegation chaining, which allows remote attackers to cause a denial of service) ?
    Thanks
    Gilles

    You can do nothing, or you can configure BIND to relay queries for external hosts to another server instead of resolving them recursively.

  • Windows Server 2008 CVE-2014-8730 vulnerability

    We've received our monthly vulnerability scan results on our production servers running Windows Server 2008 R2.
    They are showing vulnerability to TSL POODLE, which is the subject of CVE-2014-8730.
    In this article on Qualys, there is mention that Windows Server 2008 is vulnerable but Microsoft have not taken any action yet:
    https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
    Microsoft - We've seen reports that some older platforms (e.g., Windows 2008) appear vulnerable, but no apparent patterns or reliable information so far.
    Is there any update on this issue as it's an exploitable vulnerability we would like to remediate.
    Thanks,
    Lyndon.

    Hi Vivian,
    The article cited is about a different issue.
    In October 2014 there was an SSL v3 POODLE vulnerability, we have resolved this issue by disabling SSL v3 (as recommended).
    The article your posted specifically references that issue (the article was published in October 2014).
    In December 2014 there was another POODLE vulnerability announced that affected the TLS protocol.
    A lot of major vendors have published patches for this issue, but Microsoft are yet do do so (as far as I know).
    Hence by original question that has not been answered yet.
    Regards,
    Lyndon.

  • [CVE-2014-6271] IronPort appliances affected by recent bash vulnerability?

    http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x
    Discussion?

    Cisco has issued an official PSIRT notice for the GNU Bash Environmental Variable Command Injection Vulnerability (CVE-2014-6271), please refer all inquiries to:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
    Please refer to the expanded "Affected Products".
    The following Cisco products are currently under investigation:
    Cable Modems
    Cisco CWMS
    Network Application, Service, and Acceleration
    Cisco ACE GSS 4400 Series Global Site Selector
    Cisco ASA
    Cisco GSS 4492R Global Site Selector
    Network and Content Security Devices
    Cisco IronPort Encryption Appliance
    Cisco Ironport WSA
    Routing and Switching - Enterprise and Service Provider
    Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500
    Cisco ISM
    Cisco NCS6000
    Voice and Unified Communications Devices
    Cisco Finesse
    Cisco MediaSense
    Cisco SocialMiner
    Cisco Unified Contact Center Express (UCCX)
    Products and services listed in the subsections below have had their exposure to this vulnerability confirmed. Additional products will be added to these sections as the investigation continues.

Maybe you are looking for

  • Radio button to determine what text is put into the body of an email

    Hi all, I need some help with a radio button and java scripting. This is the code I'm using on a button with a mouse up event using Java script run at the client var oSubmit = this.resolveNode("$..#submit"); var cToAddr = "[email protected]"; var cCC

  • Where to upload images for use on my page?

    Hi, Where should I upload my images so I can use them in a HTML portlet? CU Jerome null

  • PS is crashing whilst printing - how to save prefs

    How do I export and import preferences? I need to trash them often because PS is crashing when I try and print. Suport only gave me this instruction and couldn;t figure out a solution - just trash my prefs. John

  • PO Output message types for different document types

    Hi, I wanted the system automatically generate the messages whenever a PO is created for different document types like NB,UB,Blanketorder, Pilot run. These are the steps i did...plz advice any more steps to make this work 1. the output type I am usin

  • Formula node to 2d array

    Hey there I have a problem with my formula Node. I want to recieve a pictue from my camera and generate a 2d-array of the greyscalevalues. That works so far. Now i recieve an array with values between 0 and 4096 (because I have a 12-Bit picture). Now