RRAS, SSTP and POODLE Vulnerability

Similar Messages

• POODLE Vulnerability and AMS configuration in Adapator.xml

  Hi,
  I am looking for some recommendation and guidance on how to ban AMS from using SSlV3 in with RTMPS clients. I know about that there's a configuration in Adaptor.xml called
  "SSLCipherSuite" which should be able to somehow prevent a specific protocol, but the Adobe documentation recommends contacting with Adobe before changing that configuration.
  So I was wondering if Adobe has any official recommendation to prevent RTMPS client from using SSLV3. Could someone please point me to the right direction?
  Thanks
  -Irtiza

  When will it be released?
  I can not comment on that...
  How will it support older browsers?
  Well most likely it will disable SSLv3 support from within the application. So you will not need to change anything in AMS ocnfiguration.
  All browsers which work on TLS 1.0 and higher will continue to work as they were working till now.
  Note that even in current release, if your browsers support TLS then TLS would be preferred mode of connection  and you will not be exposed to SSLv3 attack.
  Even today, POODLE vulnerability exists only if you are working on those browsers which do not support TLS.
  That said, you must upgrade your openssl to 1.0.1j, because prior to that a hacker could exploit a hack in openssl so that even if your endpoints supports TLS, it can hack and make the connection protocol get downgraded to SSLv3...openssl to 1.0.1j fixes this downgrade protocol attack..
  The steps to compile openssl for AMS are available in public domain..please google and compile openssl for yourself and drop that openssl in your AMS installation.
  Openssl consists of two files libeay32.dll and ssleay32.dll on windows  AND libssl.so.1.0.0 and libcrypto.so.1.0.0 on Linux...

• Disable SSLv3 on Exchange 2010 server (Poodle Vulnerability)

  Following the recommendation to mitigate the Poodle vulnerability, we tried disabling SSLv3 and making sure that users had TLS 1.1 and 1.2 enabled on their browsers.
  We used IIScrypt to turn off SSLv3 (v2 was already disabled from before).
  Now, OWA works fine, and users are able to connect via the Web.
  Internally, users are also able to connect with Outlook 2010/2013.
  however, users are not able to connect via Outlook from outside (Outlook anywhere)
  In the event viewer you get an error:
  A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.
  I opened a ticket with Microsoft but the lady working on the case wanted us to re-enable SSLv2 which is out of the question.
  Anybody has seen this issue as well?

  Hi Max
  could you provide the steps to turn off SSLv3 . Is it from the registry
  http://support.microsoft.com/kb/187498 ?
  Mat A
  Yes. Copy and paste this into a text file and save as a .reg file, then double click on the file to add to the registry of the server
  Windows Registry Editor Version 5.00
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
  "DisabledByDefault"=dword:00000001
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
  "Enabled"=dword:00000000
  Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

• POODLE vulnerability - ASA 5520

  Hi
  I would like to know if my firewalls ASA 5520 (Cisco Adaptive Security Appliance Version 8.4(6), 8.2(1)) are vulnerables to the Poodle vulnerability.
  Which workaround should i do??? it would have any impact in my VPN or servers DMZ????
  Thanks...

  Hi ,
  Both these  ASA versions are vulnerable 
  Conditions:
  The default configuration of SSL on all versions of the ASA enables SSLv3.
  Due to CSCug51375, the ASA is unable to disable SSLv3 on ASA v9.0.x and v9.1.1.x.
  To see the SSL configuration:
  show run all ssl
  Default configuration of the ASA:
  ssl client-version any
  ssl server-version any
  The following non-default configuration values also enable SSLv3:
  ssl client-version sslv3-only
  ssl client-version salve
  ssl server-version sslv3-only
  ssl server-version sslv3
  The following versions are vulnerable regardless of ssl configuration:
  * 9.0.x
  * 9.1.1.x
  Workaround:
  Disable SSLv3, write the changes to the startup-config.
  This workaround only applies to the following versions:
  * 7.x and later
  * 8.2 and later
  * 8.3 and later
  * 8.4 and later
  * 8.5 and later
  * 8.6 and later
  * 8.7 and later
  * 9.1.2 and later (with CSCug51375 fix)
  * 9.2.1 and later (with CSCug51375 fix)
  * 9.3.1 and later
  Use the following config-mode commands:
  ssl server-version tlsv1
  ssl client-version tlsv1-only
  There is no need to reboot. The configuration must be saved via "write memory".
  Here is the bug details CSCur23709
  Known fixed ASA versions 9.0(4.201) ,9.2(2.103),9.3(1.1)
  Thanks,
  Prashant Joshi

• [CVE-2014-3566] SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability

  Cisco is aware of the reported vulnerability and is currently investigating this report.  Cisco is evaluating products to determine their exposure to this vulnerability.
  Cisco has issued an official PSIRT notice for the SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
  Please refer to the following information, as provided from our Product Security Incident Response Team (PSIRT):
  SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
  Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at:
  http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html 
  This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at:
  http://www.cisco.com/go/psirt

  Quick-link to the PSIRT verified Email Security (ESA) vulnerability information as well as workaround:-
  https://tools.cisco.com/bugsearch/bug/CSCur27131

• Disabling SSL v3 in OAS10gR1 (9.0.4) to address Poodle vulnerability?

  Has anyone been able to get OAS10gR1 (9.0.4) to recognize a protocol other than SSLv3 – such as TLS? We know that this version of the OAS supports SSLv3 primarily – but we are attempting to address the SSLv3 Poodle Vulnerability. Any advice where this is concerned would be appreciated.

  Hi ,
  The version OAS10gR1(9.0.4) is de-supported since 31st-Dec-2008 and as this relates to security we would require you to upgrade to the latest version which is 11g and the apply the latest CPU patches.
  If the same issue still exists even after upgrade and applying the latest CPU patches request you Open and SR with Support.
  Regards,
  Prakash.

• SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability for Smart Switch SG200-26 26 Port

  Hi,
  I am having a SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability on my Smart Switch SG200-26 26Port. Does anyone know how to solve this vulnerability?

  Quick-link to the PSIRT verified Email Security (ESA) vulnerability information as well as workaround:-
  https://tools.cisco.com/bugsearch/bug/CSCur27131

• SSLv3 Poodle vulnerability

  Does anyone have any more info on the SSLv3 Poodle vulnerability in that are any of the Cisco switches, in particular the ACE load balancer (If they do SSL offloading) vulnerable to this?
  http://www.wired.com/2014/10/poodle-explained/
  If so, if there a way to disable SSLv3?

  To disable SSLv3, do something like this:
  parameter-map type ssl PARAMMAP_SSL
    cipher RSA_WITH_3DES_EDE_CBC_SHA
    cipher RSA_WITH_AES_128_CBC_SHA priority 2
    cipher RSA_WITH_AES_256_CBC_SHA priority 3
    version TLS1
  ssl-proxy service SSL_PSERVICE_SERVER
    ssl advanced-options PARAMMAP_SSL
  (Omitted all the other important, but not to this exact solution, stuff in the ssl-proxy config)

• Sslv3 poodle vulnerability and sharepoint site using https

  Hi
  Is it safe  to run IIS crypto tool and choose
  'FIPS 140-2'  on Sharepoint WFe
  We have one web application accessible to users using HTTPS with a  valid  SSL from CA.

  FIPS 140-2 is not supported by SharePoint and enforcing it will break SharePoint.
  Instead, disable SSLv3 support in IIS.
  https://www.digicert.com/ssl-support/iis-disabling-ssl-v3.htm
  https://support.microsoft.com/kb/187498/
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Mitigting SSL v3 POODLE Vulnerability (CVE-2014-3566)

  Hi all,
  Another day, another vulnerability. Feel like we are swimming against the tide.
  Now, SSL v3 has been shown to be vulnerable (looks like a protocol issue, not an implementation issue, so patches are doubtful) and so I am looking at what we can do to mitigate this. Clients (such as IE, Firefox and Chrome (sort of)) can be set to disable SSL v3, but rolling this out across an Enterprise might not be that easy.
  In IIS (that would be running TMS) you can switch off SSL v3 via a reg edit, but are there any knock on effect? What about the web services built into CODECs, MCUs and other infrastructure devices - can SSL v3 be switched off?
  Look forward to the responses.
  Cheers
  Chris

  Hi All,
  This tidbit is not Cisco orientated per se, but some of you might find it useful (if you haven't found the info yourselves already (it's what I sent around to my team here):
  There are many things you can do to mitigate this vulnerability, as you can also disable SSL3 in various clients (although this might affect communication with legacy systems)
  Firefox – Version 34 (due for release at the end of November) will disable SSL v3 by default, but they have released a plug in that can disable this immediately. See https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
  IE – You can turn off SSL 3 from the Settings -->Internet Options --> Advanced --> Security, section however, if you find that the options to check SSL/TLS are greyed out (as they are on my machine), this maybe a hang over from previous security software installation.
  However, I will override this using GPO so domain joined PCs will have this setting updated. The GPO applied to the domain is:
  Computer Setting --> Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel --> Advanced Page --> Turn Off Encryption Support = TLS 1.0, TLS 1.1, and TLS 1.2 ONLY
  Chrome – This is a little more difficult. It seem you can only do this at this moment in time by adding a switch to the start-up command (you can modify the shortcut on either Windows or Mac). Check out https://zmap.io/sslv3/browsers.html

• POODLE vulnerability

  Hi,
  I'm getting this threatening message from our admin (see below). I know this is being investigated (http://www.blackberry.com/btsc/KB36397), but they will throw my phone off the network in two days. Are there know workarounds? Why is the port 443 open anyway?
  anze
  System Name/IP : XX
  MAC Address : a4e4b80ef72b
  Owner/Admin : XX
  Last Scanned : 2014-11-04 09:58:07
  You are being contacted because you are listed as the admin/owner
  of the above system.
  ** At least one high or medium risk vulnerability remains on this system,
  and must accounted for before 2014-11-12! **
  Remediation will generally involve a combination of two approaches:
  1) Addressing the problem directly (e.g. apply vendor patches,
  disabling unnecessary services, etc.). Or,
  2) If a vulnerability cannot be remediated for any reason, an
  exception will have to be made. When you mark an exception
  you will have to provide a justification as well as a category
  (false positive, operational need, not correctable, etc.)
  ** Note that all exceptions/justifications will be audited! **
  Note that you will need to re-scan the system after you take any
  of the above remediation actions, to confirm the results.
  If nothing is done, this system will be queued to be blocked at
  9 am on 2014-11-12. Once queued, the only way to release the
  system will be to call the ITD Help Desk at x5522.
  This is the 2nd notice (the original notice was sent on 2014-11-05).
  [1] Service: www (443/tcp), Risk: MEDIUM, ID: 78479
  Synopsis :
  It is possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.
  Description :
  The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.
  As long as a client and service both support SSLv3, a connection can be 'rolled back' to SSLv3, even if TLSv1 or newer is supported by the client and service.
  The TLS Fallback SCSV mechanism prevents 'version rollback' attacks without impacting legacy clients
  however, it can only protect connections when the client and service support the mechanism. Sites that cannot disable SSLv3 immediately should enable this mechanism.
  This is a vulnerability in the SSLv3 specification, not in any particular SSL implementation. Disabling SSLv3 is the only way to completely mitigate the vulnerability.
  See also :
  https://www.imperialviolet.org/2014/10/14/poodle.html
  https://www.openssl.org/~bodo/ssl-poodle.pdf
  https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
  Solution :
  Disable SSLv3.
  Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled.
  Risk factor :
  Medium / CVSS Base Score : 4.3
  (CVSS2#AV:N/AC:M/Au:N/C/I:N/A:N)
  Plugin output :
  Nessus determined that the remote server supports SSLv3 with at least one CBC
  cipher suite, indicating that this server is vulnerable.
  It appears that TLSv1 or newer is supported on the server. However, the
  Fallback SCSV mechanism is not supported, allowing connections to be "rolled
  back" to SSLv3.
  CVE : CVE-2014-3566
  BID : 70574
  Other references : OSVDB:113251,CERT:577193,IAVA:2014-A-0166

  Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.
  TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. BlackBerry products use TLS 1.0 or better by default when connecting to websites. 
  Each encrypted connection uses a different key and recovering the plain text of one session does not compromise other sessions.
  This issue is mitigated for all customers by the requirement that an attacker would need to force the server and client to downgrade to the legacy SSLv3 protocol. This would require that the attacker successfully simulate a network or request failure. The attacker would also need to force the encrypted data to contain known plain text unless the attacker can reliably guess a part or all of the plain text. Any attempt to guess plain text data would rely on the data being in the exact same position within the network packets each time and in practice it is unlikely that this will be possible.
  This issue is mitigated for BlackBerry smartphone customers by the requirement that an attacker must first gain at least partial control of the network and of the server. The browser would then need to communicate with the attacker-controlled server over an attacker-controlled network on a repeated basis. If the connection is not compromised or the server is not under the control of the attacker, or if the attacker is unable to cause known data to be sent repeatedly between the server and the client, the SSLv3 weakness cannot be used to recover unencrypted data. The attacker has no way of forcing such a connection to occur.
  Click here to Backup the data on your BlackBerry Device! It's important, and FREE!
  Click "Accept as Solution" if your problem is solved. To give thanks, click thumbs up
  Click to search the Knowledge Base at BTSC and click to Read The Fabulous Manuals
  BESAdmin's, please make a signature with your BES environment info.
  SIM Free BlackBerry Unlocking FAQ
  Follow me on Twitter @knottyrope
  Want to thank me? Buy my KnottyRope App here
  BES 12 and BES 5.0.4 with Exchange 2010 and SQL 2012 Hyper V

• Small Business switches and POODLE

  Has Cisco done any research into small business switches being vulnerable to POODLE?  I know they're working hard on the enterprise side, but I'm not finding any information on the small business side.
   

  Hi,
  All Cisco product will be checked and results are posted on the same page as for enterprise:
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
  Regards,
  Aleksandra

• Patch for Dreamweaver CS5 or 6 from Poodle Vulnerability

  GoDaddy ran a security patch for Poodle and now Dreamweaver can't connect. FTP over SSL/TLS explicit encryption is used. Is there a patch from Adobe for Dreamweaver?

  The perpetual license of CS6 is essentially Adobe's response to those folks who absolutely refuse to switch to the Creative Cloud Subscription plans. It's actually 3 versions (4 if you count Cloud CS6) removed from "current". Even though it's still available for purchase, it hasn't been receiving any updates and is getting further and further behind DWCC as time goes by.
  Adobe has a phone number, you just need to dig...
  Contact Customer Care
  Click Dreamweaver > How-to's and troubleshooting > Troubleshoot > click the big blue Still Need Help button
  That will give you Chat (if available) Phone (region specific) and Forums links

• How to disable SSL v3 for sun os 5.6 (OAS 4.0.8), I am facing POODLE vulnerability issue?

  my Website is hosted on Sun OS 5.06 (OAS 4.0.8) and using web server : Oracle_Web_Listener/4.0.8. Website is configured to use https for secure pages and it was working fine from last 10 years but suddenly i am getting complaints from my customers that they can not browse site on chrome version 40 and above and firefox 34 and above.
  I searched for this issue and found that there is POODLE attack which may causing this issue. now the only solution i can see is to disable SSL v3 on server.
  Can any help me out with the process or an idea, How to disable SSL V3 on this Olde server? its sun microsystem server.

  Hi Aamir,
     This is old software, been a while since I saw one of these.
      Normally when SSL was setup there were two listeners, one with SSL and one without, in a different port, so you could try to find this second port, which may work without any need to change the configuration.
      Else, try to check on the OAS manager (Usually on port 8888), the HTTP listener -> WWW -> Network, if there is a setup only for the SSL port, you will need to add a new line, with the same configuration, but a different port and the security disabled.
      Also, there may be some setting on the application itself for the url path. If so, when you navigate in the application it will try to redirect you back to the SSL port. In that case you will need to figure out where to change that, which depend on the application itself.
     Found this page on google with the process to setup SSL on OAS 4.0, you need to do the inverse of step 5.
  WoSign Support: SSL Certificates Installation Instruction - Oracle Web Server (OAS 4.0.8)
  Regards,
  Luis

• The Firefox plugin page said I needed to install a new plugin for Shockwave Flash, but after doing the installation I checked back to see if the installation took place and the "action" column still says "update now" and potentially vulnerable."

  After downloading the new version of Shockwave
  flash the message in the box said the download was completed; however, the information on the Firefox plugin page keeps saying "potentially vulnerable" and "update now" as though no download took place. I repeated the download 2 more times and got the same results.

  Your plugins list shows outdated plugin(s) with known security and stability risks.
  # Shockwave Flash 10.0 r32
  # Java Plug-in 1.5.0_06 for Netscape Navigator (DLL Helper)
  Update the [[Java]] and [[Flash]] plugin to the latest version.
  See
  http://java.sun.com/javase/downloads/index.jsp#jdk (you need JRE)
  http://www.adobe.com/software/flash/about/
  Start Firefox in [[Safe Mode]] to check if one of your add-ons is causing your problem (switch to the DEFAULT theme: Tools > Add-ons > Themes).
  See [[Troubleshooting extensions and themes]] and [[Troubleshooting plugins]]