SSLv3 POODLE on v7.1 IPS

CSCur29000 states "No release planned to fix this bug."  I understand that this is covered with version 7.3(2), which I have running on one of my 5512-X firewalls.  But what about the SSM-10's that only run the 7.1 series?  7.1(9) was just released which finally fixes the OpenSSL heartbleed issue from June.  It doesn't appear to fix this issue.  When can we expect to get this fixed on a currently supported product?
Thanks,
Mike

Tried this on one of my 4260's and our most recent vulnerability scan is still picking up the IPS as vulnerable to POODLE.
Given that the IPS is technically supported until 2018, I'm having a hard time convincing the business that they need to upgrade it just yet.
Was there anything else you needed to do other than what was documented in the link?

Similar Messages

  • SSLv3 Poodle vulnerability

    Does anyone have any more info on the SSLv3 Poodle vulnerability, in that are any of the Cisco switches, in particular the ACE load balancer (if they do SSL offloading), vulnerable to this?
    http://www.wired.com/2014/10/poodle-explained/
    If so, is there a way to disable SSLv3?

    To disable SSLv3, do something like this:
    parameter-map type ssl PARAMMAP_SSL
      cipher RSA_WITH_3DES_EDE_CBC_SHA
      cipher RSA_WITH_AES_128_CBC_SHA priority 2
      cipher RSA_WITH_AES_256_CBC_SHA priority 3
      version TLS1
    ssl-proxy service SSL_PSERVICE_SERVER
      ssl advanced-options PARAMMAP_SSL
    (Omitted all the other important, but not to this exact solution, stuff in the ssl-proxy config)

  • MeetingPlace 7.1 SSLv3/Poodle Vulnerability

    Hello, Support Community,
    We have MeetingPlace 7.1 on an MCS server.  The server is running the Cisco IOS Image 2003.1.51 and Service Release 25.  This is our conference server located in our DMZ for outside conferencing. 
    I have read the notice at https://tools.cisco.com/bugsearch/bug/CSCur33354/?referring_site=bugquickviewclick. 
    It appears that upgrading is the best option; however, we are looking for a short-term security option if one is available, as we are going to be getting ready to upgrade to WebEx in a few months.
    Is there anything else that can be enabled differently, or disabled, to secure the server and still provide service to our clients that are coming in for web conferencing from the outside?
    Many thanks in advance for the help!
    Peggy


  • SSLV3 poodle on WLC 2100

    Hi everyone,
    Seems as per Cisco all WLC (5500/2100 etc.) are affected by SSLv3.
    Need to know if there is any config change that can be done without doing a version upgrade?
    Regards
    Mahesh

    If you do not want users to connect to a web page using a browser that is configured with SSLv2 only, you can disable SSLv2 for web authentication by entering the config network secureweb cipher-option sslv2 disable command. If you enter this command, users must use a browser that is configured to use a more secure protocol such as SSLv3 or later releases. The default value is disabled.

  • Sslv3 poodle vulnerability and sharepoint site using https

    Hi
    Is it safe to run the IIS Crypto tool and choose
    'FIPS 140-2' on a SharePoint WFE?
    We have one web application accessible to users using HTTPS with a valid SSL certificate from a CA.

    FIPS 140-2 is not supported by SharePoint and enforcing it will break SharePoint.
    Instead, disable SSLv3 support in IIS.
    https://www.digicert.com/ssl-support/iis-disabling-ssl-v3.htm
    https://support.microsoft.com/kb/187498/
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • CUCM 8.6(2): evaluation of SSLv3 POODLE vulnerability

    Hi,
    As per the bug toolkit CUCM version 8.6(2) is affected by the following bug CSCur23720.
    I tried to check for a COP file to fix this issue but didn't find.
    Please advise .

    Hi
    I would contact TAC to see if they have something for  you - I don't see a specific COP, and there doesn't seem to be a 'fixed-in' 8.x version referenced in the bug report..
    Aaron

  • CSCur27551 - SSLv3 Poodle attack against https in wlc, CVE-2014-3566 - 1

    Is there  a reason why Cisco doesn't add this code/fix 7.6.130.13 to their main downloads for the 5508 WLC?  I need to get this again and most likely need to resubmit a ticket just to get a link to download.

    Firmware 1.05.36 of MyCloud Mirror fixed that: http://community.wd.com/t5/WD-My-Cloud-Mirror/New-Release-My-Cloud-Mirror-Firmware-Release-1-05-36-7-8-2015/td-p/886778

  • How do I disable SSLv3 in Safari (OSX & iOS)

    Hi All,
    So following this morning's Google announcement on the SSLv3 vulnerability, I tried disabling it on the client side on my various systems and browser. On OSX, I managed to do it for Firefox and Chrome but not for Safari. On iOS I didn't manage at all.
    Any clue on how it can be done?
    FWIW:
    - Disabling SSLv3 in Firefox:
      Open about:config, find security.tls.version.min and set the value to 1. Then restart your browser to drop any open SSL connections.
    - Disabling SSLv3 in Chrome:
      Launch Chrome using an AppleScript that contains the following
      do shell script "open -a /Applications/Google\\ Chrome.app --args --ssl-version-min=tls1"
    - Checking client-side vulnerability:
       https://www.poodletest.com/
    - Checking server-side vulnerability:
       http://www.poodlebleed.com
    Cheers,
    Alex

    Apple posted the following updates that include a fix for the SSLv3 "Poodle" issue:
    Yosemite 10.10
    Security Update 2014-005 Mavericks
    Security Update 2014-005 Mountain Lion
    as well as updates for all currently supported Servers (4.0, 3.2.2, 2.2.5)
    All of them contain the following:
    Secure Transport
    Impact:  An attacker may be able to decrypt data protected by SSL
    Description:  There are known attacks on the confidentiality of SSL
    3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
    could force the use of SSL 3.0, even when the server would support a
    better TLS version, by blocking TLS 1.0 and higher connection
    attempts. This issue was addressed by disabling CBC cipher suites
    when TLS connection attempts fail.
    CVE-ID
    CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
    Google Security Team
    It would appear that your browsers will show "maybe vulnerable" on the poodletest site, so my guess is that OS X will prevent all apps from using SSLv3 even if they would otherwise be capable of doing so.  This will protect other apps, such as e-mail clients that are also normally able to use SSLv3.

  • Calendarserver only supports SSLv3

    Hello,
    I wonder why my iCal Server only supports SSLv3. I didn't find any configuration for this. I'd rather use TLS1.0 and block any SSLv3.
    (Looked in /Library/Server/Calendar\ and\ Contacts/Config/caldavd-system.plist)
    % nmap --script ssl-enum-ciphers -p 8443 cal.xxx.de
    Starting Nmap 5.51 ( http://nmap.org ) at 2014-10-16 16:28 CEST
    Host is up (0.0011s latency).
    PORT     STATE SERVICE
    8443/tcp open  https-alt
    | ssl-enum-ciphers:
    |   SSLv3
    |     Ciphers (6)
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA
    |       TLS_RSA_WITH_AES_128_CBC_SHA
    |       TLS_RSA_WITH_AES_256_CBC_SHA
    |       TLS_RSA_WITH_RC4_128_MD5
    |       TLS_RSA_WITH_RC4_128_SHA
    |       TLS_RSA_WITH_SEED_CBC_SHA
    |     Compressors (1)
    |_      uncompressed
    BTW:
    # openssl version
    OpenSSL 0.9.8y 5 Feb 2013
    Shouldn't Apple take any action on this? I feel uncomfortable using OSX Server while not being able to serve something > TLS1.0 without updating openssl myself.
    Thanks in advance!


  • Disabling SSL v3 in OAS10gR1 (9.0.4) to address Poodle vulnerability?

    Has anyone been able to get OAS10gR1 (9.0.4) to recognize a protocol other than SSLv3 – such as TLS? We know that this version of the OAS supports SSLv3 primarily – but we are attempting to address the SSLv3 Poodle Vulnerability. Any advice where this is concerned would be appreciated.

    Hi,
    The version OAS10gR1 (9.0.4) has been de-supported since 31st Dec 2008, and as this relates to security we would require you to upgrade to the latest version, which is 11g, and then apply the latest CPU patches.
    If the same issue still exists even after upgrading and applying the latest CPU patches, we request you to open an SR with Support.
    Regards,
    Prakash.

  • ACE TLS1.0 Enforcement Behavior

    ACE 30 module running A4(2.3) code.  I want to turn off SSLv3 support, but seeing some different behavior when doing so.  Perhaps someone can explain the ACE behavior.
    When ACE is set to all versions (SSLv3 and TLS1.0), if a TLS1.2 Client Hello is received, it is accepted and the ACE responds with a Server Hello with Version: TLS1.0 (0x0301) and the communications continues without issue.
    When "version tls1" is configured in the same SSL parameter map, the same TLS1.2 Client Hello is received, but the ACE sends a SSL Fatal Alert packet back to the client due to Protocol Version with Version: SSL 3.0 (0x0300) as the version.  
    I understand that the ACE doesn't support TLS1.1 and 1.2 in this version of code, but why does it accept the TLS1.2 Client Hello when version is all, but rejects it when version is set for tls1?

    Hi Dave,
    The SSLv3 version is not supported anymore by ACE and that was the recommended fix.
    The following resolved caveats apply to software version A5(3.1b):
        CSCur02195—The ACE 4710 and ACE30 include a version of bash that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
    1. CVE-2014-6271
    2. CVE-2014-6277
    3. CVE-2014-6278
    4. CVE-2014-7169
    5. CVE-2014-7186
    6. CVE-2014-7187
        CSCur23683—ACE30 : evaluation of SSLv3 POODLE vulnerability.
    Note ACE will no longer support SSLv3 version of SSL. ACE will support the following SSL versions TLS1.0, TLS1.1, and TLS1.2. A performance degradation of 9% may be observed while using TLS1.0 compared to SSLv3.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Disable SSLv3 on Exchange 2010 server (Poodle Vulnerability)

    Following the recommendation to mitigate the Poodle vulnerability, we tried disabling SSLv3 and making sure that users had TLS 1.1 and 1.2 enabled on their browsers.
    We used IIScrypt to turn off SSLv3 (v2 was already disabled from before).
    Now, OWA works fine, and users are able to connect via the Web.
    Internally, users are also able to connect with Outlook 2010/2013.
    However, users are not able to connect via Outlook from outside (Outlook Anywhere).
    In the event viewer you get an error:
    A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.
    I opened a ticket with Microsoft but the lady working on the case wanted us to re-enable SSLv2 which is out of the question.
    Has anybody seen this issue as well?
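Added example (Python; not from any of the posts above): the ACE thread earlier on this page describes a TLS1.2 ClientHello answered either with a TLS1.0 ServerHello or with a fatal alert carried in a record marked version 0x0300, and the Exchange event log above reports "fatal error code 70", which is the TLS alert description protocol_version. The decoder below reads the record-layer version, the handshake version and the alert code out of raw bytes so the two behaviours can be told apart in a packet capture. All sample records are constructed here and are not real captures; "ACE" and "Exchange" in the comments refer only to the posts on this page.

```python
"""Decode SSL/TLS record, handshake and alert headers from captured bytes.
Added example, not code from any of the forum posts."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}
# AlertDescription values (RFC 5246 section 7.2, RFC 7507); 70 is SChannel's "fatal error code 70"
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def version_name(major, minor):
    return VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor))


def parse_record(data):
    """Parse one record (5-byte header plus body) into a dict."""
    if len(data) < 5:
        raise ValueError("record too short")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    rec = {"content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
           "record_version": version_name(major, minor)}
    if ctype == 22 and len(body) >= 6:
        # Handshake header: type(1) length(3), then client_version / server_version(2)
        rec["handshake_type"] = HANDSHAKE_TYPES.get(body[0], "unknown(%d)" % body[0])
        rec["handshake_version"] = version_name(body[4], body[5])
    elif ctype == 21 and len(body) >= 2:
        rec["alert_level"] = "fatal" if body[0] == 2 else "warning"
        rec["alert_code"] = body[1]
        rec["alert_description"] = ALERTS.get(body[1], "unknown(%d)" % body[1])
    return rec


def summarize(records):
    """Walk the records of one exchange and report what was offered, negotiated or rejected."""
    offered = negotiated = rejected = None
    for raw in records:
        rec = parse_record(raw)
        if rec.get("handshake_type") == "client_hello":
            offered = rec["handshake_version"]
        elif rec.get("handshake_type") == "server_hello":
            negotiated = rec["handshake_version"]
        elif rec["content_type"] == "alert" and rec.get("alert_level") == "fatal":
            rejected = "%s (%d)" % (rec["alert_description"], rec["alert_code"])
            break
    return {"offered": offered, "negotiated": negotiated, "rejected": rejected,
            "sslv3_in_use": negotiated == "SSLv3"}


# --- constructed sample records (not real captures) -------------------------

def build_hello(hs_type, major, minor):
    """Minimal well-formed ClientHello (1) or ServerHello (2) carrying the given version."""
    session_id = b"\x00"                                            # empty session id
    if hs_type == 1:
        suites, compression = b"\x00\x02\x00\x2f", b"\x01\x00"      # one suite, null compression
    else:
        suites, compression = b"\x00\x2f", b"\x00"
    body = bytes([major, minor]) + b"\x00" * 32 + session_id + suites + compression
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([22, 3, 1]) + len(hs).to_bytes(2, "big") + hs


def build_alert(major, minor, description, level=2):
    """Alert record whose record-layer version is (major, minor)."""
    return bytes([21, major, minor, 0, 2, level, description])


CLIENT_HELLO_TLS12 = build_hello(1, 3, 3)        # client offers TLS1.2
SERVER_HELLO_TLS10 = build_hello(2, 3, 1)        # ACE with "all versions": answers TLS1.0 (0x0301)
ALERT_PROTOCOL_VERSION = build_alert(3, 0, 70)   # ACE with "version tls1": fatal alert in a 0x0300 record
ALERT_HANDSHAKE_FAILURE = build_alert(3, 0, 40)  # what "s_client -ssl3" gets from a host refusing SSLv3

if __name__ == "__main__":
    for name, exchange in [("ACE, all versions", [CLIENT_HELLO_TLS12, SERVER_HELLO_TLS10]),
                           ("ACE, version tls1", [CLIENT_HELLO_TLS12, ALERT_PROTOCOL_VERSION]),
                           ("SSLv3 refused", [ALERT_HANDSHAKE_FAILURE])]:
        print(name, summarize(exchange))
```

Run it directly for the three constructed exchanges, or feed it records pulled out of a capture: a ServerHello reporting SSLv3 is the condition a POODLE-era scanner flags, while a protocol_version alert means the peer refused the offered version outright, which is what the Exchange event and the ACE "version tls1" behaviour both show.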

    Hi Max
    Could you provide the steps to turn off SSLv3? Is it from the registry:
    http://support.microsoft.com/kb/187498 ?
    Mat A
    Yes. Copy and paste this into a text file and save as a .reg file, then double click on the file to add to the registry of the server
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    "DisabledByDefault"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    "Enabled"=dword:00000000
    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

  • How do I disable SSLV3 in Oracle HTTP SERVER to prevent POODLE attacks?

    How do I disable SSLV3 in Oracle HTTP SERVER to prevent POODLE attacks?
    I see the line in the ssl.conf file:
    SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_RC4_40_MD5:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    but I'm not sure which ciphers are SSLV3.
    Thanks,
    Andy
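Added example (Python; not from either thread): the nmap listing in the Calendarserver thread above and the SSLCipherSuite line in Andy's question raise the same question, which suites matter for POODLE. Suite names do not select a protocol version (in Apache mod_ssl that is the SSLProtocol directive, not SSLCipherSuite), so the code below parses scanner output into protocol-to-suite lists and, separately, classifies each suite by CBC mode, the mode the attack needs, and by other weaknesses. The scanner text is constructed to mirror that post, with an extra TLSv1.0 block added so the parser shows more than one protocol; the cipher names are real OpenSSL and IANA names.

```python
"""Flag SSLv3 and CBC cipher suites in scanner output and in an Apache-style
SSLCipherSuite value. Added example, not code from any of the forum posts."""
import re

# Constructed to mirror the nmap output in the Calendarserver post; the TLSv1.0 block is added.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   SSLv3
|     Ciphers (6)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_SEED_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.0
|     Ciphers (2)
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed
"""

# The SSLCipherSuite value quoted in the Oracle HTTP Server question
OHS_CIPHERSUITE = ("SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:"
                   "SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_RC4_40_MD5:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA")

PROTOCOL_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1(?:\.\d)?):?$")


def parse_ssl_enum_ciphers(text):
    """Return {protocol: [cipher, ...]} from nmap ssl-enum-ciphers output."""
    protocols, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()
        m = PROTOCOL_RE.match(line)
        if m:
            current = m.group(1)
            protocols.setdefault(current, [])
        elif current and line.startswith(("TLS_", "SSL_")):
            protocols[current].append(line.split()[0])   # newer nmap appends a grade after the name
    return protocols


def is_cbc(cipher):
    """True for suites whose bulk cipher runs in CBC mode (the mode POODLE needs)."""
    n = cipher.upper()
    if n.startswith(("TLS_", "SSL_")):          # IANA-style names spell the mode out
        return "_CBC_" in n
    # OpenSSL-style names (AES256-SHA, DES-CBC3-SHA): anything not stream or AEAD is CBC
    return not any(tag in n for tag in ("RC4", "GCM", "CCM", "CHACHA", "NULL"))


def weaknesses(cipher):
    """Other reasons a suite should go, independent of the protocol version."""
    n = cipher.upper()
    flags = []
    if "EXPORT" in n or n.startswith("EXP-"):
        flags.append("export-grade key length")
    if "RC4" in n:
        flags.append("RC4")
    if n.endswith("MD5"):
        flags.append("MD5 MAC")
    if "_DES_CBC_" in n or "DES40" in n or "DES-CBC-" in n:   # single DES, not 3DES
        flags.append("single DES")
    if "NULL" in n:
        flags.append("no encryption")
    return flags


def report(protocols):
    """Turn parsed scanner output into findings a change request can cite."""
    findings = []
    for proto, ciphers in protocols.items():
        if proto == "SSLv3":
            cbc = [c for c in ciphers if is_cbc(c)]
            findings.append("SSLv3 offered with %d CBC suite(s): CVE-2014-3566 applies, disable the protocol"
                            % len(cbc))
        elif proto == "SSLv2":
            findings.append("SSLv2 offered: obsolete protocol, disable it")
        for c in ciphers:
            for w in weaknesses(c):
                findings.append("%s: %s uses %s" % (proto, c, w))
    return findings


def classify_cipher_suite_directive(value):
    """Classify each entry of an SSLCipherSuite value; none of them selects a protocol version."""
    return {c: {"cbc": is_cbc(c), "weak": weaknesses(c)} for c in value.split(":") if c}


if __name__ == "__main__":
    for line in report(parse_ssl_enum_ciphers(NMAP_OUTPUT)):
        print(line)
    for name, info in classify_cipher_suite_directive(OHS_CIPHERSUITE).items():
        print(name, info)
```

The classifier accepts both naming styles, so the same functions can be pointed at an `openssl ciphers` listing like the one in the mobility thread further down; the protocol finding comes only from the scanner's protocol heading, which is the point the Oracle thread was missing.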

    Hi Andy,
    For this, we highly recommend that you open an SR with Oracle Support, and the Security team will assist you on how to get this fixed.
    Thanks,
    Sharmela

  • Poodle SSLv3 vulnerability

    OK, I'll be the first to ask.
    I've just checked our mobility server using the following command:
    openssl s_client -connect fqdn:443 -ssl3
    and the latest released mobility IS accepting SSLv3 requests
    How do you turn it off? I can do it in apache httpd, but mobility doesn't run via apache
    TIA,
    Mark.

    On 15/10/2014 17:06, MarkDissington wrote:
    > The steps (on a fully patched SLES11SP3 server):
    >
    > 1. Backup
    > /etc/datasync/configengine/engines/default/pipelines/pipeline1/connectors/mobility/connector.xml
    > 2. Verify cipher suites available - -openssl ciphers -tls1-
    > 3. cd
    > /etc/datasync/configengine/engines/default/pipelines/pipeline1/connectors/mobility
    > 4. vi connector.xml
    > 5. Add the following where you modify your cipher suite to match the
    > response in step 2, I inserted these two lines after the *<ssl>1</ssl>*
    > line
    >
    > Code:
    > --------------------
    > <sslMethod>4</sslMethod>
    > <sslCiphers>DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:ECDHE-RSA-AES128-SHA:ECDH-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:ECDHE-RSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5</sslCiphers>
    > --------------------
    >
    > 6. Save and exit vi ([Esc]:wq[Enter])
    > 7. -rcgms restart-
    > 8. Test using -openssl s_client -connect *gms_fqdn*:443 -ssl3- from
    > another server to be sure - you should get an ssl handshake failure
    > similar to below
    > CONNECTED(00000003)
    > 28790:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
    > failure:s3_pkt.c:1092:SSL alert number 40
    > 28790:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
    > failure:s3_pkt.c:536:
    For those following the above via NNTP remove the hyphens from the
    beginning and end of each command (though not those before openssl
    parameters).
    Another useful test is "echo Q | openssl s_client -connect
    $(hostname):443 2>&1 | grep Protocol" (from the GMS host itself - if not
    replace "$(hostname)" with the gms_fqdn as per your step 8) but without
    the -ssl parameter. This will tell you what the default protocol being
    used is ... and should hopefully report TLSv[something].
    > Thanks again guys, would be a good to get a TID on this ;-)
    They're coming though you'll appreciate there are a few to write to
    cover all (affected) products across all the Business Units.
    HTH.
    Simon
    Novell Knowledge Partner

  • Any hints on suspending SSLv3 for KSSL?

    We have a T2000 server where performance is severely inadequate if using software SSL.
    This began when 2048 bit keys were required in recent years.  We implemented KSSL
    and it has worked great in production for about one year.
    Now poodle CVE-2014-3566 has come up and we'd like to disable SSLv3.
    I don't see how that can be done via ksslcfg

    You appear to be asking a software question in a HARDWARE forum space.
    Does this issue of yours have any relevance to that specific T2000 you mentioned, or is it something applicable to the OS you are using on it?
    If it applies to the OS, then what are you using?
    I'll try to arrange to have your post relocated to an OS-specific discussion space.
