-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2015.1846
OpenSSL Alternative Chains Certificate Forgery Vulnerability (July 2015) Affecting Cisco Products
13 July 2015

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Cisco products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
                   Access Privileged Data         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1793

Reference:         ESB-2015.1831
                   ESB-2015.1817

Original Bulletin:
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150710-openssl

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: OpenSSL Alternative Chains Certificate Forgery Vulnerability (July 2015) Affecting Cisco Products

Advisory ID: cisco-sa-20150710-openssl

Revision 1.0

For Public Release 2015 July 10 16:00 UTC (GMT)

+-----------------------------------------------------------------------

Summary
=======

On July 9, 2015, the OpenSSL Project released a security advisory detailing a vulnerability affecting applications that verify certificates, including SSL/Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) clients and SSL/TLS/DTLS servers using client authentication.

Multiple Cisco products incorporate a version of the OpenSSL package affected by this vulnerability that could allow an unauthenticated, remote attacker to cause certain checks on untrusted certificates to be bypassed, enabling the attacker to forge "trusted" certificates that could be used to conduct man-in-the-middle attacks.

This advisory will be updated as additional information becomes available.
Cisco will release free software updates that address this vulnerability. Workarounds that mitigate this vulnerability may be available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150710-openssl

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----