-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1846
       OpenSSL Alternative Chains Certificate Forgery Vulnerability
                   (July 2015) Affecting Cisco Products
                               13 July 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
                   Access Privileged Data         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1793  

Reference:         ESB-2015.1831
                   ESB-2015.1817

Original Bulletin: 
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150710-openssl

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: OpenSSL Alternative Chains Certificate Forgery Vulnerability (July 2015) Affecting Cisco Products

Advisory ID: cisco-sa-20150710-openssl

Revision 1.0

For Public Release 2015 July 10 16:00 UTC (GMT)

+-----------------------------------------------------------------------

Summary
=======

On July 9, 2015, the OpenSSL Project released a security advisory detailing a vulnerability affecting applications that verify certificates, including SSL/Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) clients and SSL/TLS/DTLS servers using client authentication.

Multiple Cisco products incorporate a version of the OpenSSL package affected by this vulnerability that could allow an unauthenticated, remote attacker to cause certain checks on untrusted certificates to be bypassed, enabling the attacker to forge "trusted" certificates that could be used to conduct man-in-the-middle attacks.

This advisory will be updated as additional information becomes available.

Cisco will release free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability may be available.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150710-openssl

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----