ESB-2014.0898.2 - UPDATE [Cisco] Cisco Products: Multiple vulnerabilities

Date: 29 January 2015
References: ESB-2014.0574  ESB-2014.0580  ESB-2014.0590  ESB-2014.0624.2  ESB-2014.0715  ESB-2014.0750  ESB-2014.0751  ESB-2014.0755  ESB-2014.0886  ESB-2014.0887  
ESB-2014.0888  ESB-2014.0889  ESB-2014.0890  ESB-2014.0891  ESB-2014.0892  ESB-2014.0894.2  ESB-2014.0897  ESB-2014.0902  ESB-2014.0905  ESB-2014.0908  ESB-2014.0932  


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2014.0898.2
       Multiple Vulnerabilities in OpenSSL Affecting Cisco Products
                              29 January 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3470 CVE-2014-0224 CVE-2014-0221
                   CVE-2014-0198 CVE-2014-0195 CVE-2014-0076
                   CVE-2010-5298  

Reference:         ESB-2014.0897
                   ESB-2014.0894
                   ESB-2014.0892
                   ESB-2014.0891
                   ESB-2014.0890
                   ESB-2014.0889
                   ESB-2014.0888
                   ESB-2014.0887
                   ESB-2014.0886
                   ESB-2014.0755
                   ESB-2014.0751
                   ESB-2014.0750
                   ESB-2014.0715
                   ESB-2014.0624.2
                   ESB-2014.0590
                   ESB-2014.0580
                   ESB-2014.0574
                   ESB-2014.0572
                   ESB-2014.0571
                   ESB-2014.0568
                   ESB-2014.0565
                   ESB-2014.0564
                   ESB-2014.0543
                   ESB-2014.0535
                   ESB-2014.0534
                   ESB-2014.0532
                   ESB-2014.0530
                   ESB-2014.0529
                   ESB-2014.0511
                   ESB-2014.0505
                   ESB-2014.0492.5

Original Bulletin: 
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl

Revision History:  January 29 2015: Cisco has updated the list of vulnerable 
                                    products. Please check the original 
                                    bulletin for more information.
                   June     6 2014: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products

Advisory ID: cisco-sa-20140605-openssl

Revision 1.0

For Public Release 2014 June 5 22:00  UTC (GMT)

Summary
=======

Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code, create a denial of service (DoS) condition, or perform a man-in-the-middle attack. On June 5, 2014, the OpenSSL Project released a security advisory detailing seven distinct vulnerabilities. The vulnerabilities are referenced in this document as follows:

  SSL/TLS Man-in-the-Middle Vulnerability
  DTLS Recursion Flaw Vulnerability
  DTLS Invalid Fragment Vulnerability
  SSL_MODE_RELEASE_BUFFERS NULL Pointer Dereference Vulnerability
  SSL_MODE_RELEASE_BUFFERS Session Injection or Denial of Service Vulnerability
  Anonymous ECDH Denial of Service Vulnerability
  ECDSA NONCE Side-Channel Recovery Attack Vulnerability

Please note that the devices that are affected by these vulnerabilities are the devices acting as a Secure Sockets Layer (SSL) or Datagram Transport Layer Security (DTLS) server terminating SSL or DTLS connections, or devices acting as an SSL client initiating an SSL or DTLS connection. Devices that are simply traversed by SSL or DTLS traffic without terminating it are not affected.

This advisory will be updated as additional information becomes available.
Cisco will release free software updates that address these vulnerabilities. 
Workarounds that mitigate these vulnerabilities may be available. 
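The scope statement above (only endpoints that terminate SSL/TLS or DTLS, as server or client, are exposed) and the CVE list are the two facts a defender needs for triage. The script below is an added example and is not part of the Cisco or AusCERT bulletin; it turns those facts into a check over an inventory of hosts. It assumes you can obtain an OpenSSL version string per host (for example the output of `openssl version`), and it takes the fix releases for the three branches (0.9.8za, 1.0.0m, 1.0.1h) from the 5 June 2014 OpenSSL Project advisory that the summary refers to; those release numbers are not stated on this page and should be confirmed against that advisory. The hostnames, roles and versions in the sample inventory are constructed. The comparison also handles OpenSSL's letter-suffix release scheme, where `0.9.8za` is newer than `0.9.8z`, which a plain string comparison gets wrong.

```python
import re

# Fix releases named in the OpenSSL Project security advisory of 5 June 2014.
# Assumption for this example: confirm these against the OpenSSL advisory, since
# the Cisco bulletin above lists only the CVE identifiers.
FIXED_RELEASE = {
    (0, 9, 8): "0.9.8za",
    (1, 0, 0): "1.0.0m",
    (1, 0, 1): "1.0.1h",
}

# Matches "1.0.1g" inside text such as "OpenSSL 1.0.1g 7 Apr 2014".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b")


def parse_version(text):
    """Return ((major, minor, fix), letter_suffix), or None if no version is found."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    numeric = tuple(int(part) for part in match.group(1, 2, 3))
    return numeric, match.group(4)


def suffix_key(suffix):
    """Ordering key for OpenSSL letter releases: '' < 'a' < ... < 'z' < 'za' < 'zb'.
    Comparing by length first is what makes 'za' sort after 'z'."""
    return (len(suffix), suffix)


def is_fixed(version_text):
    """True if the version is at or past the fix release of its branch,
    False if it is older, None if the branch is not covered by the advisory."""
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError("no OpenSSL version found in %r" % version_text)
    numeric, suffix = parsed
    fixed = FIXED_RELEASE.get(numeric)
    if fixed is None:
        return None
    _, fixed_suffix = parse_version(fixed)
    return suffix_key(suffix) >= suffix_key(fixed_suffix)


def triage(inventory):
    """inventory: iterable of (host, terminates_tls, version_text).

    Per the advisory, only devices that terminate SSL/TLS or DTLS (as server or
    client) are exposed; devices that merely forward such traffic are not.
    Returns host -> 'patch' | 'ok' | 'unknown' | 'not-exposed'.
    """
    verdicts = {}
    for host, terminates_tls, version_text in inventory:
        if not terminates_tls:
            verdicts[host] = "not-exposed"
            continue
        fixed = is_fixed(version_text)
        if fixed is None:
            verdicts[host] = "unknown"
        else:
            verdicts[host] = "ok" if fixed else "patch"
    return verdicts


# Constructed sample inventory (hostnames, roles and versions are made up).
SAMPLE_INVENTORY = [
    ("vpn-gw",      True,  "OpenSSL 1.0.1g 7 Apr 2014"),   # older than 1.0.1h
    ("web-lb",      True,  "OpenSSL 1.0.1h 5 Jun 2014"),   # at the fix release
    ("legacy-app",  True,  "OpenSSL 0.9.8y 5 Feb 2013"),   # 'y' sorts before 'za'
    ("legacy-app2", True,  "OpenSSL 0.9.8za 5 Jun 2014"),
    ("core-router", False, "OpenSSL 1.0.1g 7 Apr 2014"),   # forwards TLS, does not terminate it
    ("new-host",    True,  "OpenSSL 1.0.2"),               # branch not in the table
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-12s %s" % (host, verdict))
```

Two caveats apply when using this against vendor-built products such as the Cisco devices in this bulletin: vendors frequently backport fixes without changing the embedded OpenSSL version string, so a "patch" verdict from the version alone is a prompt to check the vendor advisory, not a confirmed finding; and a branch absent from the table (1.0.2 in the sample) is deliberately reported as "unknown" rather than guessed either way.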

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----