===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2014.0898.2
       Multiple Vulnerabilities in OpenSSL Affecting Cisco Products
                              29 January 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3470 CVE-2014-0224 CVE-2014-0221
                   CVE-2014-0198 CVE-2014-0195 CVE-2014-0076
                   CVE-2010-5298
Reference:         ESB-2014.0897 ESB-2014.0894 ESB-2014.0892
                   ESB-2014.0891 ESB-2014.0890 ESB-2014.0889
                   ESB-2014.0888 ESB-2014.0887 ESB-2014.0886
                   ESB-2014.0755 ESB-2014.0751 ESB-2014.0750
                   ESB-2014.0715 ESB-2014.0624.2 ESB-2014.0590
                   ESB-2014.0580 ESB-2014.0574 ESB-2014.0572
                   ESB-2014.0571 ESB-2014.0568 ESB-2014.0565
                   ESB-2014.0564 ESB-2014.0543 ESB-2014.0535
                   ESB-2014.0534 ESB-2014.0532 ESB-2014.0530
                   ESB-2014.0529 ESB-2014.0511 ESB-2014.0505
                   ESB-2014.0492.5

Original Bulletin:
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl

Revision History:  January 29 2015: Cisco has updated the list of vulnerable
                                    products. Please check the original
                                    bulletin for more information.
                   June     6 2014: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products

Advisory ID: cisco-sa-20140605-openssl

Revision 1.0

For Public Release 2014 June 5 22:00 UTC (GMT)

Summary
=======

Multiple Cisco products incorporate a version of the OpenSSL package
affected by one or more vulnerabilities that could allow an
unauthenticated, remote attacker to execute arbitrary code, create a
denial of service (DoS) condition, or perform a man-in-the-middle attack.
On June 5, 2014 the OpenSSL Project released a security advisory detailing
seven distinct vulnerabilities. The vulnerabilities are referenced in this
document as follows:

    SSL/TLS Man-in-the-Middle Vulnerability
    DTLS Recursion Flaw Vulnerability
    DTLS Invalid Fragment Vulnerability
    SSL_MODE_RELEASE_BUFFERS NULL Pointer Dereference Vulnerability
    SSL_MODE_RELEASE_BUFFERS Session Injection or Denial of Service Vulnerability
    Anonymous ECDH Denial of Service Vulnerability
    ECDSA NONCE Side-Channel Recovery Attack Vulnerability

Please note that the devices that are affected by this vulnerability are
the devices acting as a Secure Socket Layer (SSL) or Datagram Transport
Layer Security (DTLS) server terminating SSL or DTLS connections or
devices acting as an SSL client initiating an SSL or DTLS connection.
Devices that are simply traversed by SSL or DTLS traffic without
terminating it are not affected.

This advisory will be updated as additional information becomes available.

Cisco will release free software updates that address these
vulnerabilities.

Workarounds that mitigate these vulnerabilities may be available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.