Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.0081
Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Network
Controller (CVE-2014-3513, CVE-2014-3567, CVE-2014-3568)
13 January 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Security Network Controller
Publisher: IBM
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2014-3568 CVE-2014-3567 CVE-2014-3513
Reference: ASB-2014.0134
ASB-2014.0127
ESB-2015.0068
ESB-2015.0057
ESB-2014.1910
ESB-2014.1872
ESB-2014.1871
ESB-2014.1858
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21694416
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Network
Controller (CVE-2014-3513, CVE-2014-3567, CVE-2014-3568)
Document information
More support for:
IBM Security Network Controller
Software version:
1.0
Operating system(s):
Firmware
Reference #:
1694416
Modified date:
2015-01-12
Security Bulletin
Summary
OpenSSL vulnerabilities along with SSL 3 Fallback protection
(TLS_FALLBACK_SCSV) were disclosed on October 15, 2014 by the OpenSSL
Project. OpenSSL is used by IBM Security Network Controller.
Vulnerability Details
CVE-ID: CVE-2014-3513
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by
a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP)
extension parsing code. By sending multiple specially-crafted handshake
messages, an attacker could exploit this vulnerability to exhaust all
available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97035 for
more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3567
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by
a memory leak when handling failed session ticket integrity checks. By
sending an overly large number of invalid session tickets, an attacker
could exploit this vulnerability to exhaust all available memory of an
SSL/TLS or DTLS server.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97036 for
more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3568
DESCRIPTION: OpenSSL could allow a remote attacker bypass security
restrictions. When configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake. An attacker could exploit
this vulnerability to perform unauthorized actions.
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97037 for
more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Affected Products and Versions
Products:
IBM Security Network Controller
Firmware versions:
1.0.913, 1.0.1209, 1.0.1768, 1.0.3350M, 1.0.3352M, 1.0.3361, 1.0.3361M
Remediation/Fixes
The following IBM Threat Updates have the fixes for these vulnerabilities:
Proventia NSC Update 7 (fw 1.0.3376 and fw 1.0.3376M)
for all IBM Security Network Controller (NSC) products at Firmware versions
NSC - 1.0.913, 1.0.1209, 1.0.1768, 1.0.3350M, 1.0.3352M, 1.0.3361, 1.0.3361M
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
Subscribe to My Notifications to be notified of important product support
alerts like this.
References
Complete CVSS Guide
On-line Calculator V2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVLRn4RLndAQH1ShLAQI5IBAAlOCfF5mLWm35eVAc6snfTShrDk4ST8/2
mrV7yICeM1gbsDfT9LR7BnUeo5e7NXwVTdkBKgJhc9iWyVi39CXYSaWo/Q1MavRi
CgCQeeuwv7W6Pj7tvjLBEYCBzbQiNjT6k8z4U0IfsR9bZtJadCJ+hgcO+YWOueJB
wV55Q3G3YqabDG07vqTiXYn0exK9VEllBYeezJRMlLF/ayrygB9bdsr4DgLBCYy4
HR7KFRAv3qE7o7yVVN9inUTI6ujbfGy+Cx348bRsZ0BNfWwrcWm8sV+RIWTmWcHv
mV17nspq3gkdowDeGmGXox37KirqSyXjtkm4EhyIDfUYDwOU3wXVbZnimBCbjkof
zHWwuwjWGxrIRzqmFomCVu/4AU4AgCj+7XkybEI/lY/e9qr/Jac/KDpjMDeTkOOp
YX0XV54y+pMWG+pHv47sEgmnSV3eWSlQ4RN2zT4cAU6V9+PS3fHISh9YVapEFIZz
Hnxfh85/u3Y7hkcMvMzHe3HyDxPbhos+FZNmRkDMlnnFA2/ZRGqNQZ2AI+S37SBk
hcHl5XWDy92SWznJFo/xqs94+A9XsTZmqshWUXXKtFllRGcQrHjO706EjzV3LvIm
JLdMgUa5X7qDLAQsXxAuUldZGbquJYh7k8SEe3uelJCQI+J5L3FP/TjuIuBFJf9c
nnP/AdTl/ss=
=TBCv
-----END PGP SIGNATURE-----