===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0575
Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
                               11 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0206 CVE-2015-0205 CVE-2015-0204
                   CVE-2014-8275 CVE-2014-3572 CVE-2014-3571
                   CVE-2014-3570 CVE-2014-3569 

Reference:         ASB-2015.0015
                   ESB-2015.0543
                   ESB-2015.0491
                   ESB-2015.0448
                   ESB-2015.0442
                   ESB-2015.0437
                   ESB-2015.0436
                   ESB-2015.0401
                   ESB-2015.0318

Original Bulletin: 
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products

Advisory ID: cisco-sa-20150310-ssl

Revision: 1.0

For Public Release 2015 March 10 16:00 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

Multiple Cisco products incorporate a version of the OpenSSL package 
affected by one or more vulnerabilities that could allow an 
unauthenticated, remote attacker to create a denial of service (DoS) 
condition, or perform a man-in-the-middle attack. 

On January 8, 2015, the OpenSSL Project released a security advisory
detailing eight distinct vulnerabilities.  The vulnerabilities are 
referenced in this document as follows:

CVE-2014-3571: OpenSSL DTLS Message Processing Denial of Service 
               Vulnerability
CVE-2015-0206: OpenSSL dtls1_buffer_record Function DTLS Message 
               Processing Denial of Service Vulnerability
CVE-2014-3569: OpenSSL no-ssl3 Option NULL Pointer Dereference 
               Vulnerability
CVE-2014-3572: OpenSSL Elliptic Curve Cryptographic Downgrade 
               Vulnerability
CVE-2015-0204: OpenSSL RSA Temporary Key Cryptographic Downgrade 
               Vulnerability
CVE-2015-0205: OpenSSL Diffie-Hellman Certificate Validation 
               Authentication Bypass Vulnerability
CVE-2014-8275: OpenSSL Certificate Fingerprint Validation 
               Vulnerability
CVE-2014-3570: OpenSSL BN_sqr Function Incorrect Mathematical 
               Results Issue

This advisory will be updated as additional information becomes available.

Cisco will release free software updates that address these vulnerabilities. 

Workarounds that mitigate these vulnerabilities may be available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================