===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1284
     Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: May 2016
                                20 May 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Collaboration and Social Media
                   Cisco Endpoint Clients and Client Software
                   Cisco Network Application, Service, and Acceleration
                   Cisco Network and Content Security Devices
                   Cisco Network Management and Provisioning
                   Cisco Routing and Switching - Enterprise and Service Provider
                   Cisco Unified Computing
                   Cisco Voice and Unified Communications Devices
                   Cisco Video, Streaming, TelePresence, and Transcoding Devices
                   Cisco Wireless
                   Cisco Hosted Services
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2176 CVE-2016-2109 CVE-2016-2108 CVE-2016-2107
                   CVE-2016-2106 CVE-2016-2105
Reference:         ASB-2016.0057 ASB-2016.0054 ESB-2016.1283 ESB-2016.1280
                   ESB-2016.1154 ESB-2016.1119 ESB-2016.1094 ESB-2016.1077
                   ESB-2016.1076

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-openssl

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: May 2016

Medium

Advisory ID:  cisco-sa-20160504-openssl
Last Updated: 2016 May 17 16:29 GMT
Published:    2016 May 4 19:30 GMT
Version 1.6:  Interim
Workarounds:  No workarounds available
CVE IDs:      CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108 CVE-2016-2109 CVE-2016-2176
CWE IDs:      CWE-119 CWE-200 CWE-310

Summary

On May 3, 2016, the OpenSSL Software Foundation released a security advisory that included six vulnerabilities. Of the six vulnerabilities disclosed, four may cause memory corruption or excessive memory usage, one could allow a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI, and, lastly, one is specific to a product performing an operation with Extended Binary Coded Decimal Interchange Code (EBCDIC) encoding.

Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more of these vulnerabilities.

This advisory will be updated as additional information becomes available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-openssl

Affected Products

Cisco is currently investigating its product line to determine which products may be affected by these vulnerabilities and the impact on each affected product. As the investigation progresses, this document will be updated to include Cisco bug IDs for each affected product. The bugs will be accessible through the Cisco Bug Search Tool and will contain additional platform-specific information, including workarounds (if available) and fixed software versions.

The following products are under active investigation to determine whether they are affected by the vulnerabilities described in this advisory.
Network Management and Provisioning
  Cisco Prime Home
  Cisco Prime Infrastructure

Routing and Switching - Enterprise and Service Provider
  Cisco IOS XR

Routing and Switching - Small Business
  Cisco Sx220 Switches
  Cisco Sx300 Switches
  Cisco Sx500 Switches

Voice and Unified Communications Devices
  Cisco Agent Desktop
  Cisco Finesse
  Cisco Unified Communications Domain Manager

Video, Streaming, TelePresence, and Transcoding Devices
  Cisco TelePresence 1310
  Cisco TelePresence System 1000
  Cisco TelePresence System 1100
  Cisco TelePresence System 1300
  Cisco TelePresence System 3000 Series
  Cisco TelePresence System 500-32
  Cisco TelePresence System 500-37
  Cisco TelePresence TX 9000 Series

Wireless
  Cisco Wireless LAN Controller (WLC)

Cisco Hosted Services
  Cisco One Portal
  Cisco Services Provisioning Platform (SPP)

Vulnerable Products

The following table lists Cisco products that are affected by one or more vulnerabilities described in this advisory.

Products Confirmed Not Vulnerable

Cisco has confirmed that these vulnerabilities do not affect the following Cisco products.
Network Management and Provisioning
  Cisco Configuration Professional
  Cisco Prime Network Registrar IP Address Manager (IPAM)

Routing and Switching - Enterprise and Service Provider
  Cisco 910 Industrial Router
  Cisco Broadband Access Center Telco Wireless

Unified Computing
  Cisco Unified Computing System B-Series (Blade) Servers

Voice and Unified Communications Devices
  Cisco Packaged Contact Center Enterprise
  Cisco TAPI Service Provider (TSP)

Video, Streaming, TelePresence, and Transcoding Devices
  Cisco D9859 Advanced Receiver Transcoder

Cisco Hosted Services
  Cisco Cloud Web Security
  Cisco Universal Small Cell usc-iuh
  Cisco WebEx Meetings (Meeting Center, Training Center, Event Center, Support Center)
  Serial Number Assessment Service (SNAS)
  Small Cell factory recovery root filesystem V2.99.4 or later

Details

The names and associated Common Vulnerabilities and Exposures (CVE) IDs for the vulnerabilities that were disclosed on May 3, 2016, in the OpenSSL Software Foundation security advisory are as follows.

OpenSSL Untrusted ASN.1 Structures Out-of-Bounds Write Vulnerability

A vulnerability in the ASN.1 encoder in OpenSSL could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition. The vulnerability is due to the way the affected software encodes certain ASN.1 data structures. An attacker could exploit this vulnerability by sending a crafted certificate to the targeted system. An exploit could cause the affected software to crash or allow the attacker to execute arbitrary code with the privileges of a targeted user running an application that is using the OpenSSL library. If the user has elevated privileges, a successful exploit could result in a complete system compromise.

This vulnerability has been assigned CVE ID CVE-2016-2108.

OpenSSL AES CBC Cipher Man-in-the-Middle Vulnerability

A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to decrypt and access sensitive information. The vulnerability is due to insufficient padding checks by the affected software. An attacker could exploit this vulnerability by conducting a padding oracle attack if the attacker is in a man-in-the-middle position between a targeted system and a Transport Layer Security/Secure Sockets Layer (TLS/SSL) or Datagram Transport Layer Security (DTLS) server supporting Advanced Encryption Standard New Instructions (AES-NI) and the connection uses an AES Cipher Block Chaining (CBC) cipher. A successful exploit could allow the attacker to decrypt sensitive information in encrypted packets, which could be leveraged to conduct further attacks.

This vulnerability has been assigned CVE ID CVE-2016-2107.

OpenSSL EVP_EncryptUpdate Function Overflow Heap Corruption Vulnerability

A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to improper validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by submitting large amounts of specially crafted data to the EVP_EncryptUpdate() function of the affected software. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user or cause a DoS condition on a targeted system.

This vulnerability has been assigned CVE ID CVE-2016-2106.

OpenSSL EVP_EncodeUpdate Function Overflow Vulnerability

A vulnerability in the EVP_EncodeUpdate() function in OpenSSL could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition. The vulnerability is due to insufficient bounds checks by the affected software. An attacker could exploit this vulnerability by submitting large amounts of data to an application that uses the OpenSSL library on a targeted system. A successful exploit could trigger an overflow condition that results in heap corruption. The attacker could use the heap corruption to cause the application to crash or to execute arbitrary code in the security context of the user who is running the application. If the user is running the application with elevated privileges, the attacker could execute arbitrary code with those privileges and compromise the system completely.

This vulnerability has been assigned CVE ID CVE-2016-2105.

OpenSSL d2i_CMS_bio Function Denial of Service Vulnerability

A vulnerability in OpenSSL could allow a local attacker to cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to memory exhaustion while processing certain data. An attacker could exploit this vulnerability by sending crafted ASN.1 data to a targeted system. An exploit could cause the consumption of excessive memory resources, resulting in a DoS condition.

This vulnerability has been assigned CVE ID CVE-2016-2109.

OpenSSL ASN.1 Strings X509_NAME_oneline Function Overread Vulnerability

A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to gain access to sensitive information on a targeted system. The vulnerability is due to improper memory handling by the affected software. An attacker could exploit this vulnerability by sending a crafted ASN.1 string greater than 1004 bytes to the X509_NAME_oneline() function of the affected software. A successful exploit could allow an attacker to cause a memory overread condition and gain access to sensitive information on a targeted system.

This vulnerability has been assigned CVE ID CVE-2016-2176.

Workarounds

Any workarounds, when available, will be documented in the Cisco bugs, which are accessible through the Cisco Bug Search Tool.

Fixed Software

Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.
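As an added illustration of the check class behind the CVE-2016-2107 description above (example code, not Cisco's or OpenSSL's), the following Python validates an already-decrypted TLS CBC record the way a defender wants it validated: it confirms that the claimed padding and the MAC both fit inside the record before scanning any padding byte, and it returns one uniform result for every kind of failure. The MAC key, the simplified record layout (MAC over the payload only, not the full TLS MAC input) and the sample records are all constructed for this example.

```python
import hashlib
import hmac

# TLS 1.0-1.2 CBC suites with HMAC-SHA1 carry a 20-byte MAC after the payload.
MAC_LEN = hashlib.sha1().digest_size
# Constructed key for the demonstration; a TLS stack derives it from the handshake.
MAC_KEY = b"constructed-demo-mac-key"


def check_cbc_record(plaintext: bytes, mac_key: bytes = MAC_KEY) -> bool:
    """Validate a decrypted TLS CBC record: payload || MAC || padding || pad_len.

    Returns True only when padding and MAC are both valid; every failure
    returns the same False, so "bad padding" and "bad MAC" are indistinguishable.
    """
    # A record must at least hold the MAC and the mandatory pad_len byte.
    if len(plaintext) < MAC_LEN + 1:
        return False
    pad_len = plaintext[-1]
    # The claimed padding, the pad_len byte and the MAC must all fit inside
    # the record. Without this test an oversized pad_len drives the padding
    # scan into the MAC or past the buffer, which is the check class the
    # advisory reports as insufficient for CVE-2016-2107.
    if pad_len + 1 + MAC_LEN > len(plaintext):
        return False
    # TLS padding: every padding byte equals pad_len. Accumulate mismatches
    # instead of returning early so all padding bytes are always examined.
    bad = 0
    for byte in plaintext[-(pad_len + 1):]:
        bad |= byte ^ pad_len
    payload_end = len(plaintext) - pad_len - 1 - MAC_LEN
    payload = plaintext[:payload_end]
    mac = plaintext[payload_end:payload_end + MAC_LEN]
    expected = hmac.new(mac_key, payload, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(mac, expected)
    return bad == 0 and mac_ok


def build_record(payload: bytes, pad_len: int, mac_key: bytes = MAC_KEY) -> bytes:
    """Build a well-formed decrypted record (constructed sample data)."""
    mac = hmac.new(mac_key, payload, hashlib.sha1).digest()
    return payload + mac + bytes([pad_len]) * (pad_len + 1)


if __name__ == "__main__":
    print(check_cbc_record(build_record(b"GET / HTTP/1.1", 3)))   # True
    # Constructed malformed record: pad_len claims 255 bytes of padding, but
    # only 21 bytes exist; the length test rejects it before any scan.
    print(check_cbc_record(bytes(MAC_LEN) + bytes([255])))        # False
```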
By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

To determine the affected and fixed versions for each vulnerable product, refer to the Cisco bug identified for the product in the "Vulnerable Products" section of this advisory. Cisco bugs are accessible through the Cisco Bug Search Tool.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

Source

These vulnerabilities were publicly disclosed by the OpenSSL Software Foundation on May 3, 2016.

URL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-openssl

Revision History

Version  Description                                          Section                                  Status   Date
1.6      Updated the lists of products under investigation,   Affected Products, Vulnerable Products,  Interim  2016-May-17
         vulnerable, and not vulnerable.                      Products Confirmed Not Vulnerable
1.5      Updated the lists of products under investigation,   Affected Products, Vulnerable Products,  Interim  2016-May-13
         vulnerable, and not vulnerable.                      Products Confirmed Not Vulnerable

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================