-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1284
  Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: May 2016
                                20 May 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Collaboration and Social Media
                   Cisco Endpoint Clients and Client Software
                   Cisco Network Application, Service, and Acceleration
                   Cisco Network and Content Security Devices
                   Cisco Network Management and Provisioning
                   Cisco Routing and Switching - Enterprise and Service Provider
                   Cisco Unified Computing
                   Cisco Voice and Unified Communications Devices
                   Cisco Video, Streaming, TelePresence, and Transcoding Devices
                   Cisco Wireless
                   Cisco Hosted Services
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2176 CVE-2016-2109 CVE-2016-2108
                   CVE-2016-2107 CVE-2016-2106 CVE-2016-2105

Reference:         ASB-2016.0057
                   ASB-2016.0054
                   ESB-2016.1283
                   ESB-2016.1280
                   ESB-2016.1154
                   ESB-2016.1119
                   ESB-2016.1094
                   ESB-2016.1077
                   ESB-2016.1076

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-openssl

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: May 2016

Medium

Advisory ID: cisco-sa-20160504-openssl

Last Updated: 2016 May 17 16:29 GMT

Published: 2016 May 4 19:30 GMT

Version 1.6: Interim

Workarounds:

No workarounds available

CVE-2016-2105

CVE-2016-2106

CVE-2016-2107

CVE-2016-2108

CVE-2016-2109

CVE-2016-2176

CWE-119

CWE-200

CWE-310

Summary

On May 3, 2016, the OpenSSL Software Foundation released a security advisory 
that included six vulnerabilities. Of the six vulnerabilities disclosed, four
of them may cause memory corruption or excessive memory usage, one could allow
a padding oracle attack to decrypt traffic when the connection uses an AES CBC
cipher and the server supports AES-NI, and, lastly, one is specific to a 
product performing an operation with Extended Binary Coded Decimal Interchange
Code (EBCDIC) encoding.

Multiple Cisco products incorporate a version of the OpenSSL package affected
by one or more vulnerabilities.

This advisory will be updated as additional information becomes available.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-openssl

 Affected Products

Cisco is currently investigating its product line to determine which products
may be affected by these vulnerabilities and the impact on each affected 
product. As the investigation progresses, this document will be updated to 
include Cisco bug IDs for each affected product. The bugs will be accessible 
through the Cisco Bug Search Tool and will contain additional 
platform-specific information, including workarounds (if available) and fixed
software versions.

The following products are under active investigation to determine whether 
they are affected by the vulnerabilities described in this advisory.

  Network Management and Provisioning

   Cisco Prime Home

   Cisco Prime Infrastructure

  Routing and Switching - Enterprise and Service Provider

   Cisco IOS XR

  Routing and Switching - Small Business

   Cisco Sx220 Switches

   Cisco Sx300 Switches

   Cisco Sx500 Switches

  Voice and Unified Communications Devices

   Cisco Agent Desktop

   Cisco Finesse

   Cisco Unified Communications Domain Manager

  Video, Streaming, TelePresence, and Transcoding Devices

   Cisco TelePresence 1310

   Cisco TelePresence System 1000

   Cisco TelePresence System 1100

   Cisco TelePresence System 1300

   Cisco TelePresence System 3000 Series

   Cisco TelePresence System 500-32

   Cisco TelePresence System 500-37

   Cisco TelePresence TX 9000 Series

  Wireless

   Cisco Wireless LAN Controller (WLC)

  Cisco Hosted Services

   Cisco One Portal

   Cisco Services Provisioning Platform (SPP)

 Vulnerable Products

The following table lists Cisco products that are affected by one or more 
vulnerabilities described in this advisory.


Products Confirmed Not Vulnerable

Cisco has confirmed that these vulnerabilities do not affect the following 
Cisco products.

  Network Management and Provisioning

   Cisco Configuration Professional

   Cisco Prime Network Registrar IP Address Manager (IPAM)

  Routing and Switching - Enterprise and Service Provider

   Cisco 910 Industrial Router

   Cisco Broadband Access Center Telco Wireless

  Unified Computing

   Cisco Unified Computing System B-Series (Blade) Servers

  Voice and Unified Communications Devices

   Cisco Packaged Contact Center Enterprise

   Cisco TAPI Service Provider (TSP)

  Video, Streaming, TelePresence, and Transcoding Devices

   Cisco D9859 Advanced Receiver Transcoder

  Cisco Hosted Services

   Cisco Cloud Web Security

   Cisco Universal Small Cell usc-iuh

   Cisco WebEx Meetings (Meeting Center, Training Center, Event Center, Support 
    Center)

   Serial Number Assessment Service (SNAS)

   Small Cell factory recovery root filesystem V2.99.4 or later

 Details

The names and associated Common Vulnerabilities and Exposures (CVE) IDs for
the vulnerabilities that were disclosed on May 3, 2016, in the OpenSSL
Software Foundation security advisory are as follows.

OpenSSL Untrusted ASN.1 Structures Out-of-Bounds Write Vulnerability

A vulnerability in the ASN.1 encoder in OpenSSL could allow an
unauthenticated, remote attacker to execute arbitrary code or cause a denial
of service (DoS) condition.

The vulnerability is due to the way the affected software encodes certain
ASN.1 data structures. An attacker could exploit this vulnerability by sending
a crafted certificate to the targeted system. An exploit could cause the
affected software to crash or allow the attacker to execute arbitrary code 
with the privileges of a targeted user running an application that is using 
the OpenSSL library. If the user has elevated privileges, a successful exploit
could result in a complete system compromise.

This vulnerability has been assigned CVE ID CVE-2016-2108.

OpenSSL AES CBC Cipher Man-in-the-Middle Vulnerability

A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to
decrypt and access sensitive information.

The vulnerability is due to insufficient padding checks by the affected 
software. An attacker could exploit this vulnerability by conducting a padding
oracle attack if the attacker is in a man-in-the-middle position between a 
targeted system and a Transport Layer Security/Secure Sockets Layer (TLS/SSL)
or Datagram Transport Layer Security (DTLS) server supporting Advanced 
Encryption Standard New Instructions (AES-NI) and the connection uses an AES
Cipher Block Chaining (CBC) cipher. A successful exploit could allow the 
attacker to decrypt sensitive information in encrypted packets, which could be
leveraged to conduct further attacks.

This vulnerability has been assigned CVE ID CVE-2016-2107.

OpenSSL EVP_EncryptUpdate Function Overflow Heap Corruption Vulnerability

A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to
execute arbitrary code or cause a denial of service (DoS) condition on a 
targeted system.

The vulnerability is due to improper validation of user-supplied input by the
affected software. An attacker could exploit this vulnerability by submitting
large amounts of specially crafted data to the EVP_EncryptUpdate() function of
the affected software. A successful exploit could allow the attacker to 
execute arbitrary code with the privileges of the user or cause a DoS 
condition on a targeted system.

This vulnerability has been assigned CVE ID CVE-2016-2106.

OpenSSL EVP_EncodeUpdate Function Overflow Vulnerability

A vulnerability in the EVP_EncodeUpdate() function in OpenSSL could allow an 
unauthenticated, remote attacker to execute arbitrary code or cause a denial 
of service (DoS) condition.

The vulnerability is due to insufficient bounds checks by the affected 
software. An attacker could exploit this vulnerability by submitting large 
amounts of data to an application that uses the OpenSSL library on a targeted
system. A successful exploit could trigger an overflow condition that results
in heap corruption. The attacker could use the heap corruption to cause the 
application to crash or to execute arbitrary code in the security context of 
the user who is running the application. If the user is running the 
application with elevated privileges, the attacker could execute arbitrary 
code with those privileges and compromise the system completely.

This vulnerability has been assigned CVE ID CVE-2016-2105.

OpenSSL d2i_CMS_bio Function Denial of Service Vulnerability

A vulnerability in OpenSSL could allow a local attacker to cause a denial of 
service (DoS) condition on a targeted system.

The vulnerability is due to memory exhaustion while processing certain data. 
An attacker could exploit this vulnerability by sending crafted ASN.1 data to
a targeted system. An exploit could cause the consumption of excessive memory
resources, resulting in a DoS condition.

This vulnerability has been assigned CVE ID CVE-2016-2109.

OpenSSL ASN.1 Strings X509_NAME_oneline Function Overread Vulnerability

A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to
gain access to sensitive information on a targeted system.

The vulnerability is due to improper memory handling by the affected 
software. An attacker could exploit this vulnerability by sending a crafted 
ASN.1 string greater than 1004 bytes to the X509_NAME_oneline() function of 
the affected software. A successful exploit could allow an attacker to cause a
memory overread condition and gain access to sensitive information on a 
targeted system.

This vulnerability has been assigned CVE ID CVE-2016-2176.
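As an added example that is not part of the Cisco advisory or the AusCERT bulletin, the Python below triages `openssl version` output against the releases OpenSSL shipped alongside its May 3, 2016 advisory. The fixed version numbers (1.0.1t and 1.0.2h) come from that OpenSSL advisory, not from the text above; the host names and version lines are constructed for the example. The only non-obvious part is the ordering of OpenSSL's letter patch levels ('' < a < ... < z < za), which a plain string comparison gets wrong.

```python
import re

# Fixed releases published with the OpenSSL advisory of May 3, 2016 (a fact
# from that OpenSSL advisory, not stated in the Cisco text): 1.0.1t and 1.0.2h
# close all six CVEs listed above. Older branches (0.9.8, 1.0.0) were already
# out of support and received no fix, so they are reported separately.
FIXED_IN = {"1.0.1": "1.0.1t", "1.0.2": "1.0.2h"}

CVES = ("CVE-2016-2105", "CVE-2016-2106", "CVE-2016-2107",
        "CVE-2016-2108", "CVE-2016-2109", "CVE-2016-2176")

# Matches the leading token of `openssl version` output,
# e.g. "OpenSSL 1.0.2g  1 Mar 2016".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, fix, patch_letters) from an `openssl version` line."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix, letters = m.groups()
    return int(major), int(minor), int(fix), letters


def version_key(version):
    """Sortable key for a parsed version.

    OpenSSL 1.0.x patch levels run '' < a < b < ... < z < za < zb, so the
    letter suffix is ordered by (length, text), not by plain string order.
    """
    major, minor, fix, letters = version
    return (major, minor, fix, len(letters), letters)


def assess(version_line):
    """Classify one `openssl version` line against the May 2016 fixes."""
    v = parse_version(version_line)
    branch = f"{v[0]}.{v[1]}.{v[2]}"
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        # 0.9.8 / 1.0.0 had no fix; later branches (1.1.0+) post-date the advisory.
        return "not-assessed"
    if version_key(v) >= version_key(parse_version("OpenSSL " + fixed)):
        return "fixed"
    return "vulnerable"


def triage(inventory):
    """Map host name -> status for an iterable of (host, version_line) pairs.

    Caveat: vendors (Cisco included) and Linux distributions often backport a
    fix without bumping the upstream version letter, so "vulnerable" here means
    "confirm against the vendor bug or changelog", not a confirmed finding.
    """
    return {host: assess(line) for host, line in inventory}


# Constructed sample inventory (not collected from real hosts).
SAMPLE_INVENTORY = [
    ("edge-fw-1", "OpenSSL 1.0.2g  1 Mar 2016"),
    ("edge-fw-2", "OpenSSL 1.0.2h  3 May 2016"),
    ("voip-gw-1", "OpenSSL 1.0.1s  1 Mar 2016"),
    ("voip-gw-2", "OpenSSL 1.0.1t  3 May 2016"),
    ("legacy-1",  "OpenSSL 1.0.0t  3 Dec 2015"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

The result is a worklist, not a verdict: for Cisco platforms the authoritative fixed version is the one recorded in the product's Cisco bug (see "Fixed Software" below), because an embedded OpenSSL may carry a backported fix under an older version string.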

 Workarounds

Any workarounds, when available, will be documented in the Cisco bugs, which 
are accessible through the Cisco Bug Search Tool.

Fixed Software

Cisco has released free software updates that address the vulnerabilities 
described in this advisory. Customers may only install and expect support for
software versions and feature sets for which they have purchased a license. By
installing, downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:

http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

Additionally, customers may only download software for which they have a valid
license, procured from Cisco directly, or through a Cisco authorized reseller
or partner. In most cases this will be a maintenance upgrade to software that
was previously purchased. Free security software updates do not entitle 
customers to a new software license, additional software feature sets, or 
major revision upgrades.

When considering software upgrades, customers are advised to consult the Cisco
Security Advisories and Responses archive at http://www.cisco.com/go/psirt and
review subsequent advisories to determine exposure and a complete upgrade 
solution.

In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software 
configurations will continue to be supported properly by the new release. If 
the information is not clear, customers are advised to contact the Cisco 
Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service 
contract and customers who make purchases through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale should 
obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Customers should have the product serial number available and be prepared to 
provide the URL of this advisory as evidence of entitlement to a free upgrade.

To determine the affected and fixed versions for each vulnerable product, 
refer to the Cisco bug identified for the product in the "Vulnerable Products"
section of this advisory. Cisco bugs are accessible through the Cisco Bug 
Search Tool.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerabilities that are described
in this advisory.

Source

These vulnerabilities were publicly disclosed by the OpenSSL Software 
Foundation on May 3, 2016.

URL

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-openssl

Revision History

Version:     1.6
Description: Updated the lists of products under investigation, vulnerable,
             and not vulnerable.
Section:     Affected Products, Vulnerable Products, Products Confirmed Not
             Vulnerable
Status:      Interim
Date:        2016-May-17

Version:     1.5
Description: Updated the lists of products under investigation, vulnerable,
             and not vulnerable.
Section:     Affected Products, Vulnerable Products, Products Confirmed Not
             Vulnerable
Status:      Interim
Date:        2016-May-13

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF 
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO 
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS 
DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.

A standalone copy or paraphrase of the text of this document that omits the 
distribution URL is an uncontrolled copy and may lack important information or
contain factual errors. The information in this document is intended for end 
users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----