Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service condition or perform a man-in-the-middle attack. On January 8, 2015, the OpenSSL Project released a security advisory detailing eight distinct vulnerabilities. The vulnerabilities are referenced in this document as follows:

CVE-2014-3571: OpenSSL DTLS Message Processing Denial of Service Vulnerability
CVE-2015-0206: OpenSSL dtls1_buffer_record Function DTLS Message Processing Denial of Service Vulnerability
CVE-2014-3569: OpenSSL no-ssl3 Option NULL Pointer Dereference Vulnerability
CVE-2014-3572: OpenSSL Elliptic Curve Cryptographic Downgrade Vulnerability
CVE-2015-0204: OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability
CVE-2015-0205: OpenSSL Diffie-Hellman Certificate Validation Authentication Bypass Vulnerability
CVE-2014-8275: OpenSSL Certificate Fingerprint Validation Vulnerability
CVE-2014-3570: OpenSSL BN_sql Function Incorrect Mathematical Results Issue

Cisco will release software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities may be available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl

Leave a Reply