Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows:

CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability
CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability
CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerability
CVE-2015-0292: OpenSSL Base64 Decoding Memory Corruption Vulnerability
CVE-2015-0293: OpenSSL SSLv2 CLIENT-MASTER-KEY Denial of Service Vulnerability 
CVE-2015-0209: OpenSSL Elliptic Curve d2i_ECPrivateKey Denial of Service Vulnerability
CVE-2015-0288: OpenSSL X.509 to PKCS#10 Denial of Service Vulnerability

The following six vulnerabilities do not affect any Cisco products:

CVE-2015-0291: OpenSSL ClientHello sigalgs Denial of Service Vulnerability
CVE-2015-0290: OpenSSL Multiblock Denial of Service Vulnerability 
CVE-2015-0207: OpenSSL DTLSv1_listen SSL Object Corruption Denial of Service Vulnerability
CVE-2015-0208: OpenSSL Invalid Probabilistic Signature Scheme Parameters Denial of Service Vulnerability 
CVE-2015-1787: OpenSSL Empty ClientKeyExchange Denial of Service Vulnerability 
CVE-2015-0285: OpenSSL Handshake with Unseeded PRNG Predictable Value Vulnerability 

This advisory will be updated as additional information becomes available.

Cisco will release software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities may be available.

This advisory is available at the following link:

Leave a Reply