Multiple Vulnerabilities in Cisco TelePresence Video Communication Server and Cisco Expressway Software
Advisory ID: cisco-sa-20141015-vcs
Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Software include the following vulnerabilities:
• Cisco TelePresence VCS and Cisco Expressway Crafted Packets Denial of Service Vulnerability
• Cisco TelePresence VCS and Cisco Expressway SIP IX Filter Denial of Service Vulnerability
• Cisco TelePresence VCS and Cisco Expressway SIP Denial of Service Vulnerability
Successful exploitation of any of these vulnerabilities could allow an unauthenticated, remote attacker to cause a reload of the affected system, which may result in a Denial of Service (DoS) condition.
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-vcs
Note: This security advisory does not provide information about the GNU Bash Environment Variable Command Injection Vulnerability (also known as Shellshock). For additional information regarding Cisco products affected by this vulnerability, refer to the Cisco Security Advisory at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
POODLE: Turning off SSLv3 for various servers and clients.
Before you start: while adjusting your SSL configuration, you should also check various other SSL-related configuration options. A good outline can be found at http://bettercrypto.org as well as at http://ssllabs.com (for web servers in particular).
Here are some configuration directives to turn off SSLv3 support on servers:
Apache: add -SSLv3 to the "SSLProtocol" line. It should already contain -SSLv2 unless you list specific protocols.
nginx: list specific allowed protocols in the "ssl_protocols" line. Make sure SSLv2 and SSLv3 are not listed. For example: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Postfix: disable SSLv3 support in the smtpd_tls_mandatory_protocols configuration line. For example: smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
Dovecot: similar, disable SSLv2 and SSLv3 in the ssl_protocols line. For example: ssl_protocols = !SSLv2 !SSLv3
HAProxy Server: the bind configuration line should include no-sslv3 (this line also lists allowed ciphers)
puppet: see https://github.com/stephenrjohnson/puppetmodule/commit/1adb73f9a400cb5e91c4ece1c6166fd63004f448 for instructions
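As an added example (not part of the original post), a small Python checker that applies the rules above to a protocol directive from each of these servers and reports whether SSLv3 is still allowed; the set of names that Apache's "all" expands to is assumed, and the checker only understands the directive forms shown above.

```python
import re

# Protocol names an Apache 'all' expands to (assumed set for this checker)
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}


def _tokens(value: str):
    """Split a directive value on commas/whitespace, dropping a trailing ';'."""
    return [t for t in re.split(r"[,\s]+", value.strip().rstrip(";")) if t]


def sslv3_enabled(server: str, line: str) -> bool:
    """True if this protocol directive still permits SSLv3 on the named server."""
    server = server.lower()
    if server == "haproxy":
        # 'bind ... ssl crt ... no-sslv3': a keyword, not a key/value directive
        return "no-sslv3" not in line.split()
    # Apache/nginx use 'Key value'; Postfix/Dovecot use 'key = value'
    value = re.split(r"\s*=\s*|\s+", line.strip(), maxsplit=1)[1]
    tokens = _tokens(value)
    if server == "apache":
        # SSLProtocol: bare names set the list, '+' adds, '-' removes
        enabled = set()
        for t in tokens:
            name = t.lstrip("+-").lower()
            names = ALL_PROTOCOLS if name == "all" else {name}
            enabled = enabled - names if t.startswith("-") else enabled | names
        return "sslv3" in enabled
    if server == "nginx":
        # ssl_protocols is a plain allowlist
        return "sslv3" in {t.lower() for t in tokens}
    if server in ("postfix", "dovecot"):
        # exclusion form ('!SSLv3') or explicit allowlist; an allowlist wins
        allow = {t.lower() for t in tokens if not t.startswith("!")}
        deny = {t[1:].lower() for t in tokens if t.startswith("!")}
        return "sslv3" in allow if allow else "sslv3" not in deny
    raise ValueError(f"unknown server type: {server}")
```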
For clients, turning off SSLv3 can be a bit more tricky, or even impossible.
Google Chrome: you need to start Google Chrome with the "--ssl-version-min=tls1" option.
Internet Explorer: You can turn off SSLv3 support in the advanced internet option dialog.
Firefox: check the "security.tls.version.min" setting in about:config and set it to 1. Oddly enough, in our testing, the default setting of 0 will allow SSLv3 connections, but refuses to connect to our SSLv3 only server.
For Microsoft Windows, you can use group policies. For details see Microsoft's advisory: https://technet.microsoft.com/en-us/library/security/3009008.aspx
To test, continue to use our "POODLE Test" page at https://poodletest.com or the Qualys SSLLabs page at https://ssllabs.com
To detect the use of SSLv3, you can try the following filters:
tshark/wireshark display filters: ssl.handshake.version==0x0300
tcpdump filter (1), accounting for variable TCP header length: 'tcp[((tcp[12]>>4)*4)+9:2]=0x0300'
tcpdump filter (2), assuming a 20-byte TCP header: 'tcp[29:2]=0x0300'
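The offset arithmetic behind those filters, as an added example that is not from the original post: a Python parser that skips the TCP header via the Data Offset nibble (the filters' (tcp[12]>>4)*4), reads the ClientHello version at payload offset 9, shows where the fixed-offset filter (2) fails when TCP options are present, and also checks the cipher-suite list for the TLS_FALLBACK_SCSV value (0x5600, RFC 7507) that the OpenSSL item below refers to. The traffic it parses is constructed inline, not captured data.

```python
import struct

SSLV3 = 0x0300
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value

def tcp_payload(segment: bytes) -> bytes:
    """Skip the TCP header via the Data Offset nibble, i.e. (tcp[12]>>4)*4."""
    return segment[(segment[12] >> 4) * 4:]

def parse_client_hello(payload: bytes):
    """Return (record_version, hello_version, cipher_suites) for a TLS/SSLv3
    ClientHello record, or None if the payload is not one."""
    if len(payload) < 11 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    record_version = struct.unpack("!H", payload[1:3])[0]  # ssl.record.version
    hello_version = struct.unpack("!H", payload[9:11])[0]  # the filters' +9 offset
    pos = 11 + 32                  # skip the 32-byte client random
    pos += 1 + payload[pos]        # skip the length-prefixed session_id
    cs_len = struct.unpack("!H", payload[pos:pos + 2])[0]
    suites = [struct.unpack("!H", payload[i:i + 2])[0]
              for i in range(pos + 2, pos + 2 + cs_len, 2)]
    return record_version, hello_version, suites

def assess(segment: bytes):
    """Classify one TCP segment the way the two filters above would."""
    parsed = parse_client_hello(tcp_payload(segment))
    if parsed is None:
        return None
    _, hello_version, suites = parsed
    return {"sslv3": hello_version == SSLV3,                      # filter (1)
            "fixed_offset_match": segment[29:31] == b"\x03\x00",  # filter (2)
            "fallback_scsv": TLS_FALLBACK_SCSV in suites}

# --- constructed sample traffic, not captured data ------------------------
def build_client_hello(version: int, suites) -> bytes:
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, no session_id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")    # suites, null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # Handshake: ClientHello
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs  # Record: Handshake

def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    options += bytes(-len(options) % 4)            # options are padded to 32-bit words
    header = bytearray(20)
    header[12] = ((20 + len(options)) // 4) << 4   # Data Offset, in 32-bit words
    return bytes(header) + options + payload
```

With a 4-byte MSS option in the header, filter (2)'s fixed offset lands inside the record header and misses the SSLv3 hello that filter (1) still catches.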
We will also have a special webcast at 3pm ET. For details see
https://www.sans.org/webcasts/about-poodle-99032
The webcast will probably last 20-30 minutes and summarize the highlights of what we know so far.
OpenSSL Releases OpenSSL 1.0.1j, 1.0.0o and 0.9.8zc
This update to the OpenSSL Library addresses 4 vulnerabilities. One of these is the "POODLE" vulnerability announced yesterday.
CVE-2014-3513: A memory leak in parsing DTLS SRTP messages can lead to a denial of service. You are vulnerable unless you specifically compiled your OpenSSL library with the "OPENSSL_NO_SRTP" option. All 1.0.1 versions of OpenSSL are affected.
CVE-2014-3567: Another memory leak that can lead to a DoS attack. In this case, memory is not freed if an SSL session ticket fails an integrity check. OpenSSL 0.9.8, 1.0.0 and 1.0.1 are affected.
CVE-2014-3566 (POODLE): OpenSSL now supports TLS_FALLBACK_SCSV to prevent a MitM from downgrading an SSL connection. This affects OpenSSL 1.0.1, 1.0.0 and 0.9.8.
CVE-2014-3568: The "no-ssl3" build option, which is intended to disable SSLv3, may actually not work as advertised. This one is of course particularly important if you try to disable SSLv3.
Also, OpenSSL 0.9.8 is now officially end-of-life. Don't expect any more patches for 0.9.8.
October 2014 Critical Patch Update Released
Oracle has released its Critical Patch Update for October 2014. This series of patches provides fixes for 154 vulnerabilities across a number of product families, including: Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Product Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Communications Industry Suite, Oracle Retail Industry Suite, Oracle Health Sciences Industry Suite, Oracle Primavera, Oracle Java SE, Oracle and Sun Systems Product Suite, Oracle Linux and Virtualization, and Oracle MySQL.
For more details please refer to the following link:
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html