Sunday, October 19, 2014

Poodle : New SSL 3.0 Bug (CVE-2014-3566)

Oct 14 2014, this bug CVE_2014-3566 has been found as a subtle but significant security weakness in version 3 of the SSL protocol. Severity level is Medium. Basically this vulnerability is not critical as Shellshock and Heartbleed

The vendors's Recommendations: 

1. Check Point response to the POODLE Bites vulnerability (CVE-2014-3566)

a. Check Point Customers

  • Check Point products are not vulnerable to the “POODLE Bites” vulnerability (CVE-2014-3566). See our Security Alert: sk102989
  • Implement the IPS protection, CPAI-2014-1909, to detect or block the use of SSL 3.0
  • Configure Multi Portal, HTTPS Inspection, and Check Point OS to prevent web browser use of SSL 3.0

b. Non Check Point Customers

  • Use Active Directory Group Policy Objects to disable the use of SSL 3.0
  • Update your browser when a patch is available
  • Disable SSL 3.0 in your clients and servers
  • Test if your browser is vulnerable at www.poodletest.com
  • Test if a particular domain name is vulnerable at www.poodlescan.com

2. Juniper Responding:

a. Junos:

Junos OS will update OpenSSL to add support for SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV) in a future release.

Connect Secure (SA / SSL VPN) / Policy Secure (IC / UAC), MAG Series:
Please refer to Pulse Secure TSB16540 for details on mitigating risk from this vulnerability.

b. ScreenOS:

A problem report has been submitted.  Development is in the process of evaluating the best method to resolve this issue.

c. Junos Space:

Disable SSLv3 by changing the following files.

/etc/httpd/conf.d/webProxy.conf
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/webConf/webProxyCertAuth.conf

The following line needs to be updated to remove references to SSLv3:

Original:
SSLProtocol -ALL +SSLv3 +TLSv1

Updated:
SSLProtocol -ALL +TLSv1

Restart httpd by typing 'service httpd restart'.

A future release of Junos Space will disable SSLv3 by default.

d. STRM/JSA Series:

Development is working on a patch to resolve this issue.

e. NSM3000/NSMXpress:

Edit /etc/httpd/conf/ssl.conf and change the SSLProtocol entry to:
SSLProtocol all -SSLv2 -SSLv3

f. IDP Signature:

Juniper has released signature SSL:AUDIT:SSL-V3-TRAFFIC in Sigpack 2430 to detect SSLv3 traffic.

3. Cisco Event Response: POODLE Vulnerability:

Details are in Cisco Page : 

 Vulnerable Products

Customers interested in tracking the progress of any of the following bugs can visit the Cisco Bug Search Tool to view the defect details and optionally select Save Bug and activate the Email Notification feature to receive automatic notifications when the bug is updated.

Products and services listed in the subsections below have had their exposure to this vulnerability confirmed. Additional products will be added to these sections as the investigation continues.
Collaboration and Social Media
Endpoint Clients and Client Software
Network Application, Service, and Acceleration
  • Cisco ACE 4710 Application Control Engine (A5) [CSCur27691]
  • Cisco ACE10 / ACE20 / 4710 (A3x) [CSCur27985]
  • Cisco ACE30 Application Control Engine Module [CSCur23683]
  • Cisco CSS 11500 Series Content Security Switch [CSCur27999]
Network and Content Security Devices
  • Cisco Adaptive Security Appliance (ASA) Software [CSCur23709]
  • Cisco Email Security Appliance (ESA) [CSCur27131]
  • Cisco Intrusion Prevention System Solutions (IPS) [CSCur29000]
  • Cisco Prime Security Manager (PRSM) [CSCur29172]
Network Management and Provisioning
Routing and Switching - Enterprise and Service Provider
  • Cisco Application Policy Infrastructure Controller (ACI/APIC) [CSCur28110]
  • Cisco IOS and Cisco IOS-XE (IOSd only) [CSCur23656]
  • Cisco Nexus 3000 Series Switches [CSCur28178]
  • Cisco Nexus 9000 (ACI/Fabric Switch) [CSCur28114]
  • Cisco Nexus 9000 Series (standalone, running NxOS) [CSCur28092]
Unified Computing
Voice and Unified Communications Devices
  • Cisco IM and Presence Service (CUPS) [CSCur33203]
  • Cisco Unified Communications Manager (CUCM) [CSCur23720]
Video, Streaming, TelePresence, and Transcoding Devices
  • Cisco TelePresence Advanced Media Gateway 3610 [CSCur33286]
  • Cisco TelePresence IP Gateway Series [CSCur33289]
  • Cisco TelePresence IP VCR Series [CSCur33294]
  • Cisco TelePresence ISDN Gateway [CSCur33282]
  • Cisco TelePresence MCU (8510, 8420, 4200, 4500 and 5300) [CSCur33260]
  • Cisco TelePresence MSE 8050 Supervisor [CSCur33267]
  • Cisco TelePresence Serial Gateway Series [CSCur33297]
  • Cisco TelePresence Server 8710, 7010 [CSCur33274]
  • Cisco TelePresence Server on Multiparty Media 310, 320 [CSCur33274]
  • Cisco TelePresence Server on Virtual Machine [CSCur33274]
  • Cisco TelePresence Video Communication Server [CSCur23698]
Wireless
  • Cisco Wireless LAN Controller (WLC) [CSCur27551]
Cisco Hosted Services

4. Other Vendors

Apple has released a security update at the following link:Security Update 2014-005

Asterisk has released a security advisory at the following link:AST-2014-011

BlackBerry has released a security notice at the following link: KB36397

FreeBSD has released a VuXML document at the following link: OpenSSL -- multiple vulnerabilities


Microsoft has released a security advisory at the following link: 3009008

OpenSSL has released a security advisory at the following link: secadv_20141015

Oracle has released a security advisory at the following link:Cryptographic Issues vulnerability

Red Hat has released a CVE statement and security advisories for bug ID 1152789 at the following links: CVE-2014-3566RHSA-2014:1653, and RHSA-2014:1652


References:

a.  Check Point response to the POODLE Bites vulnerability (CVE-2014-3566)

No comments:

Post a Comment