Cisco Working to Fix POODLE Vulnerabilities

Wednesday, October 22, 2014 @ 12:10 PM gHale


Cisco published a list of solutions confirmed to be vulnerable to POODLE attacks.

POODLE (Padding Oracle On Downgraded Legacy Encryption) is a flaw in version 3 of the Secure Sockets Layer (SSL) protocol.


Vulnerable products include Cisco Webex Social, Cisco AnyConnect, Cisco ACE, Cisco Standalone rack server CIMC, Cisco Wireless LAN Controller, Cisco Cloud Web Security, and various Cisco TelePresence devices.

Several network and content security devices, voice and communication devices, and routing and switching products are also vulnerable to POODLE attacks.

However, Cisco Adaptive Security Device Manager, Cisco Prime Data Center Network Manager and Cisco Webex Messenger Service do not suffer from the issue.

Cisco said some of its products end up affected by the vulnerability (CVE-2014-3566) because they use SSL 3.0 for features such as Web-based administration interfaces over HTTPS, SSL VPNs, file transfer over HTTPS, or Secure SIP.

“Current clients negotiate TLS by default, but they can fall back to SSLv3 if the negotiation to use TLS has failed. An attacker performing a man-in-the-middle attack could trigger a protocol downgrade to SSLv3 and exploit this vulnerability to decrypt a subset of the encrypted communication,” Cisco said in its advisory.

For a product to be vulnerable to POODLE attacks it must meet two criteria: it must support SSL 3.0, and a block cipher in CBC mode must be among the transform sets it offers. Products that do not support SSL 3.0, and products with no block cipher in CBC mode among their transform sets, are not affected, Cisco said.

The company is developing patches for the affected products. In the meantime, customers that do not require SSL 3.0 can disable the protocol to protect themselves. However, there are currently no workarounds for users who require the functionality provided by SSL 3.0.
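As an added example, not taken from Cisco's advisory or from this article, the following Python check applies the two criteria above to a service inventory and shows the effect of the interim mitigation (disabling SSL 3.0). The hostnames, protocol sets and cipher suite lists are constructed sample data.

```python
# Apply Cisco's two POODLE criteria (SSL 3.0 offered AND a CBC-mode block
# cipher offered) to a constructed service inventory. Hostnames and suite
# lists are constructed sample data, not output from any Cisco product.

# IANA-style protocol/suite names as a scanner or config dump might report them.
SAMPLE_SERVICES = [
    {"name": "webui.example.net:443",            # HTTPS admin interface
     "protocols": {"SSLv3", "TLSv1.0", "TLSv1.2"},
     "suites": ["TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]},
    {"name": "sslvpn.example.net:443",           # SSL VPN, stream cipher only
     "protocols": {"SSLv3", "TLSv1.0"},
     "suites": ["TLS_RSA_WITH_RC4_128_SHA"]},
    {"name": "sip-tls.example.net:5061",         # Secure SIP, SSL 3.0 disabled
     "protocols": {"TLSv1.0", "TLSv1.2"},
     "suites": ["TLS_RSA_WITH_AES_256_CBC_SHA"]},
]

def is_cbc_block_cipher(suite: str) -> bool:
    """True for suite names using a block cipher in CBC mode (AES, 3DES, ...)."""
    return "_CBC_" in suite.upper() or suite.upper().endswith("_CBC")

def poodle_status(service: dict) -> tuple:
    """Return (status, reason) under Cisco's criteria."""
    cbc = [s for s in service["suites"] if is_cbc_block_cipher(s)]
    if "SSLv3" not in service["protocols"]:
        return "not affected", "SSL 3.0 not offered"
    if not cbc:
        return "not affected", "SSL 3.0 offered but no CBC block cipher"
    reason = "SSL 3.0 offered with CBC suite(s): " + ", ".join(cbc)
    if any(p.startswith("TLS") for p in service["protocols"]):
        # Offering TLS as well does not help: a man-in-the-middle can force
        # the client to fall back to SSL 3.0, the downgrade Cisco describes.
        reason += "; TLS also offered, but downgrade to SSLv3 is possible"
    return "vulnerable", reason

def disable_sslv3(service: dict) -> dict:
    """Cisco's interim mitigation: drop SSL 3.0 from the offered protocol set."""
    return {**service, "protocols": service["protocols"] - {"SSLv3"}}

def audit(services) -> dict:
    """Map each service name to its status before and after disabling SSL 3.0."""
    return {s["name"]: (poodle_status(s)[0], poodle_status(disable_sslv3(s))[0])
            for s in services}

if __name__ == "__main__":
    for name, (before, after) in audit(SAMPLE_SERVICES).items():
        print(f"{name:28} {before:13} -> after disabling SSLv3: {after}")
```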


