Reference: CERT-EU Security Advisory 2014-054

Title: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products [1]

Version history:
10.06.2014 Initial publication

Summary
=======

Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code, create a denial of service (DoS) condition, or perform a man-in-the-middle attack.

On June 5, 2014 the OpenSSL Project released a security advisory detailing seven distinct vulnerabilities. The vulnerabilities are referenced in this document as follows:

  - SSL/TLS Man-in-the-Middle Vulnerability
  - DTLS Recursion Flaw Vulnerability
  - DTLS Invalid Fragment Vulnerability
  - SSL_MODE_RELEASE_BUFFERS NULL Pointer Dereference Vulnerability
  - SSL_MODE_RELEASE_BUFFERS Session Injection or Denial of Service Vulnerability
  - Anonymous ECDH Denial of Service Vulnerability
  - ECDSA NONCE Side-Channel Recovery Attack Vulnerability

Please note that the devices affected by these vulnerabilities are devices acting as a Secure Sockets Layer (SSL) or Datagram Transport Layer Security (DTLS) server terminating SSL or DTLS connections, or devices acting as an SSL client initiating an SSL or DTLS connection. Devices that are simply traversed by SSL or DTLS traffic without terminating it are not affected.

This advisory will be updated as additional information becomes available.

Cisco will release free software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities may be available.

CVE numbers: CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, CVE-2014-0076

Vulnerable systems
==================

All Cisco products that depend on vulnerable versions of the OpenSSL library are affected; check the list in the original advisory [1].

What can you do?
================

There are patches in the original advisory [1].

What to tell your users?
========================

N/A

More information
================

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl

Best regards,

CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383