CISCO Alert - Multiple Vulnerabilities in OpenSSL

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products (26.1.2015)

Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code, create a denial of service (DoS) condition, or perform a man-in-the-middle attack. On June 5, 2014, the OpenSSL Project released a security advisory detailing seven distinct vulnerabilities. 

The vulnerabilities are referenced in this document as follows:

SSL/TLS Man-in-the-Middle Vulnerability
DTLS Recursion Flaw Vulnerability
DTLS Invalid Fragment Vulnerability
SSL_MODE_RELEASE_BUFFERS NULL Pointer Dereference Vulnerability
SSL_MODE_RELEASE_BUFFERS Session Injection or Denial of Service Vulnerability
Anonymous ECDH Denial of Service Vulnerability
ECDSA NONCE Side-Channel Recovery Attack Vulnerability

Please note that the devices that are affected by this vulnerability are the devices acting as a Secure Sockets Layer (SSL) or Datagram Transport Layer Security (DTLS) server terminating SSL or DTLS connections or devices acting as an SSL client initiating an SSL or DTLS connection. Devices that are simply traversed by SSL or DTLS traffic without terminating it are not affected.

Read More