Back to list
Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016
Sep 27 2016 11:22PM
Cisco Systems Product Security Incident Response Team (psirt cisco com)
-----BEGIN PGP SIGNED MESSAGE-----
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016
Advisory ID: cisco-sa-20160927-openssl
For Public Release 2016 September 27 22:40 UTC (GMT)
On September 22, 2016, the OpenSSL Software Foundation released an advisory that describes 14 vulnerabilities. Of these 14 vulnerabilities, the OpenSSL Software Foundation classifies one as â??Critical Severity,â? one as â??Moderate Severity,â? and the other 12 as â??Low Severity.â?
Subsequently, on September 26, the OpenSSL Software Foundation released an additional advisory that describes two new vulnerabilities. These vulnerabilities affect the OpenSSL versions that were released to address the vulnerabilities disclosed in the previous advisory. One of the new vulnerabilities was rated as â??High Severityâ? and the other as â??Moderate Severity.â?
Of the 16 released vulnerabilities:
Fourteen track issues that could result in a denial of service (DoS) condition
One (CVE-2016-2183, aka SWEET32) tracks an implementation of a Birthday attack against Transport Layer Security (TLS) block ciphers that use a 64-bit block size that could result in loss of confidentiality
One (CVE-2016-2178) is a timing side-channel attack that, in specific circumstances, could allow an attacker to derive the private DSA key that belongs to another user or service running on the same system
Five of the 16 vulnerabilities affect exclusively the recently released OpenSSL versions that belong to the 1.1.0 code train, which has not yet been integrated into any Cisco product.
This advisory is available at the following link:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
-----END PGP SIGNATURE-----
[ reply ]
Copyright 2010, SecurityFocus