Threat Summary: June 6, 2014
This information has been produced in reference to the recent OpenSSL vulnerabilities that have been made public at openssl.com.
Event Intelligence
The following Cisco content is associated with this Event Response Page:
Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl
Cisco IntelliShield Alert: OpenSSL SSL/TLS Handshake Processing Weak Encryption Usage Information Disclosure Vulnerability
https://sec.cloudapps.cisco.com/security/center/viewAlert.x?alertId=34548
Cisco IntelliShield Alert: OpenSSL DTLS Handshake Processing Recursion Denial of Service Vulnerability
https://sec.cloudapps.cisco.com/security/center/viewAlert.x?alertId=34547
Cisco IntelliShield Alert: OpenSSL DTLS Fragment Processing Buffer Overflow Vulnerability
https://sec.cloudapps.cisco.com/security/center/viewAlert.x?alertId=34546
Cisco IntelliShield Alert: OpenSSL TLS Client ECDH Ciphersuite Denial of Service Vulnerability
https://sec.cloudapps.cisco.com/security/center/viewAlert.x?alertId=34549
Cisco Security Blog Posts
http://blogs.cisco.com/security/a-collection-of-cryptographic-vulnerabilities/
The OpenSSL SSL/TLS Handshake Processing Weak Encryption Usage Information Disclosure Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0224.
The vulnerability is due to weak cryptographic keys that could be determined by an attacker. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted handshake packet to a targeted system. If successful, the attacker could perform a man-in-the-middle attack against a targeted system.
The OpenSSL DTLS Fragment Processing Buffer Overflow Vulnerability has been assigned CVE ID CVE-2014-0195.
The vulnerability is due to improper handling of Datagram Transport Layer Security (DTLS) fragments by a system running the affected application. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted DTLS fragments to a targeted system. A successful exploit could cause a buffer overrun condition that the attacker could use to execute arbitrary code on the system.
The OpenSSL DTLS Handshake Processing Recursion Denial of Service Vulnerability has been assigned CVE ID CVE-2014-0221.
The vulnerability is due to improper handling of certain DTLS ServerHello requests by a system running the affected application. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted DTLS handshake request to a targeted system. A successful exploit could cause the affected application to recurse and crash, resulting in a denial of service (DoS) condition.
The OpenSSL TLS Client ECDH Ciphersuite Denial of Service Vulnerability has been assigned CVE ID CVE-2014-3470.
The vulnerability is due to way the affected software performs an anonymous Elliptic Curve Diffie-Hellman (ECDH) key exchange. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted handshake packet to a targeted system. A successful exploit could cause the affected application to crash, resulting in a DoS condition.
Three additional previously disclosed vulnerabilities are also mentioned in the OpenSSL bulletin:
- CVE-2014-0198 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
- CVE-2010-5298 SSL_MODE_RELEASE_BUFFERS session injection or denial of service
- CVE-2014-0076 ECDSA NONCE Side-Channel Recovery Attack Vulnerability
OpenSSL has confirmed these vulnerabilities and released software updates.
The Cisco Product Security Incident Response Team (PSIRT) is currently investigating which Cisco products are affected by these vulnerabilities. Cisco Security Advisory Multiple Vulnerabilities in OpenSSL Affecting Cisco Products was published and includes information on vulnerable products and products confirmed not vulnerable. The advisory will be updated as additional information about other products becomes available. Cisco will release free software updates that address these vulnerabilities. Any updates specifically related to Cisco products will be communicated according to the Cisco Security Vulnerability Policy.
The Cisco Computer Security Incident Response Team (CSIRT) is investigating Cisco public-facing infrastructure that could be susceptible to this vulnerability to facilitate its remediation.
Effective use of Cisco Next-Generation Intrusion Prevention System (NGIPS) event actions provides visibility into and protection against attacks that attempt to exploit one of these vulnerabilities. The Cisco Sourcefire Snort SIDs for CVE-2014-3470 are 30790 through 30793. The Cisco Sourcefire Snort SIDs for CVE-2014-0221 are 31180 and 31181. The VRT also wrote signatures 30520 through 30523 for exploit attempts against OpenSSL clients.
Vulnerability Note VU#720951 http://www.kb.cert.org/vuls/id/978508
OpenSSL news https://www.openssl.org/news/secadv_20140605.txt
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.