
AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
-
A vulnerability in certain implementations of the TLSv1 protocol could allow an unauthenticated, remote attacker to access sensitive information.
The vulnerability is due to improper handling of block cipher padding in affected TLSv1 implementations when using Cipher Block Chaining (CBC) mode. An attacker could exploit the vulnerability to perform a "padding oracle" side-channel attack on the cryptographic message. A successful exploit could allow the attacker to access sensitive information.
Consult the bug release note for additional information about affected products and configurations.
F5 Networks has confirmed the vulnerability in a security advisory and released software updates.
Attacks exploiting this vulnerability are identified as Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks, which could be used to disclose HTTP cookies or other HTTP authorization content that is being transmitted over a TLSv1.x secure session. This issue should not be confused with CVE-2014-3566, as described in Cisco Alert 36084.
It should be noted that "oracle" does not refer to the software company of the same name, but to a term used in cryptography.
To exploit the vulnerability, the attacker may require access to a trusted, internal network to perform man-in-the-middle attacks on a targeted system. This access requirement limits the likelihood of a successful exploit.
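As an added illustration (not code from this alert or from any affected vendor), the code below contrasts a padding check that reads only the final length byte with the check the TLS specification requires, where every padding byte must equal the padding length. The function names and sample records are constructed; decryption and MAC verification are omitted.

```python
# Added illustration: names and sample records below are constructed.
BLOCK = 16  # AES-CBC block size in bytes


def unpad_lax(plaintext: bytes):
    """Flawed: trusts the final length byte, never inspects the padding bytes."""
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    return plaintext[: len(plaintext) - pad_len - 1]


def unpad_strict(plaintext: bytes):
    """TLS rule: every padding byte must equal the padding length."""
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    diff = 0
    for b in plaintext[len(plaintext) - pad_len - 1:]:
        diff |= b ^ pad_len  # accumulate; no early exit on first mismatch
    if diff:
        return None  # should be reported the same way as a MAC failure
    return plaintext[: len(plaintext) - pad_len - 1]


def build_record(payload: bytes, filler=None) -> bytes:
    """Pad payload to a block boundary; filler overrides the padding bytes."""
    pad_len = (BLOCK - (len(payload) + 1) % BLOCK) % BLOCK
    fill = pad_len if filler is None else filler
    return payload + bytes([fill]) * pad_len + bytes([pad_len])


PAYLOAD = b"Cookie: id=constructed"       # constructed sample, 22 bytes
WELL_FORMED = build_record(PAYLOAD)        # padding bytes all equal pad_len
MALFORMED = build_record(PAYLOAD, 0xAA)    # arbitrary padding bytes

if __name__ == "__main__":
    for name, rec in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(name, "lax:", unpad_lax(rec) is not None,
              "strict:", unpad_strict(rec) is not None)
```

An implementation that behaves like `unpad_lax` accepts records whose padding bytes are arbitrary, which is what gives an observer a padding oracle.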
-
F5 Networks has released a security advisory at the following link: sol15882: TLS1.x padding vulnerability CVE-2014-8730
Cisco has released a security notice for Cisco bug IDs CSCus08101, CSCus09311, CSCus17354, CSCus94884, and CSCus17986 at the following link: CVE-2014-8730
HP has released a security bulletin at the following link: HPSBPV03516 SSRT102263
IBM has released a security bulletin at the following link: swg21692906
Vulnerable Products
F5 Networks has published a list of affected software releases in the security advisory. The Vendor Announcements section of this alert contains a link to the advisory.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Administrators are advised to apply the appropriate updates.
Administrators and developers are advised to configure applications to require a minimum of TLS 1.2 with an AEAD cipher for secure communication.
Administrators are advised to allow only trusted users to have network access.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators are advised to apply Snort SID 32758 to help prevent attacks that attempt to exploit the vulnerability.
Administrators are advised to monitor affected systems.
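One way to apply and verify the "minimum of TLS 1.2 with an AEAD cipher" recommendation in an application, shown with Python's standard `ssl` module as an added example (not taken from this alert or any vendor bulletin). The function names and the cipher string are assumptions chosen for illustration.

```python
import ssl

# Name fragments that identify AEAD suites in OpenSSL cipher names.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def non_aead_suites(ctx: ssl.SSLContext) -> list:
    """Return enabled suite names that are not AEAD (e.g. CBC-mode suites)."""
    return [c["name"] for c in ctx.get_ciphers()
            if not any(m in c["name"] for m in AEAD_MARKERS)]


def hardened_context(server: bool = False) -> ssl.SSLContext:
    """TLS 1.2 minimum, AEAD-only TLS 1.2 suites (TLS 1.3 suites are AEAD)."""
    purpose = ssl.Purpose.CLIENT_AUTH if server else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumed cipher string: ECDHE key exchange with AES-GCM or ChaCha20 only.
    ctx.set_ciphers("ECDH+AESGCM:ECDH+CHACHA20:!aNULL")
    return ctx


if __name__ == "__main__":
    # Audit the library default next to the hardened context.
    default_ctx = ssl.create_default_context()
    print("default context, non-AEAD suites:", non_aead_suites(default_ctx))
    print("hardened context, non-AEAD suites:",
          non_aead_suites(hardened_context()))
```

`non_aead_suites` can be pointed at any existing `SSLContext` to list the CBC-mode suites it would still negotiate.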
-
F5 Networks has released software updates for registered users at the following link: hotfix releases
Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via email at tac@cisco.com.
HP has advised customers to follow the steps in the "Resolution" section of the HP security bulletin.
IBM has advised customers to follow the remediation steps in the IBM security bulletin to mitigate this vulnerability.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Version | Description | Section | Status | Date
4.0 | Cisco has released software and fix information for additional products affected by the SSL-TLS implementations Cipher Block Chaining padding information disclosure vulnerability. | NA | Final | 2015-May-29
3.0 | IBM has released a security bulletin and fixes to address the SSL-TLS implementations Cipher Block Chaining padding information disclosure vulnerability. | NA | Final | 2014-Dec-26
2.0 | IntelliShield has updated this alert to include Snort signature information. Cisco has released a security notice to address the SSL-TLS implementations Cipher Block Chaining padding information disclosure vulnerability. | NA | Final | 2014-Dec-17
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.