[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016
From: Cisco Systems Product Security Incident Response Team <psirt@xxxxxxxxx>
Date: Wed, 28 Sep 2016 01:22:30 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016 

Advisory ID: cisco-sa-20160927-openssl

Revision: 1.0

For Public Release 2016 September 27 22:40 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======


On September 22, 2016, the OpenSSL Software Foundation released an advisory 
that describes 14 vulnerabilities. Of these 14 vulnerabilities, the OpenSSL 
Software Foundation classifies one as â??Critical Severity,â?? one as 
â??Moderate Severity,â?? and the other 12 as â??Low Severity.â??

Subsequently, on September 26, the OpenSSL Software Foundation released an 
additional advisory that describes two new vulnerabilities. These 
vulnerabilities affect the OpenSSL versions that were released to address the 
vulnerabilities disclosed in the previous advisory. One of the new 
vulnerabilities was rated as â??High Severityâ?? and the other as â??Moderate 
Severity.â??

Of the 16 released vulnerabilities:
    Fourteen track issues that could result in a denial of service (DoS) 
condition
    One (CVE-2016-2183, aka SWEET32) tracks an implementation of a Birthday 
attack against Transport Layer Security (TLS) block ciphers that use a 64-bit 
block size that could result in loss of confidentiality
    One (CVE-2016-2178) is a timing side-channel attack that, in specific 
circumstances, could allow an attacker to derive the private DSA key that 
belongs to another user or service running on the same system

Five of the 16 vulnerabilities affect exclusively the recently released OpenSSL 
versions that belong to the 1.1.0 code train, which has not yet been integrated 
into any Cisco product.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

iQIVAwUBV+r9R689gD3EAJB5AQIs2g//TXbk+qIT/kKxt/MJOUQLkID2tdWZr8Ls
2vcQm5EI8HKr+qSFih3/jyRl5A4LSZsZjQPIo6IxpGKtFLBleBH89l+4rh5D9Hit
/hpQGgIXt57yUug6vHqZiU/zh65pifVCOqvu2E7Gy6pd530AqLhRjK5IKND4GFaW
M2QPwrM2DYchWBuFIA7/r63HFQneaZqzHfR/wA1hhcvWUkDR9h9DaLbX15vG7CHI
J1rAgywVeLOMN7VjDwadvtNfDECnLYeSP91380oL6dB4zyeO18YoHHHYuFTphRSb
umz2zdU8Ku6QBXnUvJjAW3QtzvPX3scjXOgeJqHMLK+38tPkoHZvQeGRfGNmKDEQ
0fA1xFQLlRtetjKGC0L74IjdUXklvyTuGbn5P5CP+vBTLaWCcc/rqfY67NfNtIqp
SKz+9UtprxAlLN3BKkCSzIiKS3BDokbOEORHCEYEmbYkwUNVp0KEXKgAgNlFO/BS
yaL+CDxxiRdbnFixUcG8/xQj584xwOm/cp1u8otySYfSd70oTMqP11VXh+WB+6hT
zHhSMOvLzpLeM++m121ojARIXbXTQLGziLHaRSi8WH+OuB6rceic0f0HwLlBCRlk
LFxQunW2EawYlJGV5Czld4vdoHBSDGcP8bOg9M4LUtA+sKCGpgrTPombG98mhuut
7i2jUMZa7K8=
=KS16
-----END PGP SIGNATURE-----

Prev by Date: [slackware-security] bind (SSA:2016-271-01)
Next by Date: Multiple vulnerabilities found in the Dlink DWR-932B (backdoor, backdoor accounts, weak WPS, RCE ...)
Previous by thread: [slackware-security] bind (SSA:2016-271-01)
Next by thread: Multiple vulnerabilities found in the Dlink DWR-932B (backdoor, backdoor accounts, weak WPS, RCE ...)
Index(es):
- Date
- Thread