Cisco Bug: CSCup22663 - Multiple Vulnerabilities in OpenSSL - June 2014

Last Modified: Feb 22, 2018

Products (1)

  • Cisco Nexus 5000 Series Switches

Known Affected Releases

  • 6.0(2)N3(0.91)
  • 7.2(0)VX(0.9)
  • 7.2(0.1)PR(0.1)
  • 9.4(1)N1(6.8)

Description (partial)

Symptom:
The following Cisco products:

  • Cisco Nexus 5000 Series switches
  • Cisco Nexus 6000 Series switches
  • Cisco Nexus 5600 Series switches
  • Cisco Nexus 2000 Series switches

include a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-0076 - ECDSA nonce recovery via the cache side channel described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
CVE-2014-0224 - SSL/TLS MITM vulnerability
CVE-2014-3470 - Anonymous ECDH denial of service

This bug has been opened to address the potential impact on this product.

Conditions:
The following applications use the OpenSSL library packaged with NX-OS:

1) The Fabric Management feature on the Nexus 5000 (N5K) uses the XMPP protocol to talk to XMPP servers, and that XMPP client uses the OpenSSL library internally. If the customer network uses the Fabric Management feature, the network is vulnerable to the above issues.

   Configuration:
     switch(config)# feature fabric access

2) If the customer network uses the Vinci DFA auto-configuration feature, the switch uses OpenSSL to contact the LDAP server, and the network is vulnerable to the above issues.

   Configuration:
     switch(config)# fabric database type network
       server protocol ldap {ip <server ip>} | {host <server host name>}
         db-table ou=networks,dc=cisco,dc=com key-type 1

     fabric database type profile
       server protocol ldap {ip <server ip>} | {host <server host name>}
         db-table ou=profilesIPFabric,dc=cisco,dc=com

     fabric database type partition
       server protocol ldap {ip <server ip>} | {host <server host name>}
         db-table ou=partitions,dc=cisco,dc=com

3) VM Tracker: the Nexus 5000 and Nexus 6000 use this application to connect to VMware vCenter. If the customer uses this feature in the network, the network is vulnerable.

   Configuration:
     switch(config)# feature vmtracker

4) onePK (Cisco One Platform Kit) for open routing APIs uses SSL for communication, so the network is vulnerable to the above issues.

   Configuration:
     switch(config)# onep
     switch(config-onep)# ?
       datapath   One Platform datapath
       history    One Platform history trails
       logging    One Platform logging
       no         Negate a command or set its defaults
       service    ONEP service set
       session    One Platform session
       transport  Transport command
       end        Go to exec mode
       exit       Exit from command interpreter
       pop        Pop mode from stack or restore from name
       push       Push current mode to stack or save it under name
       where      Shows the cli context you are in
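As an added example that is not part of the Cisco bug report, the Python below audits a saved `show running-config` for the four configuration conditions listed above (fabric access, an LDAP server under a `fabric database type` block, vmtracker, onep) and checks the running version against the Known Affected Releases. The sample config, the indicator names and the function names are constructed for this example.

```python
import re
# Affected releases are the exact strings from the report. Indicator regexes are
# anchored, so a disabling 'no feature ...' line never matches.
AFFECTED_RELEASES = {"6.0(2)N3(0.91)", "7.2(0)VX(0.9)", "7.2(0.1)PR(0.1)", "9.4(1)N1(6.8)"}
TOP_LEVEL_INDICATORS = {
    "fabric-management-xmpp": re.compile(r"^feature fabric access\b"),
    "vmtracker": re.compile(r"^feature vmtracker\b"),
    "onepk": re.compile(r"^onep\b"),
}
FABRIC_DB = re.compile(r"^fabric database type (network|profile|partition)\b")
LDAP_SERVER = re.compile(r"^server protocol ldap\b")
VERSION = re.compile(r"^version (\S+)", re.MULTILINE)

def parse_blocks(config_text):
    """Group the config into (top-level command, [sub-commands]) by NX-OS indentation."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):  # blank line or '!' comment
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def exposed_features(config_text):
    """Sorted list of the bug's exposure conditions that this config meets."""
    found = set()
    for cmd, sub in parse_blocks(config_text):
        found.update(n for n, pat in TOP_LEVEL_INDICATORS.items() if pat.match(cmd))
        # Condition 2: DFA auto-config reaches OpenSSL only via an LDAP server under a fabric database.
        if FABRIC_DB.match(cmd) and any(LDAP_SERVER.match(s) for s in sub):
            found.add("dfa-autoconfig-ldap")
    return sorted(found)

def audit(config_text):
    m = VERSION.search(config_text)  # the 'version X' line near the top of the running-config
    version = m.group(1) if m else None
    return {"version": version, "affected_release": version in AFFECTED_RELEASES,
            "exposed": exposed_features(config_text)}

# Constructed sample 'show running-config' output, not taken from the bug report.
SAMPLE_CONFIG = """\
version 6.0(2)N3(0.91)
feature fabric access
fabric database type network
  server protocol ldap ip 192.0.2.10
    db-table ou=networks,dc=example,dc=com key-type 1
onep
"""
```

A `fabric database type` block with no `server protocol ldap` line is not reported, matching condition 2, which only applies when the switch contacts an LDAP server.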

Related Community Discussions

Nexus 6004 upgrade nightmare
I have now had 2 weekends ruined by a botched ISSU upgrade on 2 pairs of nexus 6004. We are going from 6.0.2.N2.2 to 7.0.5.N!.1 and each time I encountered a bug. Last week it was an igmp snooping bug. Turn off igmp snooping and it will be fine. So this week I did that and no, it wasn't fine. I hit a new bug regarding sending BPDUs down dual sided VPCs (ouch). Thank you very much. Has anyone else had these kinds of problems with ISSU upgrades? I have done 15 pairs of 5ks in the last 2 months...the ...
Latest activity: Apr 19, 2015