Cisco Bug: CSCus42901 - JANUARY 2015 OpenSSL Vulnerabilities

Last Modified

Jun 02, 2017

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.2 8.7(1) 9.2(1) 9.3(2) 9.3(2.200) 9.4(1) 99.1

Description (partial)

Symptom: The following Cisco Adaptive Security Appliance (ASA) Software releases:
      7.2.1 - 7.2.5.15,
      8.0.2 - 8.0.5.39,
      8.1.1 - 8.1.2.56,
      8.2.1 - 8.2.5.52,
      8.3.1 - 8.3.2.42,
      8.4.1 - 8.4.7.25,
      8.5.1 - 8.5.1.22,
      8.6.1 - 8.6.1.15,
      8.7.1 - 8.7.1.14,
      9.0.1 - 9.0.4.28,
      9.1.1 - 9.1.5.21, 
      9.2.1 - 9.2.3, and
      9.3.1 - 9.3.2.2
  
include a version of OpenSSL that could be affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:
  
  CVE-2014-3570 - Bignum squaring may produce incorrect results
  CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA [Client]
  CVE-2015-0206 - DTLS memory leak in dtls1_buffer_record
 
Cisco has analyzed the following vulnerabilities and concluded that the previously listed products are not impacted:
 
  CVE-2014-3569 - no-ssl3 configuration sets method to NULL
  CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
  CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
  CVE-2014-8275 - Certificate fingerprints can be modified
  CVE-2015-0205 - DH client certificates accepted without verification [Server]
   
Due to End of Life, this bug will not be fixed in the 8.0 and 8.1 code trains. Cisco recommends that customers upgrade to a fixed release.
Conditions: The Cisco Adaptive Security Appliance (ASA) running any software version is vulnerable to
CVE-2014-3570 - Bignum squaring may produce incorrect results; however, there is no known exploit for this.
 
The Cisco Adaptive Security Appliance (ASA) running any software version is vulnerable to CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA [Client] when the ASA acts as an SSL/TLS client (clientless WebVPN, TLS proxy, and other cases).
 
The Cisco Adaptive Security Appliance (ASA) running software version 9.2.x or later is vulnerable to CVE-2015-0206 - DTLS memory leak in dtls1_buffer_record.
 
Configurations:
  
  CVE-2015-0206: the device must be configured for DTLS. DTLS is used for AnyConnect SSL VPN; when AnyConnect is configured, DTLS is enabled by default. It can be disabled explicitly in the group-policy if needed.
  
  CVE-2015-0204: the ASA must be configured to act as an SSL/TLS client. Features that use SSL in client mode include Clientless (WebVPN), TLS Proxy, Cut-through proxy, LDAP over SSL, Smart Call Home, Smart Licensing, IFS (copy https://), and Clustering.
  
  CVE-2014-3570: no known exploit vectors.
  
  This is resolved in 9.1.6 and later.
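The CVE-2015-0204 condition above (ASA as a TLS client) can be checked on the wire. The bug is that, after agreeing a plain static-RSA cipher suite, an affected OpenSSL client still accepts a ServerKeyExchange carrying a 512-bit "export" RSA key, which that suite never permits; a patched client aborts at that point. The Python parser below is an added example, not code from this bug report, from Cisco or from OpenSSL: it takes the raw TLS records the server sent (ServerHello through ServerHelloDone, e.g. carved from a capture of the ASA's client-side connection) and reports whether such a downgrade is being attempted. The sample flights are constructed, the helper names are mine, and the cipher-suite tables cover only a representative subset of the IANA registry.

```python
"""CVE-2015-0204 ("FREAK") downgrade check over a captured TLS server flight.
Added example; sample flights below are constructed, not real captures."""

import struct

# IANA cipher-suite ids grouped by key exchange (subset sufficient for the demo).
STATIC_RSA = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}
EXPORT_RSA = {0x0003, 0x0006, 0x0008}                                 # RSA_EXPORT_*: 512-bit RSA
EPHEMERAL = {0x0016, 0x0033, 0x0039, 0xC013, 0xC014, 0xC02F, 0xC030}  # DHE/ECDHE suites

HANDSHAKE, SERVER_HELLO, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE = 22, 2, 12, 14


def _handshake_stream(flight: bytes) -> bytes:
    """Reassemble the handshake payload: a message may span several TLS records."""
    out, pos = bytearray(), 0
    while pos + 5 <= len(flight):
        ctype = flight[pos]
        length = struct.unpack("!H", flight[pos + 3:pos + 5])[0]
        body = flight[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        if ctype == HANDSHAKE:
            out += body
        pos += 5 + length
    return bytes(out)


def _messages(stream: bytes):
    """Yield (handshake_type, body) pairs from a reassembled handshake stream."""
    pos = 0
    while pos + 4 <= len(stream):
        mtype = stream[pos]
        length = int.from_bytes(stream[pos + 1:pos + 4], "big")
        body = stream[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        yield mtype, body
        pos += 4 + length


def _server_hello_suite(body: bytes) -> int:
    # version(2) random(32) session_id<0..32> cipher_suite(2) compression(1) ...
    off = 35 + body[34]
    return struct.unpack("!H", body[off:off + 2])[0]


def _rsa_modulus_bits(ske_body: bytes) -> int:
    # ServerRSAParams: rsa_modulus<1..2^16-1> rsa_exponent<1..2^16-1>, then the signature
    n_len = struct.unpack("!H", ske_body[:2])[0]
    return int.from_bytes(ske_body[2:2 + n_len], "big").bit_length()


def analyze_server_flight(flight: bytes) -> dict:
    """Return the negotiated suite, the RSA key size of any ServerKeyExchange,
    and a verdict on whether a FREAK-style downgrade is being attempted."""
    suite, ske_seen, rsa_bits = None, False, None
    for mtype, body in _messages(_handshake_stream(flight)):
        if mtype == SERVER_HELLO:
            suite = _server_hello_suite(body)
        elif mtype == SERVER_KEY_EXCHANGE:
            ske_seen = True
            if suite in STATIC_RSA or suite in EXPORT_RSA:
                rsa_bits = _rsa_modulus_bits(body)  # only RSA suites carry ServerRSAParams
    if suite is None:
        raise ValueError("no ServerHello in flight")
    if suite in EXPORT_RSA:
        verdict = "export RSA suite negotiated (%s-bit key): RSA_EXPORT suites must be disabled" % rsa_bits
    elif suite in STATIC_RSA and ske_seen:
        verdict = ("FREAK downgrade: ServerKeyExchange with %d-bit RSA key for a "
                   "static-RSA suite; a patched client aborts here" % rsa_bits)
    elif suite in STATIC_RSA:
        verdict = "ok: static RSA, no ServerKeyExchange"
    elif suite in EPHEMERAL:
        verdict = "ok: ephemeral key exchange, ServerKeyExchange is expected"
    else:
        verdict = "unclassified suite 0x%04x" % suite
    return {"cipher_suite": suite, "ske_rsa_bits": rsa_bits, "verdict": verdict}


# --- constructed sample flights (not real captures) ---------------------------
def _record(body: bytes) -> bytes:
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(body)) + body


def _msg(mtype: int, body: bytes) -> bytes:
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def _server_hello(suite: int) -> bytes:
    return _msg(SERVER_HELLO, b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00")


def _rsa_export_ske(modulus_bytes: int = 64) -> bytes:
    modulus = b"\x80" + b"\x5a" * (modulus_bytes - 1)   # top bit set: exact bit length
    exponent, sig = b"\x01\x00\x01", b"\x00" * 16        # placeholder signature, not verified here
    params = struct.pack("!H", len(modulus)) + modulus + struct.pack("!H", len(exponent)) + exponent
    return _msg(SERVER_KEY_EXCHANGE, params + struct.pack("!H", len(sig)) + sig)


_DONE = _msg(SERVER_HELLO_DONE, b"")
_SKE = _rsa_export_ske()
# AES128-SHA (0x002F) agreed, yet a 512-bit RSA key arrives, split across two records.
FREAK_FLIGHT = _record(_server_hello(0x002F) + _SKE[:10]) + _record(_SKE[10:] + _DONE)
CLEAN_FLIGHT = _record(_server_hello(0x002F) + _DONE)
EXPORT_FLIGHT = _record(_server_hello(0x0003) + _SKE + _DONE)
ECDHE_FLIGHT = _record(_server_hello(0xC013) + _msg(SERVER_KEY_EXCHANGE, b"\x03\x00\x17\x41" + b"\x04" * 65) + _DONE)

if __name__ == "__main__":
    for name, flight in [("freak", FREAK_FLIGHT), ("clean", CLEAN_FLIGHT),
                         ("export", EXPORT_FLIGHT), ("ecdhe", ECDHE_FLIGHT)]:
        print(name, analyze_server_flight(flight))
```

The FREAK sample deliberately splits the ServerKeyExchange across two records so the reassembly step is exercised; a detector that parses per record would miss the key. Note that the ASA itself cannot mitigate this with a cipher restriction on the client side in the releases listed above, so the check is for confirming exposure (or a MITM in progress) until the fixed release is installed.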