Cisco Bug: CSCus42901 - JANUARY 2015 OpenSSL Vulnerabilities
Jun 02, 2017
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
8.2, 8.7(1), 9.2(1), 9.3(2), 9.3(2.200), 9.4(1), 99.1
Symptom: The following Cisco products include a version of OpenSSL that could be affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

Cisco Adaptive Security Appliance (ASA) Software v8.0 and later, including: 7.2.1 - 188.8.131.52, 8.0.2 - 184.108.40.206, 8.1.1 - 220.127.116.11, 8.2.1 - 18.104.22.168, 8.3.1 - 22.214.171.124, 8.4.1 - 126.96.36.199, 8.5.1 - 188.8.131.52, 8.6.1 - 184.108.40.206, 8.7.1 - 220.127.116.11, 9.0.1 - 18.104.22.168, 9.1.1 - 22.214.171.124, 9.2.1 - 9.2.3, and 9.3.1 - 126.96.36.199

- CVE-2014-3570 - Bignum squaring may produce incorrect results
- CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA [Client]
- CVE-2015-0206 - DTLS memory leak in dtls1_buffer_record

Cisco has analyzed the following vulnerabilities and concluded that the previously listed products are not impacted:

- CVE-2014-3569 - no-ssl3 configuration sets method to NULL
- CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
- CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
- CVE-2014-8275 - Certificate fingerprints can be modified
- CVE-2015-0205 - DH client certificates accepted without verification [Server]

Due to End of Life, this bug will not be fixed in the 8.0 and 8.1 code trains. Cisco recommends that customers upgrade to a fixed release.

Conditions:

- The Cisco Adaptive Security Appliance (ASA) running all software versions is vulnerable to CVE-2014-3570 - Bignum squaring may produce incorrect results; however, there is no known exploit for this.
- The Cisco Adaptive Security Appliance (ASA) running all software versions is vulnerable to CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA [Client] when the ASA acts as a client (clientless, TLS proxy, and other cases).
- The Cisco Adaptive Security Appliance (ASA) running software version 9.2.x or later is vulnerable to CVE-2015-0206 - DTLS memory leak in dtls1_buffer_record.

Configurations:

- CVE-2015-0206: the device will have to be configured for DTLS. DTLS is used for AnyConnect SSL VPN. If it is configured, DTLS is enabled by default. It may be disabled explicitly if needed in the group-policy.
- CVE-2015-0204: ASA configured to act as an SSL/TLS client. Features that use SSL in client mode include: Clientless (WebVPN), TLS Proxy, Cut-through proxy, LDAP over SSL, Smart Call Home, Smart Licensing, IFS (copy https://) and Clustering.
- CVE-2014-3570: no known exploit vectors.

This is resolved in 9.1.6 and later.
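The conditions above are fleet-triage input: which ASA devices, by version and by the features they have enabled, still fall under one of the three applicable CVEs. The following added example (not Cisco's code and not part of this bug page) parses ASA version strings such as `9.3(2.200)` and applies the page's rules to a constructed device inventory; it assumes the "resolved in 9.1.6 and later" statement describes the 9.1 train only, since the page's Known Fixed Releases list is not shown.

```python
import re
from dataclasses import dataclass

# ASA release strings come as "8.2", "8.7(1)", "9.3(2.200)" or "9.1.6".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:(?:\((\d+)(?:\.(\d+))?\))|(?:\.(\d+)))?$")


def parse_asa_version(text: str) -> tuple:
    """Normalise an ASA version string into a comparable 4-int tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    major, minor, maint, interim, dotted = m.groups()
    return (int(major), int(minor), int(maint or dotted or 0), int(interim or 0))


@dataclass
class DeviceFacts:
    name: str
    version: str
    dtls_enabled: bool          # AnyConnect SSL VPN with DTLS (on by default when configured)
    tls_client_features: bool   # WebVPN clientless, TLS proxy, LDAPS, Smart Call Home, ...


def assess(facts: DeviceFacts) -> dict:
    """Apply the bug page's conditions to one device; returns applicable CVE IDs."""
    v = parse_asa_version(facts.version)
    train = v[:2]
    eol_no_fix = train in ((8, 0), (8, 1))          # page: 8.0/8.1 trains will not be fixed
    # Assumption: "9.1.6 and later" is read as the 9.1 train; other trains unknown here.
    fixed_per_page = train == (9, 1) and v >= (9, 1, 6, 0)
    applicable = []
    if not fixed_per_page:
        applicable.append("CVE-2014-3570")          # all versions, no known exploit vector
        if facts.tls_client_features:
            applicable.append("CVE-2015-0204")      # only when the ASA is a TLS client
        if v >= (9, 2, 0, 0) and facts.dtls_enabled:
            applicable.append("CVE-2015-0206")      # 9.2.x or later with DTLS configured
    return {"name": facts.name, "version": v, "eol_no_fix": eol_no_fix,
            "fixed_per_page": fixed_per_page, "applicable": applicable}


def triage(inventory: list) -> list:
    """Return only devices with at least one applicable CVE, worst (most CVEs) first."""
    hits = [assess(d) for d in inventory]
    return sorted((h for h in hits if h["applicable"]), key=lambda h: -len(h["applicable"]))


# Constructed sample inventory for demonstration; not real devices.
SAMPLE = [
    DeviceFacts("edge-fw-1", "9.2(1)", dtls_enabled=True, tls_client_features=True),
    DeviceFacts("edge-fw-2", "9.1(6)", dtls_enabled=True, tls_client_features=True),
    DeviceFacts("lab-fw", "8.0(4)", dtls_enabled=True, tls_client_features=False),
]
```

Feeding `triage(SAMPLE)` into a ticketing or CMDB export gives a per-device list of which CVE conditions still hold, with the End-of-Life flag marking devices that need replacement rather than an upgrade.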