Cisco Bug: CSCut45979 - MARCH 2015 OpenSSL Vulnerabilities

Last Modified

Aug 03, 2017

Products (1)

  • Cisco IP Video Phone E20

Known Affected Releases

4.1.2

Description (partial)

-PSIRT
Symptoms:
This product includes a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288

This bug has been opened to address the potential impact on this product.

Conditions:
1) If affected, which version of CiscoSSL or OpenSSL is in use?

OpenSSL-1.0.0q

2) Please list the specific product versions that are affected by this
vulnerability. Be as specific as possible.

All TE versions are affected

3) Please provide the fixed version and estimated time for release on CCO.

No fix is expected at this time

4) Fixed & Affected Versions:

Unknown

5) Free form - feel free to include any additional details or information that
can help a customer assess their vulnerability to this issue.

Since we are not based on OpenSSL 1.0.2, the following CVEs, which apply only
to the 1.0.2 branch, do not affect us:
   CVE-2015-0291, CVE-2015-0290, CVE-2015-0207, CVE-2015-0208,
   CVE-2015-1787, CVE-2015-0285

We are also not affected by:
   CVE-2015-0287 (ASN.1 structure reuse memory corruption): we do not reuse
ASN.1 structures when parsing.
   CVE-2015-0289 (PKCS#7 NULL pointer dereferences): we do not parse PKCS#7
structures.
   CVE-2015-0293 (DoS via reachable assert in SSLv2 servers): we do not run
any SSLv2 servers.
   CVE-2015-0292 (integer underflow in base64 decoding): the system
administrator can supply base64 encoded structures that we will parse, but
since whatever the administrator supplies should be considered trusted, we do
not consider ourselves affected by this.
   CVE-2015-0209 (use after free following a d2i_ECPrivateKey error): CiscoSSL
uses a separate EC implementation, so it is likely this bug is not present
there. We also do not accept private keys from untrusted sources, so we
consider ourselves not affected.
   CVE-2015-0288 (X509_to_X509_REQ NULL pointer dereference): we do not use
X509_to_X509_REQ().

We are affected by:
   CVE-2015-0204 (RSA silently downgrades to EXPORT_RSA, "FREAK"): the E20 is
the TLS client here. If the server we connect to (which would normally be the
customer's provisioning server) supports RSA export cipher suites, an attacker
in the network path can downgrade the handshake to a 512-bit export RSA key
that the client accepts. Disabling export cipher suites on the provisioning
server removes the server-side precondition for the attack.
   CVE-2015-0286 (segmentation fault in ASN1_TYPE_cmp): DoS attack when
checking certificates.
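
The practical check for CVE-2015-0204 on a deployment like this is whether the provisioning server will still negotiate an RSA export suite. The script below is an added example, not Cisco's or OpenSSL's code: it hand-builds a TLS 1.0 ClientHello that offers only RSA export suites and classifies the first record the server returns. It deliberately avoids Python's ssl module, since current OpenSSL builds no longer contain export suites and so cannot offer them. The cipher suite codes are the real IANA registry values; the host name in the usage block is a placeholder the operator supplies.

```python
"""Probe a TLS server for RSA export cipher suite support (FREAK precondition).

Added example, not Cisco's or OpenSSL's code. Offers only RSA export suites in
a TLS 1.0 ClientHello and reports whether the server accepts one.
"""
import os
import socket
import struct
import sys

# Cipher suite codes from the IANA TLS registry (real values).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types


def build_client_hello(suites, server_name=None):
    """Return one TLS record carrying a TLS 1.0 ClientHello offering only `suites`."""
    body = b"\x03\x01"                                 # client_version = TLS 1.0
    body += os.urandom(32)                             # client random
    body += b"\x00"                                    # empty session id
    body += struct.pack("!H", 2 * len(suites))         # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # compression: null only
    if server_name:                                    # optional SNI extension
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni        # type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def classify_response(data):
    """Classify the server's first TLS record.

    Returns ("export_accepted", suite name) when the server picked one of the
    export suites, ("refused", alert details) on a TLS alert, or ("other", detail).
    """
    if len(data) < 5:
        return ("other", "short read (%d bytes)" % len(data))
    content_type = data[0]
    if content_type == ALERT and len(data) >= 7:
        return ("refused", "alert level=%d desc=%d" % (data[5], data[6]))
    if content_type == HANDSHAKE and len(data) >= 11 and data[5] == SERVER_HELLO:
        # ServerHello body: version(2) random(32) session_id_len(1) session_id cipher_suite(2)
        pos = 9 + 2 + 32                               # record hdr(5) + hs hdr(4) + version + random
        if len(data) < pos + 1:
            return ("other", "truncated ServerHello")
        pos += 1 + data[pos]                           # skip session id
        if len(data) < pos + 2:
            return ("other", "truncated ServerHello")
        suite = struct.unpack("!H", data[pos:pos + 2])[0]
        if suite in EXPORT_SUITES:
            return ("export_accepted", EXPORT_SUITES[suite])
        return ("other", "server chose non-offered suite 0x%04x" % suite)
    return ("other", "unexpected content type 0x%02x" % content_type)


def probe(host, port=443, timeout=5.0):
    """Send the export-only ClientHello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(EXPORT_SUITES), server_name=host))
        return classify_response(sock.recv(4096))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: freak_probe.py <provisioning-server-host> [port]")  # host is operator-supplied
        sys.exit(0)
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(sys.argv[1], probe(sys.argv[1], port))
```

A result of `export_accepted` means the server side of the CVE-2015-0204 precondition holds and the export suites should be removed from the server's cipher list; `refused` with a handshake_failure alert (description 40) is the expected answer from a correctly configured server. The same check can be done by hand with `openssl s_client -connect host:443 -cipher EXPORT`, but only from an OpenSSL build old enough to still ship the export suites.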