Cisco Bug: CSCvs54375 - CVE-2015-4000 found on UCSM 4.0(4d)

Last Modified

Jan 08, 2020

Products (1)

  • Cisco Unified Computing System

Known Affected Releases

4.0(4g)C

Description (partial)

Symptom:
a.	Scanner name, version, scanner signature version
Nessus Scanner, version 8.2.2
 
b.	Complete report from the scanner
CVE-2015-4000   SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)  found on UCSM VIP.

Vulnerable connection combinations :

  SSL/TLS version  : TLSv1.0
  Cipher suite     : TLS1_CK_DHE_PSK_WITH_AES_256_CBC_SHA
  Diffie-Hellman MODP size (bits) : 0
  Logjam attack difficulty : Easy (could be carried out by individuals)

  SSL/TLS version  : TLSv1.1
  Cipher suite     : TLS1_CK_DHE_PSK_WITH_AES_256_CBC_SHA
  Diffie-Hellman MODP size (bits) : 0
  Logjam attack difficulty : Easy (could be carried out by individuals)

  SSL/TLS version  : TLSv1.2
  Cipher suite     : TLS1_CK_DHE_PSK_WITH_AES_256_CBC_SHA
  Diffie-Hellman MODP size (bits) : 0
  Logjam attack difficulty : Easy (could be carried out by individuals)

c.     Name, software release in use and "show tech" or equivalent from device being tested. Should include full device configuration.
    Two UCS FI6248 + four B200M4 servers; firmware on both is 4.0(4d).
 
d.    Common Vulnerability and Exposure (CVE) ID for each one of the vulnerabilities reported by the scanner.
CVE-2015-4000: SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

Conditions:
1.	To fix CVE-2004-2761, the customer upgraded UCSM from 3.2 (3K) to 4.0(4d).
2.	To fix CVE-2016-2183, the customer changed Cipher Suite Mode to 'Custom', then added the cipher suite string below:
ALL:!DH:!EDH:!ADH:!EXPORT40:!EXPORT56:!LOW:!RC4:+HIGH:+MEDIUM:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:+EXP:+eNULL 
 
The Nessus scanner then reported 'CVE-2015-4000: SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)'.