https://community.cisco.com/t5/network-security/openssl-version-in-ios/m-p/2090737#M921044 <P>Hi networkers,</P><P>I recently run a pentest against a 2911 router. It mentioned the following message:</P><P></P><P>[quote]Vulnerability allows remote attackers to force the downgrade to an unintended&nbsp; cipher. </P><DIV id="descr">OpenSSL before 0.9.8q, and 1.0.x&nbsp; before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not&nbsp; properly prevent modification of the ciphersuite in the session cache, which&nbsp; allows remote attackers to force the downgrade to an unintended cipher via&nbsp; vectors involving sniffing network traffic to discover a session&nbsp; identifier."</DIV><DIV> </DIV><DIV><DIV id="solution">To fix the vulnerability update&nbsp; your software according to used platform. All necessary information is available&nbsp; here:<BR /><A class="active_link" href="http://www.openssl.org/" rel="nofollow" target="_blank">http://www.openssl.org/</A> "<P>[/quote]</P><P></P></DIV><DIV> </DIV><DIV> </DIV><DIV> </DIV><DIV> </DIV><DIV> </DIV><DIV>Is there a way to detect the version of SSL implemented on a router?</DIV><DIV> </DIV><DIV>Thanks,</DIV><DIV> </DIV><DIV>Wass</DIV><P></P></DIV> Fri, 21 Feb 2020 12:47:53 GMT Wassim Aouadi 2020-02-21T12:47:53Z https://community.cisco.com/t5/network-security/openssl-version-in-ios/m-p/2090737#M921044 <P>Hi networkers,</P><P>I recently run a pentest against a 2911 router. It mentioned the following message:</P><P></P><P>[quote]Vulnerability allows remote attackers to force the downgrade to an unintended&nbsp; cipher. </P><DIV id="descr">OpenSSL before 0.9.8q, and 1.0.x&nbsp; before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not&nbsp; properly prevent modification of the ciphersuite in the session cache, which&nbsp; allows remote attackers to force the downgrade to an unintended cipher via&nbsp; vectors involving sniffing network traffic to discover a session&nbsp; identifier."</DIV><DIV> </DIV><DIV><DIV id="solution">To fix the vulnerability update&nbsp; your software according to used platform. All necessary information is available&nbsp; here:<BR /><A class="active_link" href="http://www.openssl.org/" rel="nofollow" target="_blank">http://www.openssl.org/</A> "<P>[/quote]</P><P></P></DIV><DIV> </DIV><DIV> </DIV><DIV> </DIV><DIV> </DIV><DIV> </DIV><DIV>Is there a way to detect the version of SSL implemented on a router?</DIV><DIV> </DIV><DIV>Thanks,</DIV><DIV> </DIV><DIV>Wass</DIV><P></P></DIV> Fri, 21 Feb 2020 12:47:53 GMT https://community.cisco.com/t5/network-security/openssl-version-in-ios/m-p/2090737#M921044 Wassim Aouadi 2020-02-21T12:47:53Z https://community.cisco.com/t5/network-security/openssl-version-in-ios/m-p/2090738#M921045 <HTML><HEAD></HEAD><BODY><P>Wass,</P><P></P><P>When an IOS image is released, it is linked to a single OpenSSL version.&nbsp; If there is a specific IOS image you are concerned with, provide Cisco with the exact IOS image name, and we can return the OpenSSL version for that image to you.</P><P></P><P>However, if you are trying to find the OpenSSL version for an ASA (Adaptive Security Appliance), you can determine this version from the ASA release notes.&nbsp; Simply examine the "Open Source" notes that are located in the release notes of the particular ASA image you are concerned with.&nbsp; For example, from the ASA 8.4 release notes, you will find a section titled "Related Documentation", which has a link that points to "ASA Series Documentation".&nbsp; From there, you will find a link for "Open Source License".&nbsp; That will take you to an "Open Source" page which reveals that the OpenSSL version that runs on the ASA 8.4 code is "0.9.8f"</P><P></P><P>As a side note, you can determine the OpenSSL version running on a "client" computer by issuing the "ssh -v" command.&nbsp; For example, on my own Mac we can see that I'm running OpenSSL version 0.9.8r.</P><P></P><P>mveedock-mac:~ mikeveedock$ ssh -v cisco@10.1.1.1</P><P>OpenSSH_5.2p1, OpenSSL 0.9.8r 8 Feb 2011</P><P></P><P>Hope this helps!</P><P></P><P>-- </P><P>Mike Veedock</P><P>VPN Engineer – Cisco Systems</P></BODY></HTML> Thu, 21 Mar 2013 16:56:43 GMT https://community.cisco.com/t5/network-security/openssl-version-in-ios/m-p/2090738#M921045 mveedock 2013-03-21T16:56:43Z https://community.cisco.com/t5/network-security/openssl-version-in-ios/m-p/3174432#M921046 <P>what version of openSSL is used in c880data-universalk9-mz.152-4.M5.bin?</P> Wed, 23 Aug 2017 08:41:16 GMT https://community.cisco.com/t5/network-security/openssl-version-in-ios/m-p/3174432#M921046 smanfre 2017-08-23T08:41:16Z