Buy or Renew
Buy or Renew
Meraki Community is live! Welcome Meraki Members! Learn more here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1031
Views
5
Helpful
1
Replies

ACE - security vulnerabilites

craig bache
Level 4
Level 4

‎05-19-2013 12:19 AM

Hi All

We received two vulnerability alerts for different web sites behind Cisco ACE:

 

1) Vulnerability - SSL / TLS Renegotiation DoS

Description: The remote service encrypts traffic using TLS / SSL and permits

clients to renegotiate connections. The computational requirements

for renegotiating a connection are asymmetrical between the client and

the server, with the server performing several times more work. Since

the remote host does not appear to limit the number of renegotiations

for a single TLS / SSL connection, this permits a client to open

several simultaneous connections and repeatedly renegotiate them,

possibly leading to a denial of service condition.

Recommendation: Contact the vendor for specific patch information.

 

 

2) Vulnerability - SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability

Description: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow

information disclosure if an attacker intercepts encrypted traffic

served from an affected system.

TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are

not affected.

 

Could you please help how they could be fixed?

ACE software A4(2.3)

Regards Craig             

Labels:
0 Helpful
1 Reply 1

Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎05-20-2013 09:45 PM

Hi Craig,

Regarding this vulnerability,

1) Vulnerability - SSL / TLS Renegotiation DoS

You shouldn't be worrying as the code you are running has by default renegotiation diabled. If not please go to parameter type ssl and disable it.

(config)# Parameter-map type ssl SSL
(config-parammap-ssl)# rehandshake enabled
(config-parammap-ssl)# no rehandshake enabled------>This is the default.

Regarding your second vulnerability:

2) Vulnerability - SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability

The workaround is to enable adding empty data blocks via SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS or SSL_OP_ALL runtime options. This was introduced in OpenSSL 0.9.6d. And most of client browsers (IE, Firefox, etc) have included this.

ACE uses TLS 1.0. However, we do not allow code execution on the device. Also the device supports the OpenSSL workaround from client connections that implement it. In this way, ACE is not affected by this vulnerability and no
action is required for this.

There's future enhancement request for TLS 1.1 and TLS 1.2 support on ACE, however there's no hard date on it yet.
Please review the details in below feature enhancement request:


http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtt13316

This is fixed inb A530.

Let me know if you have any questions.

Regards,
Kanwal

Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card