05-19-2013 12:19 AM
Hi All
We received two vulnerability alerts for different web sites behind Cisco ACE:
1) Vulnerability - SSL / TLS Renegotiation DoS
Description: The remote service encrypts traffic using TLS / SSL and permits
clients to renegotiate connections. The computational requirements
for renegotiating a connection are asymmetrical between the client and
the server, with the server performing several times more work. Since
the remote host does not appear to limit the number of renegotiations
for a single TLS / SSL connection, this permits a client to open
several simultaneous connections and repeatedly renegotiate them,
possibly leading to a denial of service condition.
Recommendation: Contact the vendor for specific patch information.
2) Vulnerability - SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability
Description: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow
information disclosure if an attacker intercepts encrypted traffic
served from an affected system.
TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are
not affected.
Could you please help how they could be fixed?
ACE software A4(2.3)
Regards Craig
05-20-2013 09:45 PM
Hi Craig,
Regarding this vulnerability,
1) Vulnerability - SSL / TLS Renegotiation DoS
You shouldn't be worrying as the code you are running has by default renegotiation diabled. If not please go to parameter type ssl and disable it.
(config)# Parameter-map type ssl SSL
(config-parammap-ssl)# rehandshake enabled
(config-parammap-ssl)# no rehandshake enabled------>This is the default.
Regarding your second vulnerability:
2) Vulnerability - SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability
The workaround is to enable adding empty data blocks via SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS or SSL_OP_ALL runtime options. This was introduced in OpenSSL 0.9.6d. And most of client browsers (IE, Firefox, etc) have included this.
ACE uses TLS 1.0. However, we do not allow code execution on the device. Also the device supports the OpenSSL workaround from client connections that implement it. In this way, ACE is not affected by this vulnerability and no
action is required for this.
There's future enhancement request for TLS 1.1 and TLS 1.2 support on ACE, however there's no hard date on it yet.
Please review the details in below feature enhancement request:
This is fixed inb A530.
Let me know if you have any questions.
Regards,
Kanwal
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide