Cisco Secure Email Support Community

chally.dean
Beginner

TLS Protocol Session Renegotiation Security Vulnerability

Has anyone out there been trying to figure out a way to deal with this TLS vulnerability?

An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

4 REPLIES 4
joe_ironport
Beginner

Can anyone from Cisco comment on whether or not the ESAs are affected by this vulnerability? If so, should we expect a new build of ASYNC and when?

steven_geerts
Beginner

As far as I know, IronPort supported TLS far before the Cisco takeover.

Since the link is broken, I cannot read the Cisco advisory, but I can imagine the IronPort product family is not involved in this issue.

Steven

chally.dean
Beginner

I have updated the link.

This is a TLS/SSL vulnerability that is industry-wide. It is a problem with the protocols themselves, not the implementation. I am certain that it affects IronPort and have word that they are working on it.

I was hoping someone from IronPort would jump in and let us know what was going on, and when we would expect to see an update for the AsyncOS.

Thierry ZOLLER does a good job of explaining the issue at the below link.
http://www.g-sec.lu/practicaltls.pdf

kyerramr
Beginner

As pointed out, this is a vulnerability in the protocol design itself and not with the implementation.

Cisco IronPort is actively investigating and more information will be posted on the Cisco advisory page http://www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml

Best
Kishore
