
OpenSSL version in IOS

Wassim Aouadi
Level 4

Hi networkers,

I recently ran a pentest against a 2911 router. It mentioned the following message:

[quote]Vulnerability allows remote attackers to force the downgrade to an unintended cipher.

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
To fix the vulnerability update your software according to used platform. All necessary information is available here:
http://www.openssl.org/

[/quote]

Is there a way to detect the version of SSL implemented on a router?
Thanks,
Wass

2 Replies

mveedock
Cisco Employee

Wass,

When an IOS image is released, it is linked to a single OpenSSL version.  If there is a specific IOS image you are concerned with, provide Cisco with the exact IOS image name, and we can return the OpenSSL version for that image to you.

However, if you are trying to find the OpenSSL version for an ASA (Adaptive Security Appliance), you can determine this version from the ASA release notes.  Simply examine the "Open Source" notes that are located in the release notes of the particular ASA image you are concerned with.  For example, from the ASA 8.4 release notes, you will find a section titled "Related Documentation", which has a link that points to "ASA Series Documentation".  From there, you will find a link for "Open Source License".  That will take you to an "Open Source" page which reveals that the OpenSSL version that runs on the ASA 8.4 code is "0.9.8f"

As a side note, you can determine the OpenSSL version running on a "client" computer by issuing the "ssh -v" command.  For example, on my own Mac we can see that I'm running OpenSSL version 0.9.8r.

mveedock-mac:~ mikeveedock$ ssh -v cisco@10.1.1.1

OpenSSH_5.2p1, OpenSSL 0.9.8r 8 Feb 2011

Hope this helps!

--

Mike Veedock

VPN Engineer – Cisco Systems
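Once a version string has been obtained (from the release notes, from Cisco, or from an `ssh -v` banner, which per the reply above reports the local client's library), it can be checked against the ranges quoted in the scan finding. The following is an added example, not part of the original posts and not Cisco tooling; the function names are hypothetical, and a version match alone does not show that SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled.

```python
import re

# Banner format as printed by `ssh -v`, e.g. "OpenSSH_5.2p1, OpenSSL 0.9.8r 8 Feb 2011".
_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, patch_letters), or None if no OpenSSL version is found."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def _key(version):
    # Letter releases order as "" < "a" < ... < "z" < "za" < ..., so compare
    # the suffix by length first and alphabetically second.
    major, minor, fix, letters = version
    return (major, minor, fix, len(letters), letters)


def in_advisory_range(version):
    """True if the version is in the ranges quoted in the finding:
    before 0.9.8q, or 1.0.x before 1.0.0c."""
    k = _key(version)
    if k < _key((0, 9, 8, "q")):
        return True
    return _key((1, 0, 0, "")) <= k < _key((1, 0, 0, "c"))


if __name__ == "__main__":
    samples = [
        "OpenSSH_5.2p1, OpenSSL 0.9.8r 8 Feb 2011",  # banner from the reply above
        "OpenSSL 0.9.8f",                             # ASA 8.4 version from the reply above
        "OpenSSL 1.0.0b",                             # constructed sample
        "OpenSSH_5.2p1",                              # constructed sample, no OpenSSL field
    ]
    for banner in samples:
        version = parse_openssl_version(banner)
        if version is None:
            print(f"{banner!r}: no OpenSSL version found")
        else:
            state = "in advisory range" if in_advisory_range(version) else "outside advisory range"
            print(f"{banner!r}: {state}")
```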

What version of OpenSSL is used in c880data-universalk9-mz.152-4.M5.bin?
