SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   Cisco Application Control Engine
Vendors:   Cisco
Cisco Application Control Engine SSLv3 Decoding Function Lets Remote Users Decrypt TLS Traffic
SecurityTracker Alert ID:  1031374
SecurityTracker URL:  http://securitytracker.com/id/1031374
CVE Reference:   CVE-2014-8730
Date:  Dec 15 2014
Impact:   Disclosure of system information, Disclosure of user information
Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Cisco Application Control Engine. A remote user can decrypt TLS sessions in certain cases.

The system may accept incorrect TLS padding when terminating TLSv1 CBC connections. A remote user with the ability to conduct a man-in-the-middle attack can force a client to use a vulnerable SSLv3 decoding function with TLS and then conduct a BEAST-style attack to decrypt portions of the session.
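
The padding rule at issue, as an added example that is not part of the advisory or of any vendor code: TLS 1.0 and later require every CBC padding byte to equal the padding length, while an SSLv3-style decoder checks only the final length byte. The function names, block size and sample records are constructed for illustration.

```python
# Added illustration: function names and sample records are constructed.
BLOCK = 16  # AES-CBC block size, assumed for the sample records

def sslv3_style_padding_ok(plaintext: bytes) -> bool:
    """SSLv3 rule: only the trailing length byte is checked; pad bytes are arbitrary."""
    if not plaintext or len(plaintext) % BLOCK:
        return False
    return plaintext[-1] < BLOCK

def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS 1.0+ rule (RFC 2246, 6.2.3.2): every padding byte equals the length byte."""
    if not plaintext or len(plaintext) % BLOCK:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    diff = 0
    for b in plaintext[-(pad_len + 1):]:   # accumulate, no early exit on mismatch
        diff |= b ^ pad_len
    return diff == 0

def classify(plaintext: bytes) -> str:
    """Label a decrypted CBC record the way a TLS terminator should treat it."""
    if tls_padding_ok(plaintext):
        return "valid TLS padding"
    if sslv3_style_padding_ok(plaintext):
        return "reject: passes only the SSLv3-style check"
    return "reject: malformed"

# Constructed records: 16 bytes of data + 20-byte placeholder MAC + 12 bytes of padding.
BODY = b"GET / HTTP/1.1\r\n" + b"\xaa" * 20
GOOD = BODY + bytes([11]) * 12                 # 0x0b repeated, as TLS requires
LOOSE = BODY + bytes(range(11)) + bytes([11])  # arbitrary pad bytes, correct length byte

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("LOOSE", LOOSE), ("SHORT", BODY)):
        print(name, "->", classify(rec))
```

In a real record layer the MAC check follows the padding check, and padding and MAC failures must be indistinguishable to the peer.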

This protocol vulnerability is a variant of the POODLE ("Padding Oracle On Downgraded Legacy Encryption") attack.

This is a flaw in the protocol rather than in the TLS implementation.

The vendor has assigned bug ID CSCus09311 to this vulnerability.

The Cisco ACE 4700 Series Application Control Engine appliances are not affected, even though some vulnerability scanners may (incorrectly) identify them as vulnerable.

The original advisory is available at:

https://www.imperialviolet.org/2014/12/08/poodleagain.html

Brian Smith, Adam Langley, and Yngve Pettersen separately reported this vulnerability.

Impact:   A remote user with the ability to conduct a man-in-the-middle attack can decrypt TLS sessions.
Solution:   No solution was available at the time of this entry.

The vendor's advisory is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8730

Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8730
Cause:   Access control error

Message History:   None.



Copyright 2020, SecurityGlobal.net LLC