Cisco Security Advisory - On March 1, 2016, the OpenSSL Software Foundation released a security advisory detailing seven vulnerabilities and a new attack, referred to as the Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) attack. A total of eight Common Vulnerabilities and Exposures (CVEs) were assigned. Of the eight CVEs, three relate to the DROWN attack. The remaining CVEs track low severity vulnerabilities. DROWN is a cross-protocol attack that actively exploits weaknesses in SSL version 2 (SSLv2) to decrypt passively collected Transport Layer Security (TLS) sessions. DROWN does not exploit a vulnerability in the TLS protocol or any specific implementation of the protocol. To execute a successful DROWN attack, the attacker must identify a server that supports both SSLv2 and TLS, and uses the same RSA key pair for both protocols. The attacker must also be able to collect TLS traffic for the server.
3e48e7bc17ea549f2a95b4ce4a89eeb478de92a8d4e421cab91f33d1486ad152-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016
Advisory ID: cisco-sa-20160302-openssl
Version 1.0: Interim
For Public Release: 2016 March 2 19:30 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
On March 1, 2016, the OpenSSL Software Foundation released a security advisory detailing seven vulnerabilities and a new attack, referred to as the Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) attack. A total of eight Common Vulnerabilities and Exposures (CVEs) were assigned. Of the eight CVEs, three relate to the DROWN attack. The remaining CVEs track low severity vulnerabilities.
DROWN is a cross-protocol attack that actively exploits weaknesses in SSL version 2 (SSLv2) to decrypt passively collected Transport Layer Security (TLS) sessions. DROWN does not exploit a vulnerability in the TLS protocol or any specific implementation of the protocol.
To execute a successful DROWN attack, the attacker must identify a server that supports both SSLv2 and TLS, and uses the same RSA key pair for both protocols. The attacker must also be able to collect TLS traffic for the server.
This advisory will be updated as additional information becomes available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
iQIcBAEBAgAGBQJW10S9AAoJEK89gD3EAJB5NdkQAMtgK0CXafb5RAErJk8tL7gh
ssAHSfxqIaa5/LtPKgUZokFGT+lr/QDsjy7dWzYXPOux/sPENgIQZlqwMfUEEw3w
BHIx1H1KhJ4BFKAZTOMUjUmSQJv8rPfllekb87e4sK5+wk9JHO2azJoJ/YQlryBc
b+DdHaltS+bptQ9uai63IVWz8ATDMtdCC7ZeA5lKcx184kVsbScawP46KQCHJwij
IJZ0oCM9B6nagDMH75a53u7YIWz7ugs1CQgUSOoUOwdmgzNWEdohJ4uQL5epwHmY
BDf1pZUMjemZyiP62aXQZnta6vCF0VLC2lrrWx2bfFOHfLQ5cv5ZcAS2CruzN0Y3
ox88g8xQSJkUYggqtzWsD7zuJYN30D59dsfWBxbAjEpK/bjcQnHX9+3oeRuyljBi
L//EVLliYDTCnr/9+u2zCg42H5gsodEGscQZAoHLXvhDTV48/CaimpcISRyudTt8
8bIwgCvB35MbEcH2IIpzbIRjvmIt98CbxQGD5e1FGkBm1lmKqAoP77+h22IdAKh4
8YxN/W7qe0P1mVSfJVu5HYu44ZKKwhxd5ExT7NGCugJdEEB5DobXrsyu0jxR6gdq
VCR+Tw2Xbk+Xuf+lL3cfUaMz+V2Bvqb1zVJpTp3i6ix3qy/Hwssp/bJctM4Cetka
QNJPOHwNdCLuGkSqItKJ
=cvrZ
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed