Is AirDefense Vulnerable to CVE-2014-3566 related to SSL and Poodle

Symptoms
A vulnerability scan against ADSP 9.x reports the POODLE SSLv3 vulnerability.
Environment
  • AirDefense 
  • ADSP
  • AirDefense Services Platform
  • ADSP version 9.3.0-09 and below
  • WING
  • WING 5.8.3 
  • CVE-2014-3566
Cause
Poodle_sslV3 vulnerability scan results
Resolution
SSLv3 was removed in the ADSP version 9.4.0-11 release, which was a bug fix.

However, for the system to use TLS 1.2, the upgrade needs to happen on both sides (both WING and ADSP): the sensor (use WING version 5.8.3 or higher) and the ADSP appliance (use 9.4.0-11).

Upgrading only one or the other will not result in TLS 1.2.

IMPORTANT NOTE as per ADSP V 9.3.0-09 AND ABOVE Release Notes: 

With ADSP 9.3.0, SSLv3 can be turned off completely for sensor-to-server communication. For all other communication (e.g. UI, Toolkit, etc.) SSLv3 was disabled in previous releases. By default, SSLv3 communication is left enabled in ADSP 9.3 to permit communication with legacy sensors. To disable SSLv3 communication, follow the steps below. Also note that WiNG 5.8.3 or higher firmware must be used on sensors when SSLv3 is turned off, as those releases support TLS v1.2.
  • Log in to ADSP with smxmgr credentials
  • Select the “Config” option (type C)
  • Select “IDS” (type in ids)
  • Type “SSLv3” for “(SSLv3) Enable/Disable SSLv3 for Sensor-Server Communication”
  • The system will display the current status of SSLv3 in the system. If it is currently disabled, it will allow the user to enable it.
  • Type D to disable
  • Type Q to quit
  • The system will now warn that ADSP services will need to restart.
  • Type Yes to continue.
  • Once you exit out of the WIPSadmin login (type in quit), the ADSP service will be restarted

This should resolve the vulnerability scan problem.

 
Additional notes
In ADSP version 9.5 and above SSLv3 can be disabled via CLI
 
ADSPadmin >Config->IDS->SSLv3
 

Verification:
Disabling SSLv3 will disable TLS 1.0 and TLS 1.1 as well. To verify that the change was successful, run the command below via the ADSP CLI. The SSL handshake should fail, as shown below.

 

[smxmgr@AirDefense101 ~]$ openssl s_client -connect localhost:443 -tls1
socket: Connection refused
connect:errno=111

[smxmgr@lAirDefense101~]$ openssl s_client -connect localhost:443 -tls1
CONNECTED(00000003)
140467201148744:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
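
The verification above, extended to SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2 in one pass, as an added example (not vendor or ADSP code). The function names and the embedded sample are constructed for illustration, and the script assumes a local openssl build that still offers the legacy protocol flags. "Connection refused" is graded as inconclusive because it means nothing was listening on the port, not that a protocol version was turned down.

```shell
#!/bin/sh
# Added example (not ADSP code): grade `openssl s_client` results per protocol.

# Read s_client output on stdin and print one verdict word.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *[Uu]nknown\ option*)   echo "client-unsupported" ;; # local openssl lacks this flag
        *"Connection refused"*) echo "refused" ;;            # no listener on the port
        *"handshake failure"*|*"alert protocol version"*|*"no peer certificate available"*)
                                echo "rejected" ;;           # server declined this version
        *"Server certificate"*) echo "accepted" ;;           # handshake completed
        *)                      echo "unknown" ;;
    esac
}

# Expected state after the change in the article: legacy versions rejected,
# TLS 1.2 accepted. Any other verdict proves nothing either way.
grade() {
    case "$1:$2" in
        -tls1_2:accepted|-ssl3:rejected|-tls1:rejected|-tls1_1:rejected) echo PASS ;;
        -tls1_2:rejected|-ssl3:accepted|-tls1:accepted|-tls1_1:accepted) echo FAIL ;;
        *) echo INCONCLUSIVE ;;
    esac
}

# Probe one host:port (default is the endpoint used in the article's command).
check_endpoint() {
    target=${1:-localhost:443}
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        v=$(openssl s_client -connect "$target" "$flag" </dev/null 2>&1 | classify_handshake)
        printf '%-8s %-18s %s\n' "$flag" "$v" "$(grade "$flag" "$v")"
    done
}

# Constructed sample: the failing handshake output shown in the article.
SAMPLE_REJECTED='CONNECTED(00000003)
140467201148744:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available'

# Only touch the network when a target is given on the command line.
if [ "$#" -gt 0 ]; then check_endpoint "$1"; fi
```

Run it with the endpoint as the only argument, for example `localhost:443` as in the command above; a FAIL on any legacy flag means that version is still being accepted.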
