VN 2014 003 Poodle OpenSSL 3.0 Threat

Vulnerability Notice
Vulnerability Summary
A possible vulnerability threat has been discovered in the OpenSSL 3.0 protocol.  

BACKGROUND

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain clear text data via a padding-oracle attack, aka the "POODLE" issue.
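The "nondeterministic CBC padding" named above is the root cause behind every entry in this notice, so here is a short added illustration (not part of the advisory, and not Extreme Networks code) of what it means for a receiver. SSLv3 terminates a CBC record with n filler bytes whose values the specification leaves unspecified, followed by one byte holding n; TLS 1.0 and later require all n+1 bytes to carry the value n. The two unpad routines below, written to those rules, show the practical difference: an SSLv3 receiver cannot tell that a filler byte was altered in transit, while a TLS receiver rejects the record. The plaintext, block size and the single-bit corruption are constructed for the example.

```python
import os

BLOCK = 16  # cipher block size in bytes; the padding rules are the same for any CBC block cipher


def pad_len(plain):
    """Number of filler bytes needed before the final length byte."""
    return (BLOCK - (len(plain) + 1) % BLOCK) % BLOCK


def sslv3_pad(plain):
    """SSLv3 padding: n unspecified filler bytes followed by the byte n.
    The filler content is arbitrary, which is the 'nondeterministic' padding."""
    n = pad_len(plain)
    return plain + os.urandom(n) + bytes([n])


def tls_pad(plain):
    """TLS 1.0+ padding: n+1 bytes that all carry the value n."""
    n = pad_len(plain)
    return plain + bytes([n]) * (n + 1)


def sslv3_unpad(padded):
    """SSLv3 receiver: only the final length byte can be checked.
    Returns the content, or None when the padding is malformed."""
    if not padded:
        return None
    n = padded[-1]
    if n >= BLOCK or n + 1 > len(padded):
        return None
    return padded[:-(n + 1)]


def tls_unpad(padded):
    """TLS receiver: every padding byte must equal the length byte.
    (A production implementation performs this comparison in constant time.)"""
    if not padded:
        return None
    n = padded[-1]
    if n + 1 > len(padded):
        return None
    if any(b != n for b in padded[-(n + 1):]):
        return None
    return padded[:-(n + 1)]


def flip_first_filler_byte(padded):
    """Corrupt one filler byte (never the length byte), as a record altered in
    transit would be. Returns None when the record has no filler byte at all."""
    n = padded[-1]
    if n == 0:
        return None
    buf = bytearray(padded)
    buf[-(n + 1)] ^= 0x01
    return bytes(buf)


def receiver_notices_tampering(pad, unpad, plain):
    """True if the receiver rejects a record whose filler byte was altered."""
    tampered = flip_first_filler_byte(pad(plain))
    return tampered is not None and unpad(tampered) is None


def demo(plain=b"GET / HTTP/1.1"):
    # Constructed sample content (14 bytes, so one filler byte is present)
    return {
        "sslv3_detects_altered_padding": receiver_notices_tampering(sslv3_pad, sslv3_unpad, plain),
        "tls_detects_altered_padding": receiver_notices_tampering(tls_pad, tls_unpad, plain),
    }


if __name__ == "__main__":
    print(demo())
```

Because the SSLv3 check cannot be tightened without changing the protocol, the only remediation for the products below is to stop negotiating SSLv3 altogether, which is why the notice's workarounds all amount to removing SSLv3 from the server, the browser, or both.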

Published: 10/16/2014 9:22:29 AM CVSS Severity: 4.3 

The following software and software-supported products from Extreme Networks have been analyzed for this vulnerability:

1. ExtremeXOS
2. X-Series Secure Core Router
3. S, SSA, K, N & 7100 Series Switches
4. A, B, C, D, G, I & 800 Series Fixed Switches
5. NetSight / NAC(IA) / Purview
6. Ridgeline
7. IDS/IPS
8. Security Information & Event Manager
9. IdentiFi Wireless
10. Wireless Mobility
11. XSR (X-Pedition Security Router)
12. EWare

IMPACT

The vulnerability impact on Extreme products and technologies identified herein varies depending upon the impacted product and its use configuration and environment.

NOTE: Information in RED denotes new or updated information since the last revision of this notice.
Products Potentially Affected
The following is the vulnerability status of the software products supported by Extreme Networks for this issue:

Product                                          Vulnerable
ExtremeXOS                                       Yes - Fixed
X-Series Secure Core Router                      No
S, SSA, K, N & 7100 Series Switches              No
A, B, C, D, G, I & 800 Series Fixed Switches     Yes
NetSight / NAC(IA) / Purview                     Yes
Ridgeline                                        Yes
IDS/IPS                                          Yes
Security Information & Event Manager             Yes (previously listed as Investigating)
IdentiFi Wireless                                Yes
Wireless Mobility (versions WM 5.5X)             Yes
XSR (X-Pedition Security Router)                 No
ExtremeWare                                      Yes
Note: To our knowledge, no other Extreme products (including the Enterasys-branded products) have been determined to be vulnerable at this time.

Impact Details
The Impact Details will be listed using the following format:
  1. Vulnerable – Yes / No
  2. Vulnerable Component
  3. Conditions when component vulnerability occurs
  4. Product version affected
  5. Workaround
  6. Target Fix Release
 
ExtremeXOS (all products):
  1. Yes for SSL; No for the SSH client and server, including SCP
  2. Vulnerable Components:
    • Proactive Tech Support feature (when configured to use an SSL connection to a collector)
    • OpenFlow (when configured to use TLS for the controller connection)
    • XML notification (when configured to use an https notification target)
    • Web server (when configured to have https enabled)
  3. See the conditions listed under item 2
  4. All releases of EXOS
  5. No Workaround
  6. Fix Release(s): 15.6.2 and 15.7.1 and later releases
X-Series Secure Core Router
  1. No – Does not use SSL
S, SSA, K, N & 7100 Series Switches
  1. No – Does not use SSL
A, B, C, D, G, I & 800 Series Fixed Switches
  1. Vulnerable:  Yes
  2. Vulnerable Component:  Web Management Server
  3. Conditions when component vulnerability occurs:  SSL is used only for Web Management, no user data is vulnerable.
    SSL is disabled by default, but must currently be enabled to support TLSv1. This vulnerability is not a bug, but is inherently part of the SSLv3 protocol. As such only preventing use of SSLv3, prevents exposure.
    • Currently, all releases of the Management Web server are configured to allow web clients to negotiate SSLv3 protection. If the browser chooses to use SSLv3, then its communication with the controller is vulnerable to attack.
    • For the best security, it is recommended that SSLv3 be disabled on browsers used in managing the switch.
  4. Product Version affected:  All releases. 
  5. Workaround:  Do not enable Web Management.
  6. Target Fix Release:
  • For A4/B5/C5 switches firmware, 6.81.04 and higher contains support for TLS_FALLBACK_SCSV as a mechanism to prevent protocol downgrade attacks (i.e. TLS to SSL). However, this requires that it be enabled on supporting browsers (e.g. Google Chrome, Mozilla Firefox).
  • For A2, B2, B3, C2, C3, D, G, I, 800 Series there is no current plan to add this functionality.  As SSL v3 is no longer secure, it should be disabled on the browser.
  7. Target Timeframe: April 22, 2015
 
NetSight /NAC (IA)/ Purview:
  1. Yes 
  2. NetSight Server / NAC & Purview Appliances
  3. Encrypted data (including user name and password) in an https session to the NetSight Server could be converted to plain text via a man-in-the-middle attack if the attacker is in a position to modify packets sent to the server.
  4. All versions affected
  5. NetSight - A manual workaround is to edit the Tomcat server.xml file on the NetSight Server and add the following two attributes to the https port connector definition. This corrects port 8443 traffic only; there is no workaround for the RMI/JSM ports:
    sslProtocol="TLSv1.1"
    protocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"

    NAC & Purview Appliance – No workaround
  6. Target Fix Release: Fixed in 6.2.0 and higher
  7. Target Timeframe: March 2015
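The NetSight workaround above is a two-attribute change to one Tomcat connector, so it is easy to verify after the fact. The script below is an added example (not from the advisory or from Extreme Networks) that audits a server.xml for the https connector on port 8443 and reports whether the two attributes carry exactly the values the notice gives; the embedded server.xml is a constructed sample, not the NetSight file. Note that the advisory's protocols list omits SSLv3 entirely, which is what removes the exposure on that port.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat server.xml; not the NetSight Server's actual file.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" keystoreFile="conf/keystore" keystorePass="changeit"/>
  </Service>
</Server>
"""

# The two attribute values the advisory gives for the https connector.
REQUIRED_ATTRS = {
    "sslProtocol": "TLSv1.1",
    "protocols": "SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2",
}


def https_connectors(root, port):
    """All <Connector> elements on the given port that have SSL enabled."""
    return [c for c in root.iter("Connector")
            if c.get("port") == port and c.get("SSLEnabled", "false").lower() == "true"]


def audit(xml_text, port="8443"):
    """Return a list of (port, {attribute: current_value}) for each https connector on
    `port` whose settings differ from the workaround. An empty list means it is in place."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in https_connectors(root, port):
        wrong = {k: conn.get(k) for k, v in REQUIRED_ATTRS.items() if conn.get(k) != v}
        if wrong:
            findings.append((port, wrong))
    return findings


def apply_workaround(xml_text, port="8443"):
    """Return server.xml text with both attributes set on every https connector on `port`."""
    root = ET.fromstring(xml_text)
    for conn in https_connectors(root, port):
        for k, v in REQUIRED_ATTRS.items():
            conn.set(k, v)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit(SAMPLE_SERVER_XML))
    print("after: ", audit(apply_workaround(SAMPLE_SERVER_XML)))
```

Use audit() to confirm a hand-edited production file rather than apply_workaround(), since ElementTree re-serialisation discards comments and formatting; and remember the notice's own caveat that this covers only the 8443 connector, not the RMI/JSM ports.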
Ridgeline:
  1. Yes
  2. Vulnerable Components:
    • Web Reports
    • RestAPI
    • Identity Events
    • SOAP APIs used to pull UPM/Identity/vlan service data
    • Provisioning (reading of the result file)
  3. Encrypted data (including user name and password) in an https session could be converted to plain text via a man-in-the-middle attack if the attacker is in a position to modify packets sent to the EMS.
  4. All
  5. No Workaround
  6. Target Fix Release: 4.0 Sp2 Patch 1
  7. Target Fix Timeframe: March 2015
IDS / IPS:
  1. Yes 
  2. EMS application
  3. Encrypted data (including user name and password) in an https session to the EMS could be converted to plain text via a man-in-the-middle attack if the attacker is in a position to modify packets sent to the EMS.
  4. All versions
  5. The vulnerability can be mitigated by hand-editing a couple of configuration files on the EMS host. Contact customer support for details.
  6. Target Fix Release: No fix is planned for any version (see work-around)
  7. Target Fix Timeframe: N/A
Security Information & Event Manager:
  1. Yes
  2. SIEM Console
  3. Encrypted data (including user name and password) in an https session to the SIEM console could be converted to plain text via a man-in-the-middle attack if the attacker is in a position to modify packets sent to the server.
  4. All
  5. No Workaround
  6. Target Fix Release:  7.7.4.2
  7. Target Fix Timeframe: December 2014
  
IdentiFi Wireless:
Controller:
  1. Controller: Yes
  2. Apache Web Server
  3. All releases of the controller's web server are configured to allow web clients to negotiate SSLv3 protection. If the browser chooses to use SSLv3, then its communication with the controller is vulnerable to the POODLE attack.
  4. All 9.12 releases and all earlier controller software releases are affected.
  5. No Workaround
  6. Target Fix Release: Fixed in 8.32.13 and 9.15.01 or higher
  7. Target Release Timeframe: November 28, 2014 (8.32.13) & November 21, 2014 (9.15.01)
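Both the A/B/C/D/G/I/800 Series web management server and the IdentiFi controller entries above describe the same condition: the server still lets a browser negotiate SSLv3, and the A4/B5/C5 fix (6.81.04) adds TLS_FALLBACK_SCSV so that a supporting browser's downgrade to SSLv3 is refused. The script below is an added example (not from the advisory, not Extreme Networks code) that an administrator can run against their own management interface to check both properties: it sends a minimal SSLv3 ClientHello and classifies the reply, then repeats the probe with the TLS_FALLBACK_SCSV signalling suite to see whether the server answers with the inappropriate_fallback alert. The cipher suite list, the constructed sample responses and the host/port arguments are assumptions of the example.

```python
import socket
import struct

SSLV3 = (3, 0)
TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value for TLS_FALLBACK_SCSV
INAPPROPRIATE_FALLBACK = 86       # alert description a supporting server returns
# Constructed list of CBC suites an SSLv3-era server would recognise
PROBE_SUITES = [0x002F, 0x0035, 0x000A]   # AES128-SHA, AES256-SHA, DES-CBC3-SHA


def build_client_hello(version=SSLV3, suites=PROBE_SUITES, fallback_scsv=False):
    """Build a minimal ClientHello record (no extensions) for the given protocol version."""
    suites = list(suites) + ([TLS_FALLBACK_SCSV] if fallback_scsv else [])
    major, minor = version
    body = bytes([major, minor])
    body += b"\x00" * 32                                   # client_random (fixed; a probe needs no secrecy)
    body += b"\x00"                                        # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                    # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello, 24-bit length
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returns to an SSLv3 ClientHello.
    'sslv3_accepted'    - ServerHello with server_version 3.0: the server still speaks SSLv3
    'downgrade_refused' - inappropriate_fallback alert: TLS_FALLBACK_SCSV is honoured
    'refused'           - any other alert (typically handshake_failure or protocol_version)
    'other'             - anything else (closed connection, unexpected data)"""
    if len(data) < 5:
        return "other"
    content_type = data[0]
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake / server_hello
        return "sslv3_accepted" if (data[9], data[10]) == SSLV3 else "other"
    if content_type == 0x15 and len(data) >= 7:                          # alert record
        return "downgrade_refused" if data[6] == INAPPROPRIATE_FALLBACK else "refused"
    return "other"


def probe(host, port=443, timeout=5.0):
    """Send a plain SSLv3 ClientHello, then one carrying TLS_FALLBACK_SCSV; report both results."""
    results = {}
    for name, scsv in (("sslv3", False), ("sslv3_with_fallback_scsv", True)):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(fallback_scsv=scsv))
            try:
                data = sock.recv(4096)
            except (socket.timeout, ConnectionError):
                data = b""
        results[name] = classify_response(data)
    return results


# Constructed sample responses so the classifier can be exercised offline
SAMPLE_SSLV3_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a" + b"\x02\x00\x00\x26" + b"\x03\x00"
                             + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
SAMPLE_FALLBACK_ALERT = b"\x15\x03\x00\x00\x02\x02\x56"      # fatal, inappropriate_fallback
SAMPLE_HANDSHAKE_FAILURE = b"\x15\x03\x00\x00\x02\x02\x28"   # fatal, handshake_failure

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:
        for sample in (SAMPLE_SSLV3_SERVER_HELLO, SAMPLE_FALLBACK_ALERT, SAMPLE_HANDSHAKE_FAILURE):
            print(classify_response(sample))
```

A result of 'sslv3_accepted' for the first probe is the condition the two entries describe; 'downgrade_refused' on the second shows the server side of TLS_FALLBACK_SCSV is present, which, as the notice says, still only helps when the browser also sends the signalling suite, so disabling SSLv3 in the browser remains the recommendation for the products that will not receive the fix.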
 
Access Points:
  1. Not affected – Do not use OpenSSL
 
Wireless Mobility:   
  1. No for standalone APs, but yes for adopted APs and WM controllers.
  2. WebUI
  3. Encrypted data (including user name and password) in an https session to the WM Controller could be converted to plain text via a man-in-the-middle attack if the attacker is in a position to modify packets sent to the server.
  4. All
  5. Turning off HTTPS is the only workaround at this time.
  6. Target Fix Release: WM 5.5.5 – Delivery Pending
  7. Target Fix Timeframe: December 2014
 
XSR (X-Pedition Security Router):
  1. Not Vulnerable – Does not use OpenSSL. 
 
EWare (all products):
  1. Yes for SSL; No for the SSH client and server, including SCP
  2. HTTP server (when configured to have https enabled)
  3. See above
  4. ExtremeWare 7.8.4 (OpenSSL version 0.9.7c)
  5. No Workaround
  6. There is no release under development and this will not be fixed.
 
Threat Details
 
CVE             Name                            Impact   Vulnerable Versions                 Client   Server
CVE-2014-3566   OpenSSL 3.0 Protocol - Poodle   Medium   Server: OpenSSL 1.0.1i and below    Medium   Medium
                                                         Client: OpenSSL 1.0.1i and below
 
Repair Recommendations
The resolution to any threat or issue is dependent upon a number of things, including the set-up of the computer network and how the local IT team wants to address the situation.  Accordingly, in addition to updating the software as recommended in this document, the local IT team will need to analyze and address the situation in a manner that it determines will best address the set-up of its computer network.
Update the software identified in this Notice on your Extreme Networks products by replacing it with the latest releases from Extreme Networks, including the following versions (or above):
  
  1. ExtremeXOS: Patched versions of 15.3 and above
  2. X-Series Secure Core Router: N/A
  3. S, SSA, K, N & 7100 Series Switches: N/A
  4. A, B, C, D, G, I & 800 Series Fixed Switches: for A4/B5/C5 firmware, 6.81.04 or higher
  5. NetSight/NAC(IA)/Purview: 6.2
  6. Ridgeline: 4.0 Sp2 Patch 1
  7. IDS/IPS: No fix is planned for any version
  8. Security Information & Event Manager: 7.7.4.2
  9. IdentiFi Wireless: 9.12.04, 8.32.12
  10. Wireless Mobility: WM 5.5.5 release targeted for December
  11. EWare: This issue will not be fixed.
  12. XSR: N/A
 
Firmware and software can be downloaded from http://www.extremenetworks.com/support/
 
 
Further Information
 
NIST release:  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
 
US-CERT Release:  https://www.us-cert.gov/ncas/alerts/TA14-290A
 
 
Legal Notice
THIS ADVISORY NOTICE IS PROVIDED ON AN "AS IS" BASIS AND EXTREME NETWORKS MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESSLY DISCLAIMING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. USE OF THE INFORMATION PROVIDED HEREIN OR MATERIALS LINKED FROM THIS ADVISORY NOTICE IS AT YOUR OWN RISK. EXTREME NETWORKS RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME, AND EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.  THE INFORMATION PROVIDED HEREIN IS APPLICABLE TO CURRENT EXTREME NETWORKS’ PRODUCTS IDENTIFIED HEREIN AND IS NOT INTENDED TO BE ANY REPRESENTATION OF FUTURE FUNCTIONALITY OR COMPATIBILITY WITH ANY 3RD PARTY TECHNOLOGIES REFERENCED HEREIN.  THIS NOTICE SHALL NOT CHANGE ANY CONTRACT OR AGREEMENT THAT YOU HAVE ENTERED INTO WITH EXTREME NETWORKS.
©2014 Extreme Networks, Inc. All rights reserved. Extreme Networks, the Extreme Networks logo, and other trademarks listed in this document, marked with an asterisk (*),   are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks please see http://www.extremenetworks.com/company/legal/trademarks. Specifications and product availability are subject to change without notice.
Document No. / Revision: VN-2014-003 & 003a / Rev 07
Effective Date: 12/19/2014 / Owner: Serviceability



This notice was imported into GTAC Knowledge on 18-Jan-2016.  
