Detections
Analytics
Cisco IOS Multiple OpenSSL Vulnerabilities (CSCup22590)
medium Nessus Plugin ID 88988
Language:
Synopsis
The remote device is missing a vendor-supplied security patch.Description
The remote Cisco IOS device is missing a vendor-supplied security patch and has an IOS service configured to use TLS or SSL. It is, therefore, affected by the following vulnerabilities in the bundled OpenSSL library :- A buffer overflow error exists related to invalid DTLS fragment handling that can lead to execution of arbitrary code. Note this issue only affects OpenSSL when used as a DTLS client or server. (CVE-2014-0195)
- An error exists related to DTLS handshake handling that could lead to denial of service attacks. Note that this issue only affects OpenSSL when used as a DTLS client.
(CVE-2014-0221)
- An unspecified error exists that allows an attacker to cause usage of weak keying material leading to simplified man-in-the-middle attacks. (CVE-2014-0224)
Solution
Upgrade to the relevant fixed version referenced in Cisco bug ID CSCup22590.See Also
http://www.nessus.org/u?0aa6a7e6
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCup22590
https://www.openssl.org/news/secadv/20140605.txt
Plugin Details
Severity: Medium
ID: 88988
File Name: cisco-sa-20140605-openssl-ios.nasl
Version: 1.12
Type: combined
Family: CISCO
Published: 2/26/2016
Updated: 11/19/2019
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: High
Score: 7.7
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5.6
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
Vulnerability Information
CPE: cpe:/o:cisco:ios
Required KB Items: Host/Cisco/IOS/Version
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 6/5/2014
Vulnerability Publication Date: 6/3/2014
Exploitable With
Core Impact