Next Page >>
Transport Layer Security
Cisco ASA 5500 Series Adaptive Security Appliances are affected by
multiple vulnerabilities as follows:
* Three SunRPC Inspection Denial of Service Vulnerabilities
* Three Transport Layer Security (TLS) Denial of Service
Vulnerabilities
* Session Initiation Protocol (SIP) Inspection Denial of Service
Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service
Vulnerability
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. Problem Description
>or a Denial of Service.
>
>Background
>==========
>
>OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
>(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
>purpose cryptography library.
>
>Affected packages
>=================
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. Problem Description
into encrypted byte streams.
Background
==========
OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.
Affected packages
=================
or a Denial of Service.
Background
==========
OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.
Affected packages
=================
certificate details.
Background
==========
OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.
Affected packages
=================
execution of arbitrary code and other attacks.
Background
==========
OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.
Affected packages
=================
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured,
and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. Problem Description
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols
provide a secure communications layer over which other protocols can be
utilized. The most widespread use of SSL/TLS is to add security to the
HTTP protocol, thus producing HTTPS.
FreeBSD includes software from the OpenSSL Project which implements SSL
Subject: RE: TLS Renegotiation Vulnerability: Proof of Concept Code
(Python)
Also, can you change this:
"Transport Layer Security (TLS) Renegotiation Indication Extension, IETF
draft standard that addresses the vulnerability."
To:
"Transport Layer Security (TLS) Renegotiation Indication Extension, IETF
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
The function ASN1_STRING_print_ex is often used to print the contents of
an SSL certificate.
Also, can you change this:
"Transport Layer Security (TLS) Renegotiation Indication Extension, IETF
draft standard that addresses the vulnerability."
To:
"Transport Layer Security (TLS) Renegotiation Indication Extension, IETF TLS
Working Group draft that addresses the vulnerability."
using OpenSSL.
Background
==========
OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.
Affected packages
=================
v1.0 2009-12-03 Initial release.
v1.1 2009-12-03 Corrected instructions in section V.2)b).
I. Background
The SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols
provide a secure communications layer over which other protocols can be
utilized. The most widespread use of SSL/TLS is to add security to the
HTTP protocol, thus producing HTTPS.
FreeBSD includes software from the OpenSSL Project which implements SSL
code in daemons using GnuTLS.
Background
==========
GnuTLS is an implementation of Secure Sockets Layer (SSL) 3.0 and
Transport Layer Security (TLS) 1.0, 1.1 and 1.2.
Affected packages
=================
authentication as part of responses to DNS queries.
FreeBSD includes software from the OpenSSL Project. The OpenSSL
Project is a collaborative effort to develop a robust,
commercial-grade, full-featured Open Source toolkit implementing the
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols as well as a full-strength general purpose cryptography
library.
II. Problem Description
spoofing attacks.
Background
==========
OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.
Affected packages
=================
* TCP Connection Exhaustion Denial of Service Vulnerability
* Session Initiation Protocol (SIP) Inspection Denial of Service
Vulnerabilities
* Skinny Client Control Protocol (SCCP) Inspection Denial of
Service Vulnerability
* WebVPN Datagram Transport Layer Security (DTLS) Denial of Service
Vulnerability
* Crafted TCP Segment Denial of Service Vulnerability
* Crafted Internet Key Exchange (IKE) Message Denial of Service
Vulnerability
* NT LAN Manager version 1 (NTLMv1) Authentication Bypass
Two crafted packet vulnerabilities exist in the Cisco PIX 500 Series
Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security
Appliance (ASA) that may result in a reload of the device. These
vulnerabilities are triggered during processing of Media Gateway
Control Protocol (MGCP) packets, or during processing of Transport
Layer Security (TLS) traffic that terminates on the PIX or ASA security
appliance.
Note: These vulnerabilities are independent of each other; a device may
be affected by one and not by the other.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Transport Layer Security Renegotiation
Vulnerability
Advisory ID: cisco-sa-20091109-tls
http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml
The SIP Phone Port, which is set to 5060 by default, refers to the
TCP and UDP ports on which the Cisco Unified Communications Manager
listens for normal SIP messages. SIP Phone Secure Port, which is set
to 5061 by default, refers to the TCP port on which the Cisco Unified
Communications Manager listens for SIP over Transport Layer Security
(TLS) messages. For additional information about this procedure,
refer to the "Updating a Cisco Unified Communications Manager"
section of the "Cisco Unified Communications Manager Administration
Guide" at:
=======
The Catalyst CSM is an integrated Server Load Balancing line card for
the Catalyst 6500 and 7600 Series designed to enhance the response
time for client traffic to end points including servers, caches,
firewalls, Secure Sockets Layer (SSL) devices, and VPN termination
devices.
The Catalyst 6500 CSM-S combines high-performance server load
balancing (SLB) with Secure Socket Layer (SSL) offload. The CSM-S is
similar to the CSM; however, it can also terminate and initiate
calls across IP networks such as the Internet. SIP is responsible for
handling all aspects of call setup and termination. Voice and video
are the most popular types of sessions that SIP handles, but the
protocol is flexible to accommodate for other applications that
require call setup and termination. SIP call signaling can use UDP
(port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP
port 5061) as the underlying transport protocol.
MGCP is the protocol for controlling telephony gateways from external
call control elements known as media gateway controllers or call
agents. A telephony gateway is a network element that provides
This is a writeup about a flaw that I found recently, and that
existed in multiple implementations of SMTP (Simple Mail Transfer
Protocol) over TLS (Transport Layer Security) including my Postfix
open source mailserver. I give an overview of the problem and its
impact, how to find out if a server is affected, fixes, and draw
lessons about where we can expect similar problems. A time line
is at the end.
For further reading:
http://www.kb.cert.org/vuls/id/555316
and folders on a Novell NetWare® 6.5 server or Novell Open Enterprise
Server can be
accessed using either a browser or via Network Neighborhood and Microsoft Web
Folders; no Novell Client^ software is required. Users can securely
access files
from any IP-enabled machine via Secure Sockets Layer (SSL) and Secure Hypertext
Transfer Protocol (HTTPS)."
Novell NetStorage contains a wide variety of vulnerabilities that may
allow an attacker
to cause a denial of service, gain configuration information or exploit other
calls across IP networks such as the Internet. SIP is responsible for
handling all aspects of call setup and termination. Voice and video
are the most popular types of sessions that SIP handles, but the
protocol is flexible enough to accommodate other applications that
require call setup and termination. SIP call signaling can use UDP
(port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP
port 5061) as the underlying transport protocol.
A DoS vulnerability exists in the SIP implementation of the Cisco
Unified Communications Manager. This vulnerability could be triggered
when Cisco Unified Communications Manager processes crafted SIP
* Telnet Access
* SSH Access
* Cisco Tunneling Control Protocol (cTCP) for Remote Access VPNs
* Virtual Telnet
* Virtual HTTP
* Transport Layer Security (TLS) Proxy for Encrypted Voice
Inspection
* Cut-Through Proxy for Network Access
* TCP Intercept
Crafted H.323 Packet DoS Vulnerability
identifier CVE-2008-2055.
2. Crafted TLS Packet Vulnerability
+----------------------------------
Transport Layer Security (TLS) is the replacement for the Secure
Socket Layer (SSL) protocol. It is a protocol that provides, via
cryptography, secure communications between two end-points.
The Cisco PIX and Cisco ASA security appliances rely on TLS to
protect the confidentiality of communications in a variety of
responsible for handling all aspects of call setup and termination.
Voice and video are the most popular types of sessions that SIP
handles, but the protocol has the flexibility to accommodate other
applications that require call setup and termination. SIP call
signaling can use UDP (port 5060), TCP (port 5060), or Transport
Layer Security (TLS; TCP port 5061) as the underlying transport
protocol.
Multiple vulnerabilities exist in the SIP implementation in Cisco IOS
Software that could allow a remote attacker to cause an affected
device to reload or to trigger memory leaks that may result in system
Next Page>>
|
