The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Check Point, Cisco, IBM, F5, FortiOS: information disclosure via POODLE on TLS

Summary of the vulnerability

An attacker positioned as a Man-in-the-Middle can decrypt a TLS session terminated by the affected product, in order to obtain sensitive information.
Vulnerable products: GAiA, CheckPoint IP Appliance, IPSO, CheckPoint Power-1 Appliance, SecurePlatform, CheckPoint Security Appliance, CheckPoint Smart-1, CheckPoint VSX-1, Cisco ACE, ASA, BIG-IP Hardware, TMOS, Fedora, FortiGate, FortiGate Virtual Appliance, FortiOS, Db2 UDB, Domino by IBM, Informix Server, Tivoli Directory Server, openSUSE, Solaris, Palo Alto Firewall PA***, PAN-OS, Ubuntu.
Severity of this weakness: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 09/12/2014.
Revision date: 17/12/2014.
References of this bulletin: 1450666, 1610582, 1647054, 1692906, 1693052, 1693142, bulletinjul2017, CERTFR-2014-AVI-533, CSCus08101, CSCus09311, CVE-2014-8730, CVE-2015-2774, FEDORA-2015-12923, FEDORA-2015-12970, openSUSE-SU-2016:0523-1, sk103683, SOL15882, USN-3571-1, VIGILANCE-VUL-15756.

Description of the vulnerability 

The VIGILANCE-VUL-15485 (POODLE) vulnerability originates from incorrect handling of SSLv3 CBC padding: SSLv3 checks only the padding length byte, never the padding bytes themselves.

The F5 BIG-IP product can be configured to "terminate" SSL/TLS sessions. However, even when TLS is negotiated, this BIG-IP feature reuses the SSLv3 routine to check the padding, so the padding bytes of TLS records are not verified either. TLS sessions are thus also vulnerable to POODLE.

The same vulnerability also impacts Check Point, Cisco, IBM and Fortinet products.

An attacker positioned as a Man-in-the-Middle can therefore decrypt a TLS session terminated by the affected product, in order to obtain sensitive information.
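To make the defect concrete, the following added example (written for this page, not code from the bulletin or from any of the vendors) compares the SSLv3-style padding check with the strict TLS check on the plaintext of a CBC record after decryption. The cipher and IV are omitted; the AES block size, the HMAC-SHA1 record MAC, the key and the record content are constructed assumptions.

```python
import hashlib
import hmac

BLOCK_SIZE = 16   # assumption: AES-CBC cipher suite
MAC_LEN = 20      # assumption: HMAC-SHA1 record MAC

def build_record_plaintext(content: bytes, mac_key: bytes) -> bytes:
    # Decrypted TLS 1.x CBC record: content || MAC || padding || pad_len
    body = content + hmac.new(mac_key, content, hashlib.sha1).digest()
    pad_len = BLOCK_SIZE - 1 - (len(body) % BLOCK_SIZE)
    return body + bytes([pad_len]) * (pad_len + 1)

def unpad_sslv3_style(plaintext: bytes) -> bytes:
    # SSLv3 rule: only the length byte is checked, never the padding
    # bytes themselves. This is the POODLE defect.
    pad_len = plaintext[-1]
    if pad_len >= BLOCK_SIZE or pad_len + 1 > len(plaintext):
        raise ValueError("bad padding length")
    return plaintext[:-(pad_len + 1)]

def unpad_tls_strict(plaintext: bytes) -> bytes:
    # TLS 1.x rule: every padding byte must equal pad_len (the behaviour
    # a strict setting such as GSK_STRICTCHECK_CBCPADBYTES enforces).
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        raise ValueError("bad padding length")
    if plaintext[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        raise ValueError("padding bytes are not uniform")
    return plaintext[:-(pad_len + 1)]

def accept_record(plaintext: bytes, mac_key: bytes, strict: bool):
    # Returns the application content, or None when the record is rejected.
    try:
        body = unpad_tls_strict(plaintext) if strict else unpad_sslv3_style(plaintext)
    except ValueError:
        return None
    content, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, content, hashlib.sha1).digest()
    return content if hmac.compare_digest(mac, expected) else None

def garble_padding_block(plaintext: bytes) -> bytes:
    # Simulate a final CBC block that decrypted to garbage except for its
    # length byte, while the blocks holding content and MAC stayed intact.
    junk = bytes(b ^ 0x5A for b in plaintext[-BLOCK_SIZE:-1])
    return plaintext[:-BLOCK_SIZE] + junk + plaintext[-1:]

KEY = b"constructed-mac-key"
# 12-byte content + 20-byte MAC fill two blocks, so the last block is pure padding
GOOD = build_record_plaintext(b"secret-token", KEY)
GARBLED = garble_padding_block(GOOD)
```

With the SSLv3-style check, GARBLED is accepted although its padding bytes are garbage; the strict check rejects it, which is exactly the gap a padding-unaware TLS implementation leaves open.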


Our Vigil@nce team rated the severity of this security note as important.

The trust level is: confirmed by the vendor. The attack origin is: internet client.

This bulletin covers 2 vulnerabilities.

An attacker with expert skills can exploit this cybersecurity note.

Solutions for this threat 

Check Point: solution for POODLE on TLS.
The solution is indicated in information sources.

Cisco ACE: solution CSCus09311.
The solution CSCus09311 is available:
  https://tools.cisco.com/bugsearch/bug/CSCus09311

Cisco ASA: solution CSCus08101.
The solution CSCus08101 is available:
  https://tools.cisco.com/bugsearch/bug/CSCus08101

Erlang: version 17.5.
The version 17.5 is fixed:
  http://www.erlang.org/download.html

F5 BIG-IP: fixed versions for POODLE on TLS.
Fixed versions are indicated in information sources.

Fedora: new erlang packages.
New packages are available:
  Fedora 21: erlang 17.4-4.fc21
  Fedora 22: erlang 17.4-4.fc22

FortiOS: version 5.2.3.
The version 5.2.3 is fixed.

IBM DB2: version 10.1 Fix Pack 5.
The version 10.1 Fix Pack 5 is fixed:
  http://www-304.ibm.com/support/docview.wss?uid=swg24040170#Description

IBM DB2: version 10.5 Fix Pack 6.
The version 10.5 Fix Pack 6 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg24040522

IBM DB2: version 9.7 Fix Pack 11.
The version 9.7 Fix Pack 11 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg24040935

IBM Domino: fixed versions for POODLE on TLS.
Fixed versions are indicated in information sources.

IBM Informix Dynamic Server: workaround for POODLE on TLS.
A workaround is to use GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE.

IBM Tivoli Directory Server: patch for POODLE on TLS.
A patch is available in information sources.

openSUSE 13.2: new erlang packages.
New packages are available:
  openSUSE 13.2: erlang 17.1-3.3.1

Oracle Solaris: patch for third party software of July 2017 v3.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

PAN-OS: workaround for POODLE on TLS.
A workaround is indicated in the information source.

Solaris: patch for Third Party software.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Ubuntu: new erlang packages.
New packages are available:
  Ubuntu 17.10: erlang 1:20.0.4+dfsg-1ubuntu1.1
  Ubuntu 16.04 LTS: erlang 1:18.3-dfsg-1ubuntu3.1
  Ubuntu 14.04 LTS: erlang 1:16.b.3-dfsg-1ubuntu2.2
