Multiple Vulnerabilities in OpenSSL
Products Supported: All Products. Click here to identify your router.
Firmware Version: 5.1.2 and older - for information on upgrading firmware, click here.
The OpenSSL project released an advisory on June 5th, 2014, which describes the newly discovered vulnerabilities.
Some Cradlepoint products utilize OpenSSL and are affect by this advisory.
- SSL/TLS MITM vulnerability (CVE-2014-0224) may allow an attacker with a privleged network position (man-in-the-middle) to decrypt SSL encrypted communications.
- DTLS recursion flaw (CVA-2014-0221) may allow an attacker to crash a DTLS client with an invalid handshake.
- DTLS invalid fragment vulnerability (CVE-2014-0195) can result in a buffer overrun attack by sending invalid DTLS fragments to an OpenSSL DTLS client or server.
- SSLMODERELEASEBUFFERS session injection or denial of service (CVE-2010-5298) may allow an attacker to cause a denial of service under certain conditions, when -SSLMODERELEASEBUFFERS is enabled.
- Anonymous ECDH denial of service (CVE-2014-3470) may allow an attacker to trigger a denial of service in SSL clients when anonymous ECDH ciphersuites are enabled.
More information on these issues can be found in the original OpenSSL Advisory.
These vulnerabilities are mitigated in the Cradlepoint Enterprise Cloud Manager or WiPipe Central because the systems have been updated as of 06/09/2014 8pm EDT.
Regarding Cradlepoint router firmware, we believe at this time that the CVE-2014-0224 vulnerability has the highest chance to be an issue for our customers, even though the potential risk is small. If either the client or the server (router) has been updated to the latest OpenSSL version, then this will no longer be an issue.
Cradlepoint Enterprise Cloud Manager (ECM) - All Enterprise Cloud Manager instances were updated with security fixes during the maintenance release on 06/09/2014 at 8pm EDT.
Cradlepoint WiPipe Central- All WiPipe Central instances were updated with security fixes during the maintenance release on 06/09/2014 at 8pm EDT.
Cradlepoint Routers -
- AER 2100
- ARC CBA750B
- ARC MBR1400
- CBA 750B
- COR IBR600
- COR IBR650
The latest OpenSSL version 1.0.1h has been merged into the Cradlepoint router firmware base and was released in the 5.2.0 firmware released on June 30, 2014.
Note: The CBR400/450 are at End of Life and are affected, there are no current plans to update them.
Published Date: 12/15/2014
This article not have what you need? Not find what you were looking for? Think this article can be improved? Please let us know at firstname.lastname@example.org.