OpenSSL SSLv3: POODLE Vulnerability CVE-2014-3566
The OpenSSL project released an advisory on October 15th 2014, which describes the newly discovered vulnerability (CVE-2014-3566). Some Cradlepoint products utilize OpenSSL and are affected by this advisory.
Cradlepoint Routers: Models listed below
- AER 2100
- ARC MBR1400
- ARC CBA750B
- COR IBR1100
- COR IBR1150
- COR IBR600
- COR IBR650
*These products will not be receiving a firmware release. Cradlepoint recommends disabling Remote Management on the device, or disabling SSL 3.0 and connecting to the router with a minimum of TLS 1.0.
Currently, Cradlepoint is investigating the issue to provide a long-term solution to address the POODLE vulnerability; this article will be updated accordingly. In the interim, Cradlepoint recommends:
- Upgrade to router firmware version 5.2.4 when available (scheduled release 10:00pm EST, October 22, 2014)
- Customers utilizing the Cradlepoint router remote management feature should disable it in order to prevent exploitation of this newly discovered issue. If you’re unsure whether remote management is enabled, please consult our Remote Management KB article.
- Enterprise Cloud Manager (ECM) and WiPipe Central were patched on November 11, 2014 and are no longer vulnerable.
Detail / Impact
The SSLv3 protocol fallback vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2014-3566. On October 14, 2014, a vulnerability in the Cipher-Block-Chaining (CBC) mode of the Secure Sockets Layer version 3 (SSLv3) protocol was publicly announced here.
SSL 3.0 (RFC-6101) is an obsolete and insecure protocol. While for most practical purposes it has been replaced by its successors TLS 1.0 (RFC-2246), TLS 1.1 (RFC-4346), and TLS 1.2 (RFC-5246), many TLS implementations remain backward compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. The protocol handshake provides for authenticated version negotiation, so normally the latest protocol version common to the client and the server will be used. However, even if a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant because many clients implement a protocol downgrade dance to work around server-side interoperability bugs. Attackers can exploit the downgrade dance and break the cryptographic security of SSL 3.0. The POODLE attack will allow them, for example, to steal "secure" HTTP cookies (or other bearer tokens such as HTTP Authorization header contents).
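As an added example (not Cradlepoint's or OpenSSL's code), the following Python sketch checks whether an endpoint you administer still completes an SSL 3.0 handshake, which is the condition the downgrade described above depends on and the setting the recommendation asks you to disable. The function names, the offered cipher-suite list, the default port, and the sample reply bytes are assumptions constructed for illustration.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"
# Assumed offer list: common RSA suites (AES-CBC, 3DES-CBC, RC4) by their registry IDs.
SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]
# Constructed sample replies (first bytes only), not captured from a real device.
SAMPLE_SERVER_HELLO = bytes.fromhex("16 03 00 00 2a 02 00 00 26 03 00")
SAMPLE_ALERT = bytes.fromhex("15 03 00 00 02 02 28")  # fatal handshake_failure

def client_hello() -> bytes:
    """Build a ClientHello whose highest offered version is SSL 3.0."""
    body = SSL3 + os.urandom(32) + b"\x00"    # version, random, empty session_id
    body += struct.pack(">H", 2 * len(SUITES))
    body += b"".join(struct.pack(">H", s) for s in SUITES)
    body += b"\x01\x00"                       # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack(">H", len(handshake)) + handshake

def classify(reply: bytes) -> str:
    """Interpret the first bytes of the server's answer."""
    if not reply:
        return "closed"                       # connection dropped without a record
    if reply[0] == 0x15:
        return "rejected"                     # alert record: handshake refused
    if len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02:
        # ServerHello: bytes 9-10 carry the version the server selected
        return "accepted" if reply[9:11] == SSL3 else "inconclusive"
    return "inconclusive"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Offer SSL 3.0 only and report how the server responds."""
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(client_hello())
            while len(reply) < 11 and reply[:1] != b"\x15":
                chunk = s.recv(11 - len(reply))
                if not chunk:
                    break
                reply += chunk
    except ConnectionResetError:
        pass                                  # reset is treated like a close
    return classify(reply)
```

Call `probe(host, port)` against the router's management address after changing the setting; `accepted` means the device still negotiates SSL 3.0, while `rejected` or `closed` is the expected result once it is disabled.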
Published Date: 12/11/2014