Cisco IOS Multiple OpenSSL Vulnerabilities (CSCut46130)

high Nessus Plugin ID 90525
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

The remote Cisco IOS device is missing a vendor-supplied security patch and has an IOS service configured to use TLS or SSL. It is, therefore, affected by the following vulnerabilities in the bundled OpenSSL library :

- A use-after-free condition exists in the d2i_ECPrivateKey() function due to improper processing of malformed EC private key files during import. A remote attacker can exploit this to dereference or free already freed memory, resulting in a denial of service or other unspecified impact. (CVE-2015-0209)

- An invalid read error exists in the ASN1_TYPE_cmp() function due to improperly performed boolean-type comparisons. A remote attacker can exploit this, via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature, to cause an invalid read operation, resulting in a denial of service.
(CVE-2015-0286)

- A flaw exists in the ASN1_item_ex_d2i() function due to a failure to reinitialize 'CHOICE' and 'ADB' data structures when reusing a structure in ASN.1 parsing.
This allows a remote attacker to cause an invalid write operation and memory corruption, resulting in a denial of service. (CVE-2015-0287)

- A NULL pointer dereference flaw exists in the X509_to_X509_REQ() function due to improper processing of certificate keys. This allows a remote attacker, via a crafted X.509 certificate, to cause a denial of service. (CVE-2015-0288)

- A NULL pointer dereference flaw exists in the PKCS#7 parsing code due to incorrect handling of missing outer ContentInfo. This allows a remote attacker, using an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, to cause a denial of service. (CVE-2015-0289)

- An integer underflow condition exists in the EVP_DecodeUpdate() function due to improper validation of base64 encoded input when decoding. This allows a remote attacker, using maliciously crafted base64 data, to cause a segmentation fault or memory corruption, resulting in a denial of service or possibly the execution of arbitrary code. (CVE-2015-0292)

- A flaw exists in servers that both support SSLv2 and enable export cipher suites due to improper implementation of SSLv2. A remote attacker can exploit this, via a crafted CLIENT-MASTER-KEY message, to cause a denial of service. (CVE-2015-0293)

Solution

Upgrade to the relevant fixed version referenced in Cisco bug ID CSCut46130.

See Also

https://www.openssl.org/news/secadv/20150319.txt

http://www.nessus.org/u?2beef118

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut46130

Plugin Details

Severity: High

ID: 90525

File Name: cisco-sa-20150320-openssl-ios.nasl

Version: 1.7

Type: combined

Family: CISCO

Published: 4/14/2016

Updated: 11/19/2019

Dependencies: cisco_ios_version.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:2.3:o:cisco:ios:*:*:*:*:*:*:*:*

Required KB Items: Host/Cisco/IOS/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 3/20/2015

Vulnerability Publication Date: 5/6/2014

Reference Information

CVE: CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0293, CVE-2015-0292

BID: 73225, 73227, 73231, 73232, 73237, 73239, 73228

CISCO-BUG-ID: CSCut46130

CISCO-SA: cisco-sa-20150320-openssl