
Network World

Jim Duffy

Cisco issues TLS advisory

Still evaluating which products are affected; VPN client cleared

By Cisco Subnet on Fri, 11/13/09 - 3:08pm.

While everyone was distracted by the HP/3Com deal, Cisco this week quietly issued a security advisory warning of an "industry-wide" vulnerability in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses TLS or the Secure Socket Layer (SSL) protocol. Cisco was still determining which products are affected at the time of this post, but had also already cleared its AnyConnect VPN Client of any susceptibility.

According to the Cisco advisory, a vulnerability exists in the way TLS handles session renegotiation that exposes users to a potential man-in-the-middle attack. In addition to affected products, Cisco was still determining the impact of the vulnerability, and fixes and workarounds for it.

The vulnerability was initially discovered by PhoneFactor, Inc. Cisco says it is not aware of any malicious exploitation of this vulnerability, but proof-of-concept exploit code has been published for it.

Customers might want to check back on this advisory regularly to determine which, if any, products might be vulnerable.

 


Glad

0

Glad to see Cisco is being proactive and doing due diligence in testing its products.

Also good to see that Cisco is notifying the global community that such a vulnerability exists in all TLS capable products.

Note: To Author, you wrote TSL, which should be corrected to TLS in the 2nd paragraph.

About Cisco Subnet Blog

The Cisco Subnet blog is written by Network World managing editor Jim Duffy and is the official blog of Network World's Cisco Subnet community. The Cisco Subnet site is managed by Online Community Editor Julie Bort. Cisco Subnet is the independent voice of Cisco customers and is your gateway to daily Cisco news, blogs, opinion, books, prize giveaways and more. Visit the Cisco Subnet home page daily and while you are there, subscribe to the Cisco Alert e-mail newsletter, which includes news and views generated by the Cisco Subnet community as well as Cisco-related stories on Network World and elsewhere on the Web.