
Network World

Jim Duffy

Cisco issues TLS advisory

Still evaluating which products are affected; VPN client cleared

By Jim Duffy on Fri, 11/13/09 - 3:08pm.

While everyone was distracted by the HP/3Com deal, Cisco this week quietly issued a security advisory warning of an "industry-wide" vulnerability in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses TLS or the Secure Sockets Layer (SSL) protocol. Cisco was still determining which products are affected at the time of this post, but had already cleared its AnyConnect VPN Client of any susceptibility.

According to the Cisco advisory, a vulnerability exists in the way TLS handles session renegotiation that exposes users to a potential man-in-the-middle attack. In addition to affected products, Cisco was still determining the impact of the vulnerability, and fixes and workarounds for it.

The vulnerability was initially discovered by PhoneFactor, Inc. Cisco says it is not aware of any malicious exploitation of this vulnerability, but proof-of-concept exploit code has been published for it.

Customers might want to check back on this advisory regularly to determine which, if any, products might be vulnerable.

 


About The Cisco Connection

The Cisco Subnet blog is written by Network World managing editor Jim Duffy. Visit the Cisco Subnet home page daily and while you are there, subscribe to the Cisco Alert e-mail newsletter, which includes news and views generated by the Cisco Subnet community as well as Cisco-related stories on Network World and elsewhere on the Web.
