Cisco responds to OpenSSL security flaw

Cisco Systems on Friday issued a security advisory regarding the use of open-source security software OpenSSL on several of its products. Cisco's advisory follows one issued in October by the OpenSSL Project, which noted that the vulnerabilities could lead to a malicious attacker launching remote code against users' systems.

OpenSSL is an open-source version of secure sockets layer, or SSL, encryption that is used by a number of Web browsers to secure data transmission over the Internet. Cisco's advisory noted that six of its product categories can be affected by the flaws: ASA 5500 and Cisco Pix running 7.x software; CiscoWorks Common Services versions 3.0 and 2.2; Cisco Mainframe Channel Connection PA-4C-E, PA-IC-E, PA-IC-P, CX-CIP2 tn3270 server; Cisco Global Site Selector 4480, 4490 and 4491; Cisco Wireless Control System Software and CiscoIOS-XR.

[Dachi]

Do you know what you are doing?

This is a man in the middle attack that can force the client to negotiate an SSL 2.0 session rather than an SSL 3.0 session and per the advisory, SSL 2.0 has "cryptographic weaknesses".

First man in the middle attacks are really difficult to perform.

Second, iff they didn't use SSL at all and sent the info in clear text people would not even bother calling it a vuln. But since it is possible to make the client negotiate an SSL 2.0 session instead of 3.0 people want to sensationalize like it is remote level 15 access.

Most people won't bother to look at the details of this release beyond "CISCO ROUTER VULNERABILITY" so all you have really done is give Cisco a black eye when they didn't even deserve it.

I think this article was irresponsible.