Cisco Systems on Friday issued a security advisory regarding the open-source security software OpenSSL, which is used in several of its products. Cisco's advisory follows one issued in October by the OpenSSL Project, which noted that the vulnerabilities could lead to a malicious attacker executing code remotely on users' systems.
OpenSSL is an open-source implementation of secure sockets layer, or SSL, encryption that is used by a number of Web browsers to secure data transmission over the Internet. Cisco's advisory noted that six of its product categories can be affected by the flaws: ASA 5500 and Cisco PIX running 7.x software; CiscoWorks Common Services versions 3.0 and 2.2; Cisco Mainframe Channel Connection PA-4C-E, PA-IC-E, PA-IC-P, CX-CIP2 tn3270 server; Cisco Global Site Selector 4480, 4490 and 4491; Cisco Wireless Control System Software; and Cisco IOS-XR.
This is a man-in-the-middle attack that can force the client to negotiate an SSL 2.0 session rather than an SSL 3.0 session, and per the advisory, SSL 2.0 has "cryptographic weaknesses".
First, man-in-the-middle attacks are really difficult to perform.
Second, if they didn't use SSL at all and sent the info in clear text, people would not even bother calling it a vuln. But since it is possible to make the client negotiate an SSL 2.0 session instead of 3.0, people want to sensationalize like it is remote level 15 access.
Most people won't bother to look at the details of this release beyond "CISCO ROUTER VULNERABILITY", so all you have really done is give Cisco a black eye when they didn't even deserve it.
I think this article was irresponsible.