Security Experts:

Connect with us

Hi, what are you looking for?



Vulnerable TLS Implementation Exposes Cisco Products to POODLE Attacks

Two products from Cisco are vulnerable to a new variant of the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, the company said in a security advisory.

Two products from Cisco are vulnerable to a new variant of the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, the company said in a security advisory.

POODLE attacks, which can be leveraged by a remote attacker to gain access to encrypted information, were initially believed to work only against the Secure Sockets Layer (SSL) 3.0 protocol. However, on December 8, researchers confirmed that some implementations of the transport layer security (TLS) 1.x protocol are also vulnerable.

The Cisco Adaptive Security Appliance (ASA) Software and the Cisco ACE Application Control Engine Module are affected, Cisco said in its advisory.

“The vulnerability is due to improper block cipher padding implemented in TLSv1 when using Cipher Block Chaining (CBC) mode. An attacker could exploit the vulnerability to perform an ‘oracle padding’ side channel attack on the cryptographic message. A successful exploit could allow the attacker to access sensitive information,” the company noted.

Cisco ACE 4700 Series Application Control Engine Appliances are not affected, although Cisco warns that some scanners might erroneously flag them as being vulnerable. Other Cisco products might also be listed in the advisory in the upcoming period.

Cisco plans on providing software updates that address the vulnerability, which has been rated as a medium-severity issue (CVSS score of 4.3 out of 10), the company’s representatives told SecurityWeek. Customers who have a account can track the timing and progress of the updates by clicking on the “More Information” section of the security notice.

Experts pointed out that POODLE attacks could also work against TLS back in October, shortly after the existence of the flaw was disclosed. The reports were confirmed last week by Google security engineer Adam Langley, who identified several high-profile websites that had been susceptible to attacks.

The researcher determined that the affected sites had been using load balancers from A10 Networks and F5 Networks. Both A10 Networks and F5 Networks released updates to address the problem.

Cisco, A10 Networks and F5 Networks all used the same CVE identifier for the issue, CVE-2014-8730. However, NIST’s National Vulnerability Database noted that a different CVE identifier should be used for each vulnerable implementation since the flaw isn’t in the design of TLS 1.x itself.

There are still numerous websites vulnerable to POODLE attacks, according to the Qualys’ SSL Server Test.

“Some firms still aren’t aware of the risks, others are aware but are unable/unwilling to patch it for fear or creating significant downtime if something goes wrong. A bank (for example) using F5s could potentially lose millions if a patch fails, knocking mission-critical services offline,” Paul Moore, information security consultant at UK-based Urity Group, told SecurityWeek.

According to Moore, the SSL Server Test shows many high-profile websites in the UK are vulnerable to POODLE, including the ones of the country’s Labor and Conservative parties. Even the British government’s Get Safe Online site is affected.

“In the last 6 months, we’ve seen critical exploits in several protocols/cipher suites which were previously deemed ‘secure’. Perhaps it’s time to move away from that idealistic notion; opting instead for a more realistic ‘known/not known to be insecure’,” Moore said.

*Updated with patching information from Cisco

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.