Vulnerable TLS Implementation Exposes Cisco Products to POODLE Attacks

Two products from Cisco are vulnerable to a new variant of the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, the company said in a security advisory.

POODLE attacks, which can be leveraged by a remote attacker to gain access to encrypted information, were initially believed to work only against the Secure Sockets Layer (SSL) 3.0 protocol. However, on December 8, researchers confirmed that some implementations of the Transport Layer Security (TLS) 1.x protocol are also vulnerable.

The Cisco Adaptive Security Appliance (ASA) Software and the Cisco ACE Application Control Engine Module are affected, Cisco said in its advisory.

“The vulnerability is due to improper block cipher padding implemented in TLSv1 when using Cipher Block Chaining (CBC) mode. An attacker could exploit the vulnerability to perform an ‘oracle padding’ side channel attack on the cryptographic message. A successful exploit could allow the attacker to access sensitive information,” the company noted.
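As an added illustration (not code from the article, Cisco, A10 or F5), the Python below contrasts the lenient padding check at the root of the TLS variant, which inspects only the final length byte, with the strict TLS 1.x rule that every padding byte must equal that length; the record contents are constructed for the example.

```python
# Added example; not code from the SecurityWeek article, Cisco, A10 or F5.
# Both checks run on an already-decrypted CBC record, which is all a padding
# check ever sees. The lenient variant is the defect: a record whose padding
# bytes are garbage still passes, so accept/reject behaviour leaks whether the
# final byte alone decrypted to a plausible length (the side channel described
# in the advisory). Sample plaintexts are constructed for illustration.
BLOCK_SIZE = 16  # AES block size; 3DES would use 8


def pad_for_cbc(content: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append TLS 1.x padding: pad_len copies of pad_len, then pad_len itself."""
    pad_len = (block_size - (len(content) + 1) % block_size) % block_size
    return content + bytes([pad_len]) * (pad_len + 1)


def lenient_padding_ok(plaintext: bytes) -> bool:
    """SSL 3.0-style check: accepts any record whose last byte is a length
    that fits inside the record. The padding bytes themselves are ignored."""
    if not plaintext:
        return False
    return plaintext[-1] + 1 <= len(plaintext)


def strict_padding_ok(plaintext: bytes) -> bool:
    """TLS 1.x rule (RFC 5246 6.2.3.2): the last pad_len + 1 bytes must all
    equal pad_len; anything else in the padding region is a decryption error."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])


def scramble_padding(plaintext: bytes) -> bytes:
    """Overwrite the padding bytes but keep the length byte, simulating a
    record whose padding region did not decrypt to the expected values."""
    pad_len = plaintext[-1]
    junk = bytes(range(0xA0, 0xA0 + pad_len))
    return plaintext[:-(pad_len + 1)] + junk + bytes([pad_len])


def demo() -> dict:
    good = pad_for_cbc(b"GET / HTTP/")  # 11 bytes + 5 padding bytes = 16
    bad = scramble_padding(good)
    return {
        "good_lenient": lenient_padding_ok(good),
        "good_strict": strict_padding_ok(good),
        "bad_lenient": lenient_padding_ok(bad),  # True: the flaw
        "bad_strict": strict_padding_ok(bad),    # False: correct rejection
    }
```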

Cisco ACE 4700 Series Application Control Engine Appliances are not affected, although Cisco warns that some scanners might erroneously flag them as vulnerable. Cisco may add other products to the advisory in the coming period.

Cisco plans to provide software updates that address the vulnerability, which has been rated a medium-severity issue (CVSS score of 4.3 out of 10), the company’s representatives told SecurityWeek. Customers who have an account can track the timing and progress of the updates by clicking on the “More Information” section of the security notice.

Experts pointed out that POODLE attacks could also work against TLS back in October, shortly after the existence of the flaw was disclosed. The reports were confirmed last week by Google security engineer Adam Langley, who identified several high-profile websites that had been susceptible to attacks.

The researcher determined that the affected sites had been using load balancers from A10 Networks and F5 Networks. Both A10 Networks and F5 Networks released updates to address the problem.

Cisco, A10 Networks and F5 Networks all used the same CVE identifier for the issue, CVE-2014-8730. However, NIST’s National Vulnerability Database noted that a different CVE identifier should be used for each vulnerable implementation since the flaw isn’t in the design of TLS 1.x itself.

There are still numerous websites vulnerable to POODLE attacks, according to the Qualys’ SSL Server Test.

“Some firms still aren’t aware of the risks, others are aware but are unable/unwilling to patch it for fear of creating significant downtime if something goes wrong. A bank (for example) using F5s could potentially lose millions if a patch fails, knocking mission-critical services offline,” Paul Moore, information security consultant at UK-based Urity Group, told SecurityWeek.

According to Moore, the SSL Server Test shows that many high-profile websites in the UK are vulnerable to POODLE, including those of the country’s Labour and Conservative parties. Even the British government’s Get Safe Online site is affected.

“In the last 6 months, we’ve seen critical exploits in several protocols/cipher suites which were previously deemed ‘secure’. Perhaps it’s time to move away from that idealistic notion; opting instead for a more realistic ‘known/not known to be insecure’,” Moore said.

*Updated with patching information from Cisco

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
