Security Bulletin: Vulnerability in SSLv3 affects IBM/Cisco switches and directors (CVE-2014-3566)

Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM/Cisco switches and directors.

Vulnerability Details

CVE-ID: CVE-2014-3566

DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Cisco switches running the 6.2.x and 5.2.x releases
IBM MTM:

9710-E06MDS 9706 Director

9711-S48MDS 9148S Switch

9710-E01MDS 9250i Multilayer Fabric Switch

9710-E08MDS 9710 Director

2054-E01MDS 9222i Multilayer Fabric Switch

2054-E04(2062-D04) MDS 9506 Multilayer Director

**2054-E11 (**2062-E11) MDS 9513 Multilayer Director

2054-E07(2062-D07) MDS 9509 Multilayer Director

2053-424(2417-C24) MDS 9124 Fabric Switch

2053-434(2053-S34) MDS 9134 Fabric Switch

2417-C48MDS 9148 Fabric Switch

3722-S515010 Switch

3722-S525020 Switch

Remediation/Fixes

Release 5.2.8f:_
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/5_2/release/notes/nx-os/mds_nxos_rn_528f.html
**
Release 6.2.11b**:
_http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/6_2/release/notes/nx-os/mds_nxos_rn_6_2_11b.html

Workarounds and Mitigations

NA