CIO

Cisco kills FREAK flaw in its OpenSSL kit

  • Liam Tung (CSO Online)
  • 11 March, 2015 09:41

Cisco has flagged a monster security update for dozens of Cisco security products affected by eight OpenSSL flaws, including the FREAK SSL/TLS bug.

Cisco’s updates address eight vulnerabilities that the OpenSSL Project disclosed on January 8, which included among them FREAK — though at the time the disclosure lacked the detail that researchers made available this week.

Cisco said its product security incident response team (PSIRT) began publicly disclosing the effect on Cisco products well before the increased public discussion of FREAK.

The FREAK flaw was widely reported this week as an example of the unintended effects of creating lawful backdoors in encryption. A man-in-the-middle attacker could force a TLS client into using weak encryption keys.

Google has released fixes for Chrome on the desktop and has distributed patches to Android device manufacturers and carriers, while Apple patched the bug in updates for OS X, iOS and Apple TV yesterday. Microsoft has a fix in its March Patch Tuesday update for affected Windows systems that use Schannel.

Cisco said the vulnerability in OpenSSL could allow an unauthenticated, remote attacker to bypass security restrictions.

“The vulnerability is due to improper handling of an RSA temporary key. An attacker with a privileged network position could exploit the vulnerability by returning a weak temporary RSA key to a system using an application that uses the vulnerable OpenSSL library,” it said.

“When processed, the insecure temporary key could result in reduced cryptographic protections, which could allow the attacker to bypass security protections.”
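The two Cisco paragraphs above describe the client-side failure behind FREAK: a client that accepts a temporary RSA key from the server without checking that the negotiated cipher suite is actually an export-grade one, and without checking the key's size. The following Python model is an added illustration, not code from Cisco, OpenSSL or the article; it shows the three checks a hardened TLS client applies (never offer export suites, reject a suite it did not offer, reject a temporary RSA key for a non-export suite or below a policy minimum). The suite names, the 2048-bit minimum and the `ServerKeyExchange` structure are constructed for the example.

```python
"""Model of the client-side checks that defeat a FREAK-style downgrade.

Added illustration, not code from Cisco, OpenSSL or the article. The cipher
suite list, the policy minimum and the handshake structure are constructed
sample data; no real TLS traffic is involved.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed list of suites an older client might offer. The _EXPORT_ suites
# are the 1990s 512-bit-RSA suites that a FREAK attacker steers a client into.
CLIENT_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
]
MIN_RSA_BITS = 2048  # assumed policy: smallest RSA modulus the client will use


def is_export_suite(suite: str) -> bool:
    """Export suites are the only ones for which a temporary RSA key is legal."""
    return "_EXPORT_" in suite


def hardened_client_hello(suites: List[str] = CLIENT_SUITES) -> List[str]:
    """Check 1: strip export-grade suites before they ever reach the wire."""
    return [s for s in suites if not is_export_suite(s)]


@dataclass
class ServerKeyExchange:
    suite: str                    # suite the server selected in ServerHello
    temp_rsa_bits: Optional[int]  # size of the temporary RSA key, or None if absent


def handshake_outcome(offered: List[str], ske: ServerKeyExchange,
                      cert_rsa_bits: int = 2048) -> Tuple[str, object]:
    """Checks 2 and 3. Returns ("accepted", key_bits) or ("rejected", reason).

    key_bits is the RSA modulus the client would encrypt the premaster secret
    to: the temporary key if one was sent, otherwise the certificate key.
    """
    # Check 2: a server choosing a suite the client never offered is a downgrade.
    if ske.suite not in offered:
        return ("rejected", f"server chose unoffered suite {ske.suite}")

    if ske.temp_rsa_bits is not None:
        # Check 3a: this is the check FREAK-vulnerable clients lacked. A
        # temporary RSA key is only legitimate for an export suite; for any
        # other RSA suite the certificate key must be used.
        if not is_export_suite(ske.suite):
            return ("rejected",
                    f"temporary RSA key offered for non-export suite {ske.suite}")
        key_bits = ske.temp_rsa_bits
    else:
        key_bits = cert_rsa_bits

    # Check 3b: independent of the suite, never encrypt to a weak modulus.
    if key_bits < MIN_RSA_BITS:
        return ("rejected", f"RSA key of {key_bits} bits is below policy minimum")
    return ("accepted", key_bits)


if __name__ == "__main__":
    offered = hardened_client_hello()
    # Constructed FREAK scenario: a non-export suite paired with a 512-bit temp key.
    print(handshake_outcome(offered, ServerKeyExchange("TLS_RSA_WITH_AES_128_CBC_SHA", 512)))
    # Normal RSA handshake: no temporary key, 2048-bit certificate key.
    print(handshake_outcome(offered, ServerKeyExchange("TLS_RSA_WITH_AES_128_CBC_SHA", None)))
```

Each check stands on its own: a client that still offers export suites (the unfiltered `CLIENT_SUITES`) is caught by the size check even if the server legitimately selects an export suite, and a client that has filtered them is caught by the unoffered-suite check if the server picks one anyway. The OpenSSL fix corresponds to check 3a; the others are defence in depth a deployment should apply regardless of library version.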

The company lists dozens of products variously affected by the eight OpenSSL bugs disclosed in January, spanning Cisco’s hosted services products; wireless products; video, streaming, TelePresence, and transcoding devices; voice and unified communications devices; unified computing, routing and switching for small business as well as several enterprise and service provider products; network management and provisioning; network and content security devices; network application, service and acceleration products; endpoint clients and client software; as well as collaboration and social media products.

This article is brought to you by Enex TestLab, content directors for CSO Australia.