TLS Protocol Session Renegotiation Security Vulnerability

Has anyone out there been trying to figure out a way to deal with this TLS vulnerability?

An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

joe_ironport Mon, 11/16/2009 - 20:17

Can anyone from Cisco comment on whether or not the ESAs are affected by this vulnerability? If so, should we expect a new build of ASYNC, and when?

steven_geerts Thu, 11/26/2009 - 22:53

As far as I know, IronPort supported TLS far before the Cisco takeover.

Since the link is broken, I cannot read the Cisco advisory, but I can imagine the IronPort product family is not involved in this issue.

Steven

I have updated the link.

This is a TLS/SSL vulnerability that is industry-wide. It is a problem with the protocols themselves, not the implementation. I am certain that it affects IronPort and have word that they are working on it.

I was hoping someone from IronPort would jump in and let us know what was going on, and when we would expect to see an update for the AsyncOS.

Thierry ZOLLER does a good job of explaining the issue at the link below.
http://www.g-sec.lu/practicaltls.pdf
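
Added example, not part of the thread and not Cisco or IronPort code: servers that implement the protocol-level fix for this renegotiation flaw (RFC 5746, which the thread does not mention) announce it with a `renegotiation_info` extension in their ServerHello. The Python below parses a captured ServerHello record and reports whether that extension is present; the function names and the sample records are constructed for illustration.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type defined in RFC 5746

def server_hello_extensions(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return {ext_type: data}."""
    if (len(record) < 9 or record[0] != 0x16 or record[5] != 0x02
            or struct.unpack("!H", record[3:5])[0] != len(record) - 5
            or int.from_bytes(record[6:9], "big") != len(record) - 9):
        raise ValueError("not a single, complete ServerHello record")
    hello = record[9:]
    try:
        pos = 2 + 32               # server_version + random
        pos += 1 + hello[pos]      # session_id length byte + session_id
        pos += 2 + 1               # cipher_suite + compression_method
        if pos == len(hello):
            return {}              # ServerHello without an extension block
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        if ext_end != len(hello):
            raise ValueError("extension block length mismatch")
        pos, found = pos + 2, {}
        while pos < ext_end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            if pos + 4 + elen > ext_end:
                raise ValueError("extension overruns block")
            found[etype] = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
        return found
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ServerHello") from exc

def supports_secure_renegotiation(record: bytes) -> bool:
    """True if an initial-handshake ServerHello carries renegotiation_info."""
    data = server_hello_extensions(record).get(RENEGOTIATION_INFO)
    if data is None:
        return False               # legacy server: handshakes are not bound together
    if data != b"\x00":            # field must be empty on an initial handshake
        raise ValueError("non-empty renegotiation_info on initial handshake")
    return True

def build_server_hello(extensions: bytes = b"") -> bytes:
    """Constructed sample: TLS 1.0 ServerHello, zero random, empty session id."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    hello += struct.pack("!H", len(extensions)) + extensions if extensions else b""
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

PATCHED = build_server_hello(b"\xff\x01\x00\x01\x00")  # constructed: fix advertised
LEGACY = build_server_hello()                          # constructed: no extensions
```

A `False` result on a server that still accepts renegotiation means the exposure described in the advisory remains; a patched server returns `True`.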