11-11-2009 03:36 PM
Has anyone out there been trying to figure out a way to deal with this TLS vulnerability?
An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml
11-16-2009 08:17 PM
Can anyone from Cisco comment on whether or not the ESAs are affected by this vulnerability? If so, should we expect a new build of ASYNC, and when?
11-26-2009 10:53 PM
As far as I know, IronPort supported TLS far before the Cisco take-over.
Since the link is broken I cannot read the Cisco advisory, but I can imagine the IronPort product family is not involved in this issue.
Steven
11-30-2009 05:09 PM
I have updated the link.
This is a TLS/SSL vulnerability that is industry-wide. It is a problem with the protocols themselves, not the implementation. I am certain that it affects IronPort and have word that they are working on it.
I was hoping someone from IronPort would jump in and let us know what was going on, and when we would expect to see an update for AsyncOS.
Thierry ZOLLER does a good job of explaining the issue at the below link.
http://www.g-sec.lu/practicaltls.pdf
11-30-2009 09:14 PM
As pointed out, this is a vulnerability in the protocol design itself and not with the implementation.
Cisco IronPort is actively investigating and more information will be posted on the Cisco advisory page http://www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml
Best
Kishore