Mitigating SSL v3 POODLE Vulnerability (CVE-2014-3566)

Chris Swinney
Level 5

Hi all,

Another day, another vulnerability. Feel like we are swimming against the tide.

Now, SSL v3 has been shown to be vulnerable (looks like a protocol issue, not an implementation issue, so patches are doubtful), and so I am looking at what we can do to mitigate this. Clients (such as IE, Firefox and Chrome (sort of)) can be set to disable SSL v3, but rolling this out across an Enterprise might not be that easy.

In IIS (that would be running TMS) you can switch off SSL v3 via a reg edit, but are there any knock-on effects? What about the web services built into CODECs, MCUs and other infrastructure devices - can SSL v3 be switched off?

Look forward to the responses.

Cheers

Chris

3 Replies

Patrick Sparkman
VIP Alumni

Cisco released an advisory for this, there are so far several TelePresence devices listed, with others being investigated.

cisco-sa-20141015-poodle

Chris Swinney
Level 5

Hi All,

Just thought I'd update this.

TMS on Windows 2008 R2

I have updated the OS on our TMS server (in fact on all our Windows servers) to disable SSLv3 and switch off some insecure ciphers. There are many ways to do this, as it involves Registry edits and Policy objects, but one of the simplest I found was to use a tool from NARTAC Software (https://www.nartac.com/Products/IISCrypto/Default.aspx). After ensuring that SSLv3 is off, running a scan (from https://www.ssllabs.com/ssltest/index.html) showed that all was good (well, good enough), and I see no odd side effects at this point in time. I guess that if you still have clients running XP with IE6 that need to connect to TMS, you might have some problems, but if you still run XP and IE6, you have real problems ;)

VCS x8.2.2

Our VCSs have firewalls in place to limit management to only our internal network, but as a test I opened one up and scanned it using the SSL Labs tool above. All is good and SSLv3 is already disabled.

Cisco bug CSCur23698 - Cisco TelePresence VCS : evaluation of SSLv3 POODLE vulnerability

I haven't tested any of our CODECs, as again these are generally behind firewalls and we don't use individual certificates, so I can't scan them with this tool.

Cheers

Chris
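For anyone who would rather script the server-side change than use a third-party tool, here is an added example (not from this thread, and not what the NARTAC tool itself does) that sets the SCHANNEL registry values Windows reads to decide whether SSL 3.0 is offered, for both the server and the client side of the stack, and reads them back so the change can be checked before the reboot that SCHANNEL needs to pick them up:

```powershell
# Added example: disable SSL 3.0 in SCHANNEL on a Windows server (e.g. the TMS box).
# Run from an elevated PowerShell session; SCHANNEL only reads these values at boot,
# so a reboot is required before an SSL Labs scan will show the change.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Disable-Ssl3 {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base $side
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # Enabled = 0 switches the protocol off; DisabledByDefault = 1 keeps it off even
        # for applications that do not explicitly choose their protocol set.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-Ssl3State {
    # Read the values back so the result can be logged alongside the change ticket.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base $side
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            '{0}: Enabled={1} DisabledByDefault={2}' -f $side, $p.Enabled, $p.DisabledByDefault
        } else {
            '{0}: key absent (OS defaults apply)' -f $side
        }
    }
}

Disable-Ssl3
Get-Ssl3State
```

The Client key also affects outbound connections the server itself makes, so if the box still has to talk to a legacy system that only speaks SSL 3.0, test that path before rebooting.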

Chris Swinney
Level 5

Hi All,

This tidbit is not Cisco-orientated per se, but some of you might find it useful (if you haven't found the info yourselves already); it's what I sent around to my team here:

There are many things you can do to mitigate this vulnerability, as you can also disable SSL3 in various clients (although this might affect communication with legacy systems).

  • Firefox – Version 34 (due for release at the end of November) will disable SSL v3 by default, but they have released a plug-in that can disable it immediately. See https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
  • IE – You can turn off SSL 3 from the Settings --> Internet Options --> Advanced --> Security section; however, if you find that the options to check SSL/TLS are greyed out (as they are on my machine), this may be a hangover from a previous security software installation.
    However, I will override this using GPO so domain-joined PCs will have this setting updated. The GPO applied to the domain is:
    Computer Setting --> Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel --> Advanced Page --> Turn Off Encryption Support = TLS 1.0, TLS 1.1, and TLS 1.2 ONLY
  • Chrome – This is a little more difficult. It seems you can only do this at the moment by adding a switch to the start-up command (you can modify the shortcut on either Windows or Mac). Check out https://zmap.io/sslv3/browsers.html