Return
-
Title
Is QCVDS susceptible to the vulnerabilities mentioned in OpenSSL security advisory secadv_20140605? -
Description
Is Quick Connect Virtual Directory Server (QCVDS) affected by the vulnerabilities mentioned in OpenSSL security advisory secadv_20140605.txt? -
Cause
More information about the OpenSSL vulnerabilities can be found here:http://www.openssl.org/news/secadv_20140605.txtOpenSSL security advisory secadv_20140605.txt contains the following vulnerabilities:- SSL/TLS MITM vulnerability (CVE-2014-0224)- DTLS recursion flaw (CVE-2014-0221)- DTLS invalid fragment vulnerability (CVE-2014-0195)- SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)- SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)- Anonymous ECDH denial of service (CVE-2014-3470) -
Resolution
Virtual Directory Server is not affected by the DTLS and SSL_MODE_RELEASE_BUFFER vulnerabilities in this advisory.The following is a summary of our findings for these specific velnerabilities:DTLS recursion flaw (CVE-2014-0221)====================================Only affected if the customer does custom development (we do not use DTLS)DTLS invalid fragment vulnerability (CVE-2014-0195)====================================================Only affected if the customer does custom development (we do not use DTLS)SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)=================================================================Only affected in version 1.0.0 and using SSL_MODE_RELEASE_BUFFERS (we do not use it)SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)===============================================================================Only affected in version 1.0.0 and using SSL_MODE_RELEASE_BUFFERS (we do not use it)Anonymous ECDH denial of service (CVE-2014-3470)================================================Affected but can be avoided by deselecting the anonymous Elliptic Curve Cipher Suites (from supported ciphers just remove it from the list, or create a list without this cipher as probably the list could be too high).To check the list of ciphers affected:openssl ciphers -v |grep ECDHSSL/TLS MITM vulnerability (CVE-2014-0224)===========================================AffectedCan result in a MIM being able to decrypt SSL protected traffic