A vulnerability has been discovered in the SSL 3.0 protocol that allows an attacker to decrypt intercepted HTTPS communications when a CBC-mode cipher is used.
In their default mode of operation, Opengear products disable CBC and are not affected.
The FIPS 140-2 standard mandates that CBC is enabled. When FIPS Mode is enabled on an Opengear product, ensure that all SSL connections, including HTTPS, come from clients (e.g. web browsers) that support TLS rather than the legacy SSL 3.0 mode, to prevent fallback to the vulnerable protocol version.
Opengear will issue patched firmware that deprecates SSL 3.0 as part of our regular release cycle. For any additional questions, please email us at: support@opengear.com
The full advisory for CVE-2014-3566 can be found at: https://www.openssl.org/~bodo/ssl-poodle.pdf