Two of Cisco’s products are vulnerable to the POODLE attack via the TLS implementation in those products. The vulnerability affects Cisco’s Adaptive Security Appliance software and its Application Control Engine module.
The POODLE attack was disclosed in October by researchers from Google, who discovered that if an attacker can force a vulnerable Web server to fall back from a modern cryptographic protocol such as TLS to an older one such as SSLv3, under some circumstances he can then decrypt the secure connection. Originally, researchers believed that the attack was only effective against SSLv3, but last week Adam Langley from Google said that it also affected some implementations of TLS.
Langley discovered that appliances from F5 Networks and A10 Networks both were vulnerable to the POODLE attack on TLS and notified the vendors. He said at the time that he didn’t think he had identified every vulnerable implementation. Cisco on Monday said that some of its products also are vulnerable.
“A vulnerability in certain implementations of the TLSv1 protocol could allow an unauthenticated, remote attacker to access sensitive information,” the Cisco advisory says.
“The vulnerability is due to improper block cipher padding implemented in TLSv1 when using Cipher Block Chaining (CBC) mode. An attacker could exploit the vulnerability to perform an ‘oracle padding’ side channel attack on the cryptographic message. A successful exploit could allow the attacker to access sensitive information.”
Cisco did not say in its advisory whether there is a patch available to address the vulnerability in its products.