Alerts

Google Security Update

Google has released Chrome version 53.0.2785.89 for Windows, Mac, and Linux. This update addresses vulnerabilities that could allow an attacker to take control of an affected system. Users and administrators are encouraged to review the Google Chrome release blog and apply the necessary updates.

Cisco Security Updates

Cisco has released security updates to address vulnerabilities in several products. Exploitation of these vulnerabilities could allow an attacker to take control of an affected system. Users and administrators are encouraged to review the Cisco Security Advisories and apply the necessary updates.
For more information, please see the following advisories:
Cisco Wireless LAN Controller TSM SNMP Denial of Service Vulnerability
Cisco WebEx Meetings Player Denial of Service Vulnerability
Cisco Virtual Media Packager PAM API Unauthorized Access Vulnerability
Cisco Wireless LAN Controller wIPS Denial of Service Vulnerability
Cisco Small Business 220 Series Smart Plus Switches SNMP Unauthorized Access Vulnerability
Cisco Small Business 220 Series Smart Plus Switches Web Interface Denial of Service Vulnerability
Cisco Small Business 220 Series Smart Plus Switches Web Interface Cross-Site Scripting Vulnerability
Cisco Small Business 220 Series Smart Plus Switches Web Interface Cross-Site Request Forgery Vulnerability
Cisco Small Business SPA3x/5x Series Denial of Service Vulnerability
Cisco WebEx Meetings Player Arbitrary Code Execution Vulnerability
Cisco Hosted Collaboration Mediation Fulfillment Directory Traversal File System Vulnerability
Cisco Hosted Collaboration Mediation Fulfillment Authenticated Directory Traversal Vulnerability

SSL 3.0 Protocol Vulnerability and POODLE Attack

TZCERT-2014-12: VULNERABILITY ALERT

Date of First Release: 11-12-2014

Source: US-CERT, Symantec, IETF

System Affected:
All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.

Overview:
The Secure Sockets Layer (SSL) 3.0 cryptographic protocol contains a design flaw that an attacker could exploit to intercept and decrypt data transferred between clients and servers.

Description:
SSL 3.0 is still supported by most web browsers, and many TLS clients downgrade their protocol version to SSL 3.0 when negotiating with legacy servers. The POODLE attack abuses the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this vulnerability to decrypt selected content within the SSL session. The decryption proceeds byte by byte and generates a large number of connections between the client and server.

Environments such as public Wi-Fi hotspots make this attack a real problem; it falls into the man-in-the-middle (MITM) category.

Impact:
By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens, which can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.).

Solution:
There is currently no fix for the vulnerability in SSL 3.0 itself, as the issue is fundamental to the protocol; disabling SSL 3.0 support in system and application configurations is the most viable solution currently available.

Some of the researchers who discovered the vulnerability also developed a fix for one of its prerequisite conditions: TLS_FALLBACK_SCSV is a protocol extension that prevents MITM attackers from forcing a protocol downgrade. OpenSSL has added support for TLS_FALLBACK_SCSV in its latest versions and recommends the following upgrades:

•   OpenSSL 1.0.1 users should upgrade to 1.0.1j.

•   OpenSSL 1.0.0 users should upgrade to 1.0.0o.

•   OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

Both clients and servers need to support TLS_FALLBACK_SCSV to prevent downgrade attacks.
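To make the downgrade mechanics from the Description and the two mitigations from the Solution concrete, here is an added illustration (not part of the TZ-CERT advisory or of OpenSSL) of the server-side decision: a minimal ClientHello parser plus the TLS_FALLBACK_SCSV check from RFC 7507, alongside the "SSL 3.0 disabled" policy. The ClientHello bytes are constructed inline; the helper names and the simplified server policy are assumptions for the demo.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def build_client_hello(version, suites):
    """Construct a minimal ClientHello body (no extensions) for the demo."""
    body = bytes(version) + bytes(32) + b"\x00"          # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    return body

def parse_client_hello(body):
    """Return (client_version, cipher_suites) from a ClientHello body."""
    version = (body[0], body[1])
    pos = 2 + 32                                          # skip client_random
    pos += 1 + body[pos]                                  # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    return version, suites

def server_accepts(body, server_max=(3, 3), sslv3_enabled=False):
    """Hypothetical server policy applying the advisory's two mitigations."""
    client_version, suites = parse_client_hello(body)
    # Mitigation 2 (TLS_FALLBACK_SCSV): the client includes the SCSV only on a retry
    # after a failed handshake. If the server supports a higher version than the one
    # offered, the retry was forced by a downgrade, so it is refused.
    if TLS_FALLBACK_SCSV in suites and client_version < server_max:
        return False, "inappropriate_fallback"
    # Mitigation 1: SSL 3.0 disabled outright, so the CBC padding oracle is unreachable.
    if client_version == (3, 0) and not sslv3_enabled:
        return False, "protocol_version"
    return True, VERSIONS[min(client_version, server_max)]

if __name__ == "__main__":
    normal = build_client_hello((3, 3), [0x002F])
    fallback = build_client_hello((3, 0), [0x002F, TLS_FALLBACK_SCSV])   # forced retry at SSL 3.0
    legacy = build_client_hello((3, 0), [0x002F])                        # client that never sends SCSV
    print(server_accepts(normal))                        # (True, 'TLS 1.2')
    print(server_accepts(fallback, sslv3_enabled=True))  # (False, 'inappropriate_fallback')
    print(server_accepts(legacy, sslv3_enabled=True))    # (True, 'SSL 3.0'): still POODLE-exposed
    print(server_accepts(legacy))                        # (False, 'protocol_version')
```

The third case shows why the advisory lists both measures: SCSV only protects clients that send it, so a server that keeps SSL 3.0 enabled still exposes legacy clients.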

References:

http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed

https://www.us-cert.gov/ncas/alerts/TA14-290A

https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

Symantec Security Update

Symantec has released security updates to address vulnerabilities in multiple products. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system or cause a denial-of-service condition.

Users and administrators are encouraged to review the Symantec Security Advisory and apply the necessary updates.

For more information: SYM16-010 and SYM16-011

Google Security Update for Chrome

Google has released Chrome version 52.0.2743.82 for Windows, Mac, and Linux. This update addresses vulnerabilities that could allow an attacker to take control of an affected system.

Users and administrators are encouraged to review the Google Chrome release blog and apply the necessary updates.