DCO - Vulnerability using Protocol SSL - TLS

Hi Martin!!, I have found an APC information (see link: http://www.schneider-electric.us/sites/us/en/support/faq/faq_main.page?page=content&country=US〈=en&i... ) that explains us that after DCO revision 7.4.1 the vulnerability with name "Poodle" - CVE-2014-3566 was fixed with a patch.  Do you know what was the Schneider solution to resolve this vulnerability? If Schneider did not use TLS to resolve the issue, what was the SE solution?...

(CID:105457248)

The package base was updated to include patched versions of the affected components. Additionally, in the default configuration, the server rejects SSLv2 and SSLv3 connections. DCO 7.5 supports TLS 1.0.

(CID:105457290)

Luis Lopez Borbon POODLE exploits a bug in TLS which enabled a man-in-the-middle to downgrade a connection to SSLv3. But it requires the server to support SSLv3. So the POODLE patch for DCO disables SSLv3.

(CID:105457337)

If I disable the SSL in the DCO user interface, the DCO is accessible using a not secure communication between server and client, this means: use http and port 80. This is completely unacceptable for my customer. How can I do??? thanks! 

(CID:105457371)

Martin Kamp Jensen If DCO supports TLS 1.0, how can I enable TLS 1.0 in DCO?? I know how and where to disable SSL protocol but I don’t know where can I enable the TLS protocol. My customer requires getting access to the DCO server only using TLS (SSL must be disabled, it is mandatory!)..please help!

(CID:105457372)

DCO 7.5 supports and uses TLS 1.0 while SSLv2 and SSLv3 are already disabled out-of-the-box. You do not need to perform any steps to secure DCO 7.5 against "Poodle". We are aware of DCO 7.5 requiring too many open ports (e.g. port 80 and other ports between cluster nodes as per the link I provided in the original answer). This will be handled in DCO 8.0. Unfortunately, we do support limiting the open ports in DCO 7.5.

(CID:105457507)

Hi Martin,

Please assist.

We have this vulnerability error - "openssl multiple ssl_mode_release_buffers Denial of service vulnerabilities" ( SSL/TLS MITM vulnerability (CVE-2014-0224)

We are running DCO v8.0.2 and I am told this version has a built in fix for this specific vulnerability.

From research, this vulnerability only occurs when its enabled, may I disable "openssl multiple ssl_mode_release_buffers?  and if so, what is the impact, also how do I go about this ?

Any help is greatly appreciated!

Kind regards

(CID:122688657)

Hi juice

I'm curios as to learn how you detect this vulnerability.  What tool are you using?

The CVE-2014-0224 vulnerability is fixed in DCO 8.0.2 – you can verify this in several ways – the easiest way is to log into the server and:

Run the command:

rpm -qa openssl

Result:

openssl-1.0.1e-42.el7_1.9.x86_64

This lists the version of Openssl we are using.

Run the command:

rpm -q --changelog openssl

Result (a list of all fixes in this version of openssl)

* Tue Jun 23 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.9

- fix the CVE-2015-1791 fix (broken server side renegotiation)

* Tue Jun 03 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-34.3

- fix CVE-2010-5298 - possible use of memory after free

- fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment

- fix CVE-2014-0198 - possible NULL pointer dereference

- fix CVE-2014-0221 - DoS from invalid DTLS handshake packet

- fix CVE-2014-0224 - SSL/TLS MITM vulnerability

- fix CVE-2014-3470 - client-side DoS when using anonymous ECDH

As you can see this issue is fixed in the version of openSSL we use in DCO 8.0.2

Best Regards

    Anders

(CID:122693386)

Hi Anders

Thank you very much for you effort in making me understand - much appreciated.

Our security team uses McAfee Vulnerability Manager which basically identifies possible threats to the network in terms of firewall and intrusions.

I will give it ago and if necessary will consult our local agent.

much appreciated.

(CID:123340498)