Workarounds that mitigate these vulnerabilities may be available.
#CISCO JABBER VIDEO FOR TELEPRESENCE ADMINISTRATOR GUIDE SOFTWARE#
Cisco will release software updates that address these vulnerabilities. This advisory will be updated as additional information becomes available. Devices that are simply traversed by SSL traffic without terminating it are not affected. Please note that the devices that are affected by this vulnerability are the devices acting as an SSL server terminating SSL connections or devices acting as an SSL Client initiating an SSL connection. The disclosed portions of memory could contain sensitive information that may include private keys and passwords. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. An exploit could send a specially crafted TLS or DTLS heartbeat packet to the connected client or server. An attacker could exploit this vulnerability by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.
0 kommentar(er)
