Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.106428
Category:General
Title:Extreme ExtremeXOS DROWN Vulnerability
Summary:Extreme ExtremeXOS is prone to the OpenSSL 'DROWN' vulnerability.
Description:Summary:
Extreme ExtremeXOS is prone to the OpenSSL 'DROWN' vulnerability.

Vulnerability Insight:
The SSLv2 protocol requires a server to send a ServerVerify message before
establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to
decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a 'DROWN' attack.

All SSLv2 ciphers are disabled, but SSLv2 protocol is enabled on EXOS. Since EXOS is vulnerable to CVE-2015-3197,
SSLv2 ciphers can still be negotiated, which renders the switch vulnerable.

Vulnerability Impact:
Cross-protocol attack that could lead to decryption of TLS sessions.

Affected Software/OS:
Versions before 16.2.1 and 21.1.2.

Solution:
Upgrade to 16.2.1, 21.1.2, 22.1.1 or later.

CVSS Score:
4.3

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:N/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2016-0800
BugTraq ID: 83733
http://www.securityfocus.com/bid/83733
BugTraq ID: 91787
http://www.securityfocus.com/bid/91787
CERT/CC vulnerability note: VU#583776
https://www.kb.cert.org/vuls/id/583776
Cisco Security Advisory: 20160302 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl
FreeBSD Security Advisory: FreeBSD-SA-16:12
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc
https://security.gentoo.org/glsa/201603-15
HPdes Security Advisory: HPSBGN03569
http://marc.info/?l=bugtraq&m=145983526810210&w=2
HPdes Security Advisory: HPSBMU03573
http://marc.info/?l=bugtraq&m=146133665209436&w=2
HPdes Security Advisory: HPSBMU03575
http://marc.info/?l=bugtraq&m=146108058503441&w=2
https://drownattack.com
https://ics-cert.us-cert.gov/advisories/ICSA-16-103-03
RedHat Security Advisories: RHSA-2016:1519
http://rhn.redhat.com/errata/RHSA-2016-1519.html
http://www.securitytracker.com/id/1035133
SuSE Security Announcement: SUSE-SU-2016:0617 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html
SuSE Security Announcement: SUSE-SU-2016:0620 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html
SuSE Security Announcement: SUSE-SU-2016:0621 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html
SuSE Security Announcement: SUSE-SU-2016:0624 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html
SuSE Security Announcement: SUSE-SU-2016:0631 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html
SuSE Security Announcement: SUSE-SU-2016:0641 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00012.html
SuSE Security Announcement: SUSE-SU-2016:0678 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html
SuSE Security Announcement: SUSE-SU-2016:1057 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html
SuSE Security Announcement: openSUSE-SU-2016:0627 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00005.html
SuSE Security Announcement: openSUSE-SU-2016:0628 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html
SuSE Security Announcement: openSUSE-SU-2016:0637 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html
SuSE Security Announcement: openSUSE-SU-2016:0638 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html
SuSE Security Announcement: openSUSE-SU-2016:0640 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
SuSE Security Announcement: openSUSE-SU-2016:0720 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00025.html
SuSE Security Announcement: openSUSE-SU-2016:1239 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00015.html
SuSE Security Announcement: openSUSE-SU-2016:1241 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00017.html
CopyrightThis script is Copyright (C) 2016 Greenbone Networks GmbH

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2024 E-Soft Inc. All rights reserved.