Cisco Acknowledges OpenSSL Vulnerabilities

The San Jose, Calif.-based networking giant said the OpenSSL vulnerabilities affect Cisco IPS, Secure ACS, Security Agent, MARS, Unified Presence Server, SIP Proxy Server, Wireless LAN Controller and several other products.

The OpenSSL vulnerabilities could enable attackers to get around security restrictions, forge RSA signatures, trigger buffer overflows and launch denial-of-service attacks, according to a Cisco advisory issued Wednesday.

If a user has several vulnerable applications running on the same PC, it's possible that attackers could take advantage of a flaw in one application to compromise the entire system and then hit applications that aren't affected by the OpenSSL issues, the Cisco advisory said.

Products from Avaya, Sun Microsystems, Red Hat, Secure Computing and other vendors are also affected by the OpenSSL vulnerabilities, which were first reported in September.

Gary Berzack, CTO of eTribeca, a New York-based wireless integrator, said it would be unfortunate if Cisco were to move away from using OpenSSL in its products because the vulnerabilities could have been avoided with better quality-assurance testing.

"The QA should be even more strenuous than intellectual property designs, but since they have not had to pay for the initial development, they have to treat this as a part of the cost," Berzack said.

Cisco has yet to release patches for its vulnerable products, but the company said the issues could be mitigated by blocking the affected protocols at the network edge and ensuring that only legitimate IP addresses can connect to network devices.

Security firm Secunia gave the vulnerabilities a blanket rating of "highly critical," or a 4 on a 5-point scale.