Cisco battles POODLE with a listicle and some twaddle

Borg lists products on which SSL 3.0 vuln has lifted leg, promises fixes


Cisco has joined the growing list of vendors scrambling a response to the POODLE vulnerability, with a number of systems confirmed vulnerable and more under investigation.

The Borg's current POODLE status only clears one system: the Cisco Adaptive Security Device Manager.

The company says its ongoing assessment of products for their POODLE status identifies kit or software as vulnerable if two conditions are met: SSLv3 is supported, and it offers a block cipher in CBC mode.
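Those two conditions can be read straight off a server's handshake reply. The sketch below is an added example, not Cisco's or The Register's code: it assumes the bytes are the server's first record in answer to a ClientHello that offered only SSL 3.0, and the function names, the short suite table and the sample records are constructed for illustration.

```python
import struct

SSL3 = 0x0300
# A few suites that use a block cipher in CBC mode (IANA registry values).
CBC_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def parse_server_hello(record: bytes):
    """Return (version, cipher_suite) from a ServerHello record, or None if
    the peer sent anything else (for example a handshake_failure alert)."""
    if len(record) < 5:
        return None
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    # 0x16 = handshake record, 0x02 = ServerHello message
    if ctype != 0x16 or len(body) < 4 or body[0] != 0x02:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:                  # version(2) + random(32) + sid_len(1)
        return None
    offset = 35 + hello[34]              # skip the variable-length session id
    if len(hello) < offset + 3:          # cipher suite(2) + compression(1)
        return None
    version = int.from_bytes(hello[0:2], "big")
    suite = int.from_bytes(hello[offset:offset + 2], "big")
    return version, suite

def meets_poodle_conditions(record: bytes) -> bool:
    """True only when the server agreed to SSL 3.0 AND picked a CBC suite."""
    parsed = parse_server_hello(record)
    return parsed is not None and parsed[0] == SSL3 and parsed[1] in CBC_SUITES

def make_server_hello(version: int, suite: int) -> bytes:
    """Build a constructed sample ServerHello (zero random, empty session id)."""
    hello = (version.to_bytes(2, "big") + bytes(32) + b"\x00"
             + suite.to_bytes(2, "big") + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return (b"\x16" + version.to_bytes(2, "big")
            + len(handshake).to_bytes(2, "big") + handshake)

# Constructed fatal handshake_failure alert: what a server with SSLv3 off sends.
SSL3_REFUSED = b"\x15\x03\x00\x00\x02\x02\x28"
```

A refusal such as `SSL3_REFUSED`, or a reply that selects a stream cipher, fails one of the two conditions and is reported as not exposed.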

The vulnerable list includes Webex Social, the AnyConnect client, application acceleration, various products in the adaptive security range, Nexus 3000 and 9000 variants, the ACI/APIC policy controller, its TelePresence server, and the Cisco Wireless LAN Controller.

The standard advice – disable SSLv3 – is given while the company works on fixes (which will presumably be to simply remove the offending protocol, since it's another decaying zombie protocol that only endures for reasons of backwards-compatibility).

As revealed by The Register, the vulnerability dubbed POODLE allows an attacker in a man-in-the-middle position to grab a victim's session cookies. ®

