
====================================================================

                            CERT-Renater

               Information Note No. 2016/VULN086
_____________________________________________________________________

DATE                : 03/03/2016

HARDWARE PLATFORM(S): Cisco.

OPERATING SYSTEM(S): Cisco software running SSL version 2.

======================================================================
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl
_____________________________________________________________________

Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting
Cisco Products: March 2016

Advisory ID: cisco-sa-20160302-openssl

Version 1.0: Interim

For Public Release: 2016 March 2 19:30  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======
On March 1, 2016, the OpenSSL Software Foundation released a security
advisory detailing seven vulnerabilities and a new attack, referred to
as the Decrypting RSA with Obsolete and Weakened eNcryption (DROWN)
attack. A total of eight Common Vulnerabilities and Exposures (CVEs)
were assigned. Of the eight CVEs, three relate to the DROWN attack. The
remaining CVEs track low severity vulnerabilities.

DROWN is a cross-protocol attack that actively exploits weaknesses in
SSL version 2 (SSLv2) to decrypt passively collected Transport Layer
Security (TLS) sessions. DROWN does not exploit a vulnerability in the
TLS protocol or any specific implementation of the protocol.

To execute a successful DROWN attack, the attacker must identify a
server that supports both SSLv2 and TLS, and uses the same RSA key pair
for both protocols. The attacker must also be able to collect TLS
traffic for the server.
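
The preconditions above can be checked against a service inventory; the
following Python code is an added example, not part of the Cisco or
CERT-Renater advisory. It goes one step beyond the single-server case
described here by also flagging a TLS service whose RSA key is offered
over SSLv2 by a different service; the inventory, host names and key
labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory (not real hosts): the protocols each service accepts
# and a label standing in for the fingerprint of its certificate's RSA key.
INVENTORY = [
    {"service": "www.example.test:443",  "protocols": {"TLSv1.2"},          "rsa_key": "key-A"},
    {"service": "mail.example.test:465", "protocols": {"SSLv2", "TLSv1.0"}, "rsa_key": "key-A"},
    {"service": "vpn.example.test:443",  "protocols": {"SSLv2", "TLSv1.2"}, "rsa_key": "key-B"},
    {"service": "api.example.test:443",  "protocols": {"TLSv1.2"},          "rsa_key": "key-C"},
    {"service": "old.example.test:443",  "protocols": {"SSLv2"},            "rsa_key": "key-D"},
]

def drown_exposure(inventory):
    """Map each TLS service to the SSLv2 services that present the same RSA key."""
    sslv2_by_key = defaultdict(list)
    for svc in inventory:
        if "SSLv2" in svc["protocols"]:
            sslv2_by_key[svc["rsa_key"]].append(svc["service"])
    exposed = {}
    for svc in inventory:
        offers_tls = any(p.startswith("TLS") for p in svc["protocols"])
        sources = sslv2_by_key.get(svc["rsa_key"], [])
        # Both conditions from the advisory must hold: TLS traffic exists to
        # be collected, and the same RSA key is reachable through SSLv2.
        if offers_tls and sources:
            exposed[svc["service"]] = sorted(sources)
    return exposed

def remediation(inventory):
    """Services where SSLv2 has to be disabled to clear every finding."""
    exposed = drown_exposure(inventory)
    return sorted({src for sources in exposed.values() for src in sources})

if __name__ == "__main__":
    for tls_svc, sources in drown_exposure(INVENTORY).items():
        print(f"{tls_svc}: RSA key also served over SSLv2 by {', '.join(sources)}")
    print("Disable SSLv2 on:", ", ".join(remediation(INVENTORY)))
```

Note that www.example.test is reported even though it accepts TLS only,
because mail.example.test offers the same key over SSLv2.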

This advisory will be updated as additional information becomes
available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================



