SCSP 3rd Party Component Security Alert information

book

Article ID: 159339

calendar_today

Updated On:

Products

Critical System Protection Critical System Protection Client Edition

Issue/Introduction

SSL/TLS MITM vulnerability (CVE-2014-0224)

CVE-2014-0224 could allow for a man-in-the-middle attack against an encrypted connection.  The vulnerability can only be exploited if both server and client are vulnerable to this issue.  In the event that one of the two is vulnerable, there is no risk of exploitation.  Since the SCSP server does not use OpenSSL for communications with the SCSP agent, SCSP is not susceptible to this vulnerability.  This is true for all releases of SCSP and SDCSS.

DTLS recursion flaw (CVE-2014-0221)

The SCSP/SDCSS agent uses OpenSSL for TLS connections to the SCSP management server, it does not use the DTLS protocol.  Therefore SCSP is not susceptible to this vulnerability. 

DTLS invalid fragment vulnerability (CVE-2014-0195)

The SCSP/SDCSS agent uses OpenSSL for TLS connections to the SCSP management server, it does not use the DTLS protocol. Therefore SCSP is not susceptible to this vulnerability. 

SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)

SCSP 5.2.9 and later is not susceptible to CVE-2014-0198 -- SCSP/SDCSS does not enable the SSL_MODE_RELEASE_BUFFERS feature within OpenSSL.  

SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)

SCSP 5.2.9 and later is not susceptible to CVE-2010-5298 -- SCSP/SDCSS does not enable the SSL_MODE_RELEASE_BUFFERS feature within OpenSSL.  

Anonymous ECDH denial of service (CVE-2014-3470)

OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.  The SCSP server controls what cipher suite is used in the server/agent communications.  The SCSP server does not support anonymous ECDH ciphersuites in its default configuration.  Therefore SCSP is not susceptible to this vulnerability in its default configuration.

 

Resolution

SCSP/SDCSS is not vulnerable to any of these vulnerabilities.