Reset Search
 

 

Article

JSA10544 - 2012-11 Security Bulletin: Steel-Belted Radius: Multiple OpenSSL Vulnerabilities

« Go Back

Information

 
Product AffectedSteel-Belted Radius Carrier (SBR Carrier) 7.4<br/>
Steel-Belted Radius Carrier (SBR Carrier) 7.3<br/>
Steel-Belted Radius Carrier (SBR Carrier) 7.2.4<br/>
Steel-Belted Radius Carrier (SBR Carrier) 7.2<br/>
Steel-Belted Radius v6.1.0 (Enterprise, Global En
Problem

OpenSSL software distributed with Steel-Belted Radius is vulnerable to CVE-2011-4619, and CVE-2011-4576. These may allow decrypting encrypted information or cause a denial of service condition for the Steel-Belted Radius server.

CVE-2011-4576 The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
CVSS v2 Base Score:5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2011-4619 The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service condition.
CVSS v2 Base Score:5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Solution
These vulnerabilities are fixed in:
Steel-Belted Radius Carrier (SBR Carrier) 7.4.1 or later
SBR EE Software 6.1.7 or later
SBR GE Software 6.1.7 or later
 

 

Workaround
There are no viable workarounds that can mitigate these vulnerabilities for Steel-Belted Radius products.
Use access lists or firewall filters to limit access to the Steel-Belted Radius server only from trusted hosts.
Implementation
Related Links
CVSS Score5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Risk Assessment
Acknowledgements
Alert TypePSN - Product Support Notification
Risk LevelMedium
Attachment 1 
Attachment 2 
Legacy IDPSN-2012-11-768, JSA10544

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255