* First let me say that SSL having vulnerabilities in any router product does not make YOU automatically vulnerable on computers behind the router. The SSL that THEY are talking about runs in the router itself. YOU DON'T USE that SSL in the router to, say, connect to your bank. You use SSL in your browser / operating system. — Alan Spicer.
Multiple Vulnerabilities in OpenSSL
The OpenSSL project released an advisory on June 5, 2014, which describes newly discovered vulnerabilities.
Some CradlePoint products utilize OpenSSL and are affected by this advisory.
CradlePoint Enterprise Cloud Manager – All Enterprise Cloud Manager instances updated with security fixes on 6/9/14 8 p.m. EDT
CradlePoint WiPipe Central – All WiPipe Central instances updated with security fixes on 6/9/14 8 p.m. EDT
CradlePoint Routers: Models listed below
The latest OpenSSL version 1.0.1h has been merged into the CradlePoint router firmware base and is expected to be released in the 5.2.0 firmware release on June 30, 2014.
Note that CBR400/450 and MBR95 are at End of Life and are affected, and there are no current plans to update them.
These vulnerabilities are mitigated in CradlePoint Enterprise Cloud Manager and WiPipe Central because the systems have been updated as of 6/9/14 8 p.m. EDT.
Regarding CradlePoint routers, we believe at this time that the CVE-2014-0224 vulnerability has the highest chance to be an issue for our customers, even though the potential risk is small. If either the client or the server (router) has been updated to the latest OpenSSL version, then this is no longer an issue.
SSL/TLS MITM vulnerability (CVE-2014-0224) may allow an attacker with a privileged network position (man-in-the-middle) to decrypt SSL encrypted communications.
DTLS recursion flaw (CVE-2014-0221) may allow an attacker to crash a DTLS client with an invalid handshake.
DTLS invalid fragment vulnerability (CVE-2014-0195) can result in a buffer overrun attack by sending invalid DTLS fragments to an OpenSSL DTLS client or server.
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298) may allow an attacker to cause a denial of service under certain conditions, when SSL_MODE_RELEASE_BUFFERS is enabled.
Anonymous ECDH denial of service (CVE-2014-3470) may allow an attacker to trigger a denial of service in SSL clients when anonymous ECDH ciphersuites are enabled.
More information on these issues can be found in the original OpenSSL advisory.
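The statement above that CVE-2014-0224 stops being an issue once either the client or the server is updated can be checked against an inventory of OpenSSL versions. The following is an added example, not code from CradlePoint or the OpenSSL project. The fixed releases for the 0.9.8 and 1.0.0 branches and the rule that only 1.0.1 servers are affected come from the OpenSSL advisory rather than this page, and the function names and sample version pairs are constructed for illustration.

```python
import re

# Fixed release letter per branch, per the OpenSSL advisory of June 5, 2014.
# This page names only 1.0.1h; 0.9.8za and 1.0.0m are taken from the advisory.
FIXED = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}

def parse(version):
    """Split '1.0.1g' into ((1, 0, 1), 'g'); a bare '1.0.1' gives letter ''."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]{0,2})", version.strip().lower())
    if not m:
        # Beta and vendor-suffixed builds are out of scope for this check.
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return tuple(int(g) for g in m.groups()[:3]), m.group(4)

def patched(version):
    """True if this release carries the CVE-2014-0224 fix."""
    branch, letter = parse(version)
    if branch not in FIXED:
        raise ValueError(f"branch not covered by the 2014 advisory: {version!r}")
    fixed = FIXED[branch]
    # Letter suffixes order as '' < a < ... < z < za, so compare length first.
    return (len(letter), letter) >= (len(fixed), fixed)

def server_affected(version):
    """Per the OpenSSL advisory, only unpatched 1.0.1 servers are affected."""
    branch, _ = parse(version)
    return branch == (1, 0, 1) and not patched(version)

def mitm_possible(client, server):
    """The attack needs an unpatched client AND an affected server."""
    return (not patched(client)) and server_affected(server)

if __name__ == "__main__":
    # Constructed (client, server) pairs, e.g. admin workstation to router UI.
    inventory = [("1.0.1g", "1.0.1g"), ("1.0.1h", "1.0.1g"),
                 ("1.0.1g", "1.0.1h"), ("0.9.8y", "1.0.0l")]
    for client, server in inventory:
        state = "EXPOSED" if mitm_possible(client, server) else "ok"
        print(f"client {client:8} server {server:8} {state}")
```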
Alan Spicer Marine Telecom
+1 954 683 3426
communications @ marinetelecom.net