SSLv3 vulnerability, a.k.a. POODLE

hasherati · October 17, 2014, 4:07am

Per the SSLv3 vulnerabilities that came out on 10/14:

There doesn’t seem to be a way to adjust the HTTPS cipher settings to turn off the SSLv3 protocol (Balance 210 6.1.2 build 2717).
Really surprised I wasn’t able to find any mention of this yet on the forums or I’m totally missing it. Pretty serious issue. If it’s being discussed elsewhere, please do redirect me. Otherwise… will Peplink be releasing a patch to either disable SSLv3 or allow their customers to adjust the cipher settings?

Thanks!
Tom

pepuser · October 17, 2014, 6:10am

Tom,

We’re looking for the same information here - also finding no mention from anyone. I’m just tagging this on as a +1

Thanks,

Aron

rossh_pl · October 17, 2014, 7:37pm

Yes. Time for an update guys. Close off SSL3. Also time to update the cert and signature on the installed cert to SHA-256. The only browser that will loose access is old and not updated XP with original IE6, which hardly matters.

However, I’m surprised to also see TLS 1.2 is on. So it seems the opportunity to really update the TLS that the inbuilt https server provides.

You can get a look at your peplink https / TLS behavior with this

SSL Server Test (Powered by Qualys SSL Labs)

Keith · October 18, 2014, 1:32am

Quick update: Peplink is working on the security fix to be available in 6.2 GA. Thank you once again for your kind reminders.

hasherati · October 20, 2014, 1:51am

Thanks Keith, will the security patched 6.2 be available as a free upgrade for 6.1.2 users? Also, when are you targeting for a release date?

Tim_S · October 20, 2014, 10:43am

Yes, the update will be free. 6.2 is in beta build 2 right now so it shouldn’t be too much longer.

Keith · October 20, 2014, 4:09pm

Our security advisory is posted: Peplink | Pepwave - Forum

Disabling SSLv3 in your web browsers is a good enough measure for the short term. We will release updated firmwares in Nov.