SSLv3 vulnerability, a.k.a. POODLE


#1

Per the SSLv3 vulnerabilities that came out on 10/14:

There doesn’t seem to be a way to adjust the HTTPS cipher settings to turn off the SSLv3 protocol (Balance 210 6.1.2 build 2717).
Really surprised I wasn’t able to find any mention of this yet on the forums or I’m totally missing it. Pretty serious issue. If it’s being discussed elsewhere, please do redirect me. Otherwise… will Peplink be releasing a patch to either disable SSLv3 or allow their customers to adjust the cipher settings?

Thanks!
Tom


#2

Tom,

We’re looking for the same information here - also finding no mention from anyone. I’m just tagging this on as a +1

Thanks,

Aron


#3

Yes. Time for an update, guys. Close off SSL3. Also time to update the cert and signature on the installed cert to SHA-256. The only browser that will lose access is old and not updated XP with original IE6, which hardly matters.

However, I’m surprised to also see TLS 1.2 is on. So it seems the opportunity to really update the TLS that the inbuilt https server provides.

You can get a look at your Peplink HTTPS / TLS behavior with this:

https://www.ssllabs.com/ssltest/index.html
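Added example, not part of the original thread and not Peplink's code: the SSL Labs test only reaches hosts exposed to the internet, so a router admin interface on the LAN needs a local check. This Python example sends a bare SSLv3 ClientHello and reports whether the server answers with an SSLv3 ServerHello; the function names and outcome strings are assumptions made for illustration.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"
# Cipher suites usable with SSLv3: RSA with AES128-CBC-SHA, AES256-CBC-SHA,
# 3DES-EDE-CBC-SHA and RC4-128-SHA.
SUITES = (0x002F, 0x0035, 0x000A, 0x0005)


def build_client_hello(random_bytes=None):
    """Return one SSLv3 record carrying a ClientHello (SSLv3 has no extensions)."""
    random_bytes = random_bytes or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (SSL3 + random_bytes
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # null compression only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify(reply):
    """Interpret the first bytes the server sent back to the SSLv3 hello."""
    if len(reply) < 5:
        return "no-reply"            # closed, reset or timed out
    if reply[0] == 0x15:
        return "rejected"            # alert record, e.g. handshake_failure
    if reply[0] == 0x16 and len(reply) >= 11 and reply[5] == 0x02:
        # ServerHello: bytes 9-10 are the protocol version the server chose.
        return "sslv3-accepted" if reply[9:11] == SSL3 else "other"
    return "other"


def probe(host, port=443, timeout=5.0):
    """Send the hello to host:port and classify the reply."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(build_client_hello())
            while len(reply) < 11:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except OSError:
            pass                     # reset or timeout after connecting
    return classify(reply)
```

Call `probe("192.0.2.1")` with your own device's address in place of the documentation placeholder; `sslv3-accepted` means the firmware still negotiates SSLv3.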


#4

Quick update: Peplink is working on the security fix to be available in 6.2 GA. Thank you once again for your kind reminders.


#5

Thanks Keith, will the security patched 6.2 be available as a free upgrade for 6.1.2 users? Also, when are you targeting for a release date?


#6

Yes, the update will be free. 6.2 is in beta build 2 right now so it shouldn’t be too much longer.


#7

Our security advisory is posted: https://forum.peplink.com/threads/3817-Security-Advisory-SSLv3-POODLE-Vulnerability-(CVE-2014-3566)

Disabling SSLv3 in your web browsers is a good enough measure for the short term. We will release updated firmwares in Nov.