
NetSight Poodle Attack TLS cipher suites


Hi,

Our internal audit team found a few protocol warnings in the communication between our NetSight server and a few NAC-enabled switches (the firewall generated alarms).
I think that these warnings are generated when the identity management sends out information to NetSight via the xmlc-configuration.
The threat ID says that NetSight is using TLS 1.0 with CBC, which is vulnerable to the POODLE attack.

Now the question: Is there a way to influence which cipher suites are accepted for TLS connections, both in EXOS and on the NetSight server?
Are there maybe patches? EXOS is 16.1.3.6-patch6 on most devices.

Best Regards
Chacko

2 replies

Great find by your security team! I would love to know the answer to this and/or would like to see this patched!
Hi Chacko,
Here's our Vulnerability Notice on the POODLE attack: https://extremeportal.force.com/ExtrArticleDetail?n=000008192
I'm seeing some conflicting information, but I believe this has been fixed and that there are options in some of the latest EXOS releases that will allow you to edit which ciphers are used. I'll send some emails internally to get more information.

-Drew
