The Heartbleed Bug


The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

http://www.heartbleed.com/

The Heartbleed Bug and Cisco

 

OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products

Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.

The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. An exploit could send a specially crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords.
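As an added illustration of the missing bounds check described above (example code written for this page, not Cisco's or OpenSSL's code), the following C program simulates a heartbeat handler over a constructed 64-byte memory arena. `heartbeat_reply_unchecked` mirrors the pre-fix logic: it trusts the 16-bit payload length carried in the message (up to 65535 bytes, which is where the 64-kilobyte chunks come from) and echoes that many bytes, so a request that claims more payload than it actually carries gets back whatever sits next to the record in memory. `heartbeat_reply_checked` adds the comparison against the record length that the fix introduced. The arena layout, the function names and the planted `SESSION-COOKIE` string are all constructed for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (at least 16 bytes)
 * The receiver answers a request by echoing payload_length bytes of payload. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed demo: a 64-byte arena standing in for process memory. A heartbeat
 * record carrying a 4-byte payload ("ping") occupies the first 23 bytes; a
 * made-up secret is placed right after it, as neighbouring heap data would be. */
#define ARENA_LEN   64
#define RECORD_LEN  (1 + 2 + 4 + HB_PADDING)   /* 23: the length the TLS record layer reports */
static const char NEIGHBOUR_SECRET[] = "SESSION-COOKIE=abc123";

static void build_arena(unsigned char *arena, uint16_t claimed_payload_len) {
    memset(arena, 0, ARENA_LEN);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_payload_len >> 8);
    arena[2] = (unsigned char)(claimed_payload_len & 0xff);
    memcpy(arena + 3, "ping", 4);               /* the only payload really sent */
    memcpy(arena + RECORD_LEN, NEIGHBOUR_SECRET, sizeof NEIGHBOUR_SECRET - 1);
}

/* Pre-fix behaviour: the payload length is taken from the message and never
 * compared with the record length, so the reply copies whatever follows the
 * real payload in memory. Returns the reply length, or -1. The single check on
 * the arena size exists only so this simulation stays inside its own buffer. */
static int heartbeat_reply_unchecked(const unsigned char *arena, size_t rrec_length,
                                     unsigned char *out, size_t out_len) {
    (void)rrec_length;                           /* the bug: record length is ignored */
    if (arena[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)arena[1] << 8) | arena[2];
    if (3 + payload + HB_PADDING > out_len) return -1;
    if (3 + payload > ARENA_LEN) return -1;      /* demo-only guard, not part of the bug */
    out[0] = HB_RESPONSE;
    out[1] = arena[1];
    out[2] = arena[2];
    memcpy(out + 3, arena + 3, payload);        /* reads past the 4 real payload bytes */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Fixed behaviour: discard the message if header, claimed payload and
 * minimum padding do not fit inside the record that was actually received. */
static int heartbeat_reply_checked(const unsigned char *arena, size_t rrec_length,
                                   unsigned char *out, size_t out_len) {
    if (rrec_length < 1 + 2 + HB_PADDING) return -1;           /* too short to be a heartbeat */
    if (arena[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)arena[1] << 8) | arena[2];
    if (1 + 2 + payload + HB_PADDING > rrec_length) return -1; /* the missing bounds check */
    if (3 + payload + HB_PADDING > out_len) return -1;
    out[0] = HB_RESPONSE;
    out[1] = arena[1];
    out[2] = arena[2];
    memcpy(out + 3, arena + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Build the arena with the given claimed length, run the chosen handler and
 * return the reply length (-1 when the message is rejected). */
static int reply_len(uint16_t claimed, int use_fix) {
    unsigned char arena[ARENA_LEN], out[128];
    build_arena(arena, claimed);
    return use_fix ? heartbeat_reply_checked(arena, RECORD_LEN, out, sizeof out)
                   : heartbeat_reply_unchecked(arena, RECORD_LEN, out, sizeof out);
}

/* 1 if the constructed neighbour secret appears in the reply, else 0. */
static int reply_leaks(uint16_t claimed, int use_fix) {
    unsigned char arena[ARENA_LEN], out[128];
    build_arena(arena, claimed);
    int n = use_fix ? heartbeat_reply_checked(arena, RECORD_LEN, out, sizeof out)
                    : heartbeat_reply_unchecked(arena, RECORD_LEN, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, "SESSION-COOKIE");
}

int main(void) {
    printf("honest request (4 bytes): unchecked=%d checked=%d\n", reply_len(4, 0), reply_len(4, 1));
    printf("claims 40 bytes: unchecked len=%d leaks=%d | checked len=%d leaks=%d\n",
           reply_len(40, 0), reply_leaks(40, 0), reply_len(40, 1), reply_leaks(40, 1));
    return 0;
}
```

For an honest 4-byte request both handlers produce a 23-byte reply; when the message claims 40 bytes, the unchecked handler returns 59 bytes that include the planted secret, while the checked handler rejects the message because 1 + 2 + 40 + 16 exceeds the 23-byte record. This is the same test a patched OpenSSL applies, which is why the fix is a single comparison rather than a protocol change.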

Please note that the devices that are affected by this vulnerability are the devices acting as an SSL server terminating SSL connections or devices acting as an SSL Client initiating an SSL connection. Devices that are simply traversed by SSL traffic without terminating it are not affected.

This advisory will be updated as additional information becomes available. Cisco will release free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities may be available. This advisory is available at the following link:

http://www.cisco.com/web/about/security/intelligence/ERP-Heartbleed.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

 

The following Cisco products have been analyzed and are not affected by this vulnerability:

  • Cisco IP Video Phone E20
  • Cisco TelePresence MXP Series
  • Cisco TelePresence Advanced Media Gateway Series
  • Cisco TelePresence IP VCR Series
  • Cisco TelePresence MCU all series

 

The following Cisco products are currently under investigation:

  • Cisco TelePresence Movi with Precision HD USB / Jabber Video
  • Cisco TelePresence Recording Server
  • Tandberg 770/880/990 Series
  • Tandberg Codian ISDN GW 3210/3220/3240
  • Tandberg Codian MSE 8310 model

 

TelePresence Products Vulnerable to Heartbleed
  

Endpoints

 

Infrastructure

  • Cisco Unified Communications Manager (UCM) 10.0 [CSCuo17440]
  • Cisco TelePresence Video Communication Server (VCS) [CSCuo16472]
  • Cisco Expressway Series [CSCuo16472]
  • Cisco TelePresence Conductor [CSCuo20306]
  • Cisco TelePresence IP Gateway Series [CSCuo21597]
  • Cisco TelePresence ISDN GW 3241 [CSCuo21486]
  • Cisco TelePresence ISDN GW MSE 8321 [CSCuo21486]
  • Cisco TelePresence ISDN Link [CSCuo26686]
  • Cisco TelePresence Serial Gateway Series [CSCuo21535]
  • Cisco TelePresence Server 8710, 7010 [CSCuo21468]
  • Cisco TelePresence Server on Multiparty Media 310, 320 [CSCuo21468]
  • Cisco TelePresence Server on Virtual Machine [CSCuo21468]
  • Cisco TelePresence Supervisor MSE 8050 [CSCuo21584]

 

TelePresence Server Conferencing Capacity on Various Platforms

Maximum calls by hardware type, with licenses to provide 100% of capacity. The number of screen licenses each platform holds is given in parentheses in its column heading.

| Call Type | Main Video | Audio | Content | Screen Licenses Required Per Call | 8-core Virtual Machine (4) | 10-core Virtual Machine (6) | Media 310 or MCU 5310 (5) | Media 320 or MCU 5320 (10) | 7010 (12) | MSE 8710 or MCU MSE 8510 (12) | Biggest Appliance Cluster, two appliances (20) | Biggest Blade Cluster, four blades (48) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| | | Mono | | 1/5 | 104* | 104* | 104* | 104* | 104* | 104* | 104* | 104* |
| | 360p30 | Mono | In main video | | 32 | 48 | 41 | 81 | 97 | 97 | 104* | 104* |
| | 480p30 | Mono | In main video | ¼ | 16 | 24 | 20 | 40 | 48 | 48 | 80 | 104* |
| | 480p30 | Stereo | 720p5 | | 12 | 18 | 15 | 30 | 36 | 36 | 60 | 104* |
| | 720p30 | Stereo | 720p5 | ½ | 8 | 12 | 10 | 20 | 24 | 24 | 40 | 96 |
| | 720p30 | Stereo | 720p30 | 1 | 4 | 6 | 5 | 10 | 12 | 12 | 20 | 48 |
| | 1080p30 | Stereo | 720p15 | 1 | 4 | 6 | 5 | 10 | 12 | 12 | 20 | 48 |
| | 720p60 | Stereo | 720p15 | 1 | 4 | 6 | 5 | 10 | 12 | 12 | 20 | 48 |
| | 1080p30 | Stereo | 720p30 | 1½ | 2 | 4 | 3 | 6 | 8 | 8 | 12 | 32 |
| Three-screen | 720p30 | Multichannel | 720p5 | | 2 | 4 | 3 | 6 | 8 | 8 | 13 | 32 |
| Three-screen | 720p30 | Multichannel | 720p30 | 2 | 2 | 3 | 2 | 5 | 6 | 6 | 10 | 24 |
| | 1080p30 | Stereo | 1080p30 | 2 | 2 | 3 | 2 | 4 | 6 | 6 | 8 | 24 |
| Dual-screen | 1080p30 | Stereo | 720p30 | 2 | 2 | 3 | 2 | 4 | 6 | 6 | 8 | 24 |
| Three-screen | 1080p | Multichannel | 720p30 | 3 | 1 | 2 | 1 | 2 | 4 | 4 | 4 | 16 |
| Three-screen | 1080p | Multichannel | 1080p30 | 4 | 1 | 1 | 1 | 2 | 3 | 3 | 4 | 12 |
| Four-screen | 1080p | Stereo | 1080p30 | 4 | 1 | 1 | 1 | 2 | 3 | 3 | 4 | 12 |

 

* 104 is the maximum number of calls that is possible on a TelePresence Server.

The TelePresence Server needs the Third Party Interop feature key to host conferences with multi-screen endpoints that are not third party interoperable. This includes all multi-screen endpoints except the Cisco TelePresence System T3 and TIP-compatible endpoints.

Requires TelePresence Conductor.

Note: The table above assumes that calls of one type are being used to reach these maximum values. To calculate the total number of licenses required for a variety of concurrent calls, sum the screen licenses required for each concurrent call.