The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
http://www.heartbleed.com/
The Heartbleed Bug and Cisco
OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.
The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. An exploit could send a specially crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords.
Please note that the devices affected by this vulnerability are those acting as an SSL server terminating SSL connections or as an SSL client initiating an SSL connection. Devices that are simply traversed by SSL traffic without terminating it are not affected.
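To make the "missing bounds check" in the advisory concrete, here is an added example that is not part of this page and is not Cisco's or OpenSSL's code. It models a heartbeat record in the RFC 6520 layout (type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) and contrasts a handler that trusts the declared length with one that first checks it against the number of bytes actually received. The 64-byte "process memory" buffer, the 'S' bytes standing in for unrelated secrets, and the function names are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record layout (RFC 6520), constructed for this example:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER_LEN = 3, HB_MIN_PADDING = 16 };

/* The check that was missing: the payload_length the peer claims must fit inside
 * the bytes that actually arrived, leaving room for the minimum padding.
 * Returns 1 if the record is consistent, 0 if it must be discarded. */
int heartbeat_length_ok(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    return HB_HEADER_LEN + payload_len + HB_MIN_PADDING <= rec_len;
}

/* Build the echo response. With validate == 0 this behaves like the buggy handler:
 * it trusts payload_length and copies that many bytes from the record buffer,
 * reading past the record's real end. With validate == 1 the record is checked
 * first. Returns the response length, or -1 if the record is rejected. */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap, int validate)
{
    if (rec_len < HB_HEADER_LEN || rec[0] != HB_REQUEST)
        return -1;
    if (validate && !heartbeat_length_ok(rec, rec_len))
        return -1;                      /* hardened path: silently discard */

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    /* Unvalidated, this copy reads beyond the received record: the over-read. */
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

/* Constructed "process memory": a 23-byte request ("ping" + 16 bytes of padding)
 * followed by bytes marked 'S', standing in for unrelated data that happens to
 * sit after the record in memory. */
#define MEM_SIZE 64
#define RECEIVED_REC_LEN 23
static void setup_memory(uint8_t *mem, uint16_t claimed_payload_len)
{
    memset(mem, 'S', MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_payload_len >> 8);
    mem[2] = (uint8_t)(claimed_payload_len & 0xff);
    memcpy(mem + 3, "ping", 4);
    memset(mem + 7, 0, HB_MIN_PADDING);
}

/* Unvalidated handler on a record that claims 40 payload bytes but only carries
 * 23: returns how many 'S' bytes end up in the response (expected 20). */
int demo_leaked_secret_bytes(void)
{
    uint8_t mem[MEM_SIZE], out[128];
    setup_memory(mem, 40);
    int n = build_heartbeat_response(mem, RECEIVED_REC_LEN, out, sizeof out, 0);
    if (n < 0)
        return -1;
    int leaked = 0;
    for (int i = 0; i < n; i++)
        leaked += (out[i] == 'S');
    return leaked;
}

/* Same inconsistent record through the validated handler: -1 means discarded. */
int demo_hardened_result(void)
{
    uint8_t mem[MEM_SIZE], out[128];
    setup_memory(mem, 40);
    return build_heartbeat_response(mem, RECEIVED_REC_LEN, out, sizeof out, 1);
}

/* A consistent request (claims 4 bytes, carries 23) is still answered: 23. */
int demo_honest_result(void)
{
    uint8_t mem[MEM_SIZE], out[128];
    setup_memory(mem, 4);
    return build_heartbeat_response(mem, RECEIVED_REC_LEN, out, sizeof out, 1);
}

int main(void)
{
    printf("consistent request, validated: %d\n", demo_honest_result());
    printf("inconsistent request, validated: %d\n", demo_hardened_result());
    printf("inconsistent request, unvalidated: %d secret bytes leaked\n",
           demo_leaked_secret_bytes());
    return 0;
}
```

The comparison is the whole lesson: the declared length is attacker-controlled input, and the only safe reference is the length of the record the TLS layer actually delivered. A regression test for any heartbeat or length-prefixed record parser should include exactly the inconsistent case above (declared length larger than the received record) and assert that it is discarded rather than echoed.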
This advisory will be updated as additional information becomes available. Cisco will release free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities may be available. This advisory is available at the following link:
http://www.cisco.com/web/about/security/intelligence/ERP-Heartbleed.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
The following Cisco products have been analyzed and are not affected by this vulnerability:
- Cisco IP Video Phone E20
- Cisco TelePresence MXP Series
- Cisco TelePresence Advanced Media Gateway Series
- Cisco TelePresence IP VCR Series
- Cisco TelePresence MCU all series
The following Cisco products are currently under investigation:
- Cisco TelePresence Movi with Precision HD USB / Jabber Video
- Cisco TelePresence Recording Server
- Tandberg 770/880/990 Series
- Codian ISDN GW 3210/3220/3240
- Tandberg Codian MSE 8310 model
TelePresence Products Vulnerable to Heartbleed
Endpoints
Infrastructure
- Cisco Unified Communications Manager (UCM) 10.0 [CSCuo17440]
- Cisco TelePresence Video Communication Server (VCS) [CSCuo16472]
- Cisco Expressway Series [CSCuo16472]
- Cisco TelePresence Conductor [CSCuo20306]
- Cisco TelePresence IP Gateway Series [CSCuo21597]
- Cisco TelePresence ISDN GW 3241 [CSCuo21486]
- Cisco TelePresence ISDN GW MSE 8321 [CSCuo21486]
- Cisco TelePresence ISDN Link [CSCuo26686]
- Cisco TelePresence Serial Gateway Series [CSCuo21535]
- Cisco TelePresence Server 8710, 7010 [CSCuo21468]
- Cisco TelePresence Server on Multiparty Media 310, 320 [CSCuo21468]
- Cisco TelePresence Server on Virtual Machine [CSCuo21468]
- Cisco TelePresence Supervisor MSE 8050 [CSCuo21584]