The Heartbleed Bug


The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

http://www.heartbleed.com/

The Heartbleed Bug and Cisco


OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products

Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.

The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. An attacker could exploit it by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, when targeting an affected server, or a malicious TLS or DTLS server, when targeting an affected client, and sending a specially crafted TLS or DTLS heartbeat packet to the connected peer. A successful exploit could disclose a limited portion of memory from the connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information, including private keys and passwords.
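To make the "missing bounds check" concrete, the following is an added example written for this page; it is not Cisco's or OpenSSL's code. It models the heartbeat message body from RFC 6520 (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) and shows a responder that trusts the embedded length field next to one that validates it against the length of the record actually received, which is the shape of the OpenSSL fix. The record bytes, the "ping" payload and the neighbouring "SECRET-KEY-MATERIAL" bytes are all constructed sample data living in one fixed-size arena, so the demonstration never reads outside memory it owns.

```c
/* Added example (not Cisco's or OpenSSL's code): simplified TLS heartbeat
 * responder, unpatched pattern beside the patched one.
 * Message body layout (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define REAL_REC_LEN 23   /* 3-byte header + 4-byte payload + 16-byte padding */

/* Unpatched pattern: copies payload_length bytes from the start of the
 * payload without asking how long the received record really was. */
static int hb_respond_unpatched(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    (void)rec_len;                       /* never consulted: this is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = 3 + payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);   /* reads past the record when
                                                payload_len > rec_len - 3 */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Patched pattern: the claimed payload plus header and padding must fit
 * inside the record that arrived; otherwise the message is dropped silently. */
static int hb_respond_patched(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;        /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return -1; /* the missing check */
    size_t resp_len = 3 + payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Constructed arena: a 23-byte request carrying a 4-byte payload, followed by
 * bytes standing in for unrelated process memory. claimed_len is the value
 * written into the message's own length field. */
static void build_arena(uint8_t *arena, size_t n, uint16_t claimed_len)
{
    memset(arena, 0, n);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, "ping", 4);                        /* real payload */
    memcpy(arena + REAL_REC_LEN, "SECRET-KEY-MATERIAL", 19); /* neighbouring data */
}

/* Honest request (claims 4 bytes, carries 4): patched responder answers. */
int patched_valid_response_len(void)
{
    uint8_t arena[64], out[128];
    build_arena(arena, sizeof arena, 4);
    return hb_respond_patched(arena, REAL_REC_LEN, out, sizeof out);
}

/* Request claims 40 payload bytes but the record is only 23 long: rejected. */
int patched_rejects_overlong(void)
{
    uint8_t arena[64], out[128];
    build_arena(arena, sizeof arena, 40);
    return hb_respond_patched(arena, REAL_REC_LEN, out, sizeof out);
}

/* Same over-long request through the unpatched responder: returns how many
 * bytes of the neighbouring "secret" region were echoed back in the response. */
int unpatched_leak_count(void)
{
    uint8_t arena[64], out[128];
    build_arena(arena, sizeof arena, 40);
    if (hb_respond_unpatched(arena, REAL_REC_LEN, out, sizeof out) < 0) return -1;
    /* out[3+i] mirrors arena[3+i]; arena[23..42) lands at out[23..42) */
    return memcmp(out + REAL_REC_LEN, "SECRET-KEY-MATERIAL", 19) == 0 ? 19 : 0;
}

int main(void)
{
    printf("patched, valid request -> response length %d\n", patched_valid_response_len());
    printf("patched, over-long claim -> %d (dropped)\n", patched_rejects_overlong());
    printf("unpatched, over-long claim -> %d neighbouring bytes echoed\n", unpatched_leak_count());
    return 0;
}
```

The point for operators is that the fix is entirely on the terminating endpoint: a device that parses heartbeat messages must compare the length field against the record it received, which is why only SSL/TLS-terminating devices appear in the affected lists below and pass-through devices do not.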

Please note that the devices affected by this vulnerability are those acting as an SSL server terminating SSL connections, or as an SSL client initiating an SSL connection. Devices that are simply traversed by SSL traffic without terminating it are not affected.

This advisory will be updated as additional information becomes available. Cisco will release free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities may be available. This advisory is available at the following links:

http://www.cisco.com/web/about/security/intelligence/ERP-Heartbleed.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed


The following Cisco products have been analyzed and are not affected by this vulnerability:

  • Cisco IP Video Phone E20
  • Cisco TelePresence MXP Series
  • Cisco TelePresence Advanced Media Gateway Series
  • Cisco TelePresence IP VCR Series
  • Cisco TelePresence MCU all series


The following Cisco products are currently under investigation:

  • Cisco TelePresence Movi with Precision HD USB / Jabber Video
  • Cisco TelePresence Recording Server
  • Tandberg 770/880/990 Series Tandberg
  • Codian ISDN GW 3210/3220/3240
  • Tandberg Codian MSE 8310 model


TelePresence Products Vulnerable to Heartbleed

Endpoints


Infrastructure

  • Cisco Unified Communications Manager (UCM) 10.0 [CSCuo17440]
  • Cisco TelePresence Video Communication Server (VCS) [CSCuo16472]
  • Cisco Expressway Series [CSCuo16472]
  • Cisco TelePresence Conductor [CSCuo20306]
  • Cisco TelePresence IP Gateway Series [CSCuo21597]
  • Cisco TelePresence ISDN GW 3241 [CSCuo21486]
  • Cisco TelePresence ISDN GW MSE 8321 [CSCuo21486]
  • Cisco TelePresence ISDN Link [CSCuo26686]
  • Cisco TelePresence Serial Gateway Series [CSCuo21535]
  • Cisco TelePresence Server 8710, 7010 [CSCuo21468]
  • Cisco TelePresence Server on Multiparty Media 310, 320 [CSCuo21468]
  • Cisco TelePresence Server on Virtual Machine [CSCuo21468]
  • Cisco TelePresence Supervisor MSE 8050 [CSCuo21584]


Placing a Cisco VCS Expressway in a DMZ rather than in the public internet

The benefits of placing a Cisco TelePresence Video Communication Server (Cisco VCS) Expressway in a DMZ rather than in the public internet

Operationally, a Cisco VCS Expressway can be placed either in a DMZ or in the public internet, and in either case it will communicate with a Cisco VCS Control in the private network. However, putting the Cisco VCS Expressway in a DMZ has the following benefits:

  • Usually the Cisco VCS Expressway is managed from the Private Network or from a specified IP address or subnet only. By placing the Cisco VCS Expressway in a DMZ, the external firewall can be used to block unwanted IP traffic, including management access requests (for example, http, https, ssh).
  • If the DMZ permits no direct IP connections between the inside and outside networks, so that dedicated servers must handle any traffic that traverses it, the Cisco VCS can act as that server for SIP and H.323 video and voice traffic. In this case, you would use the Dual Network Interfaces option, which gives the Cisco VCS two different IP addresses: one for traffic to and from the external firewall, and one for traffic to and from the internal firewall.

Note that:

  • If the Cisco VCS Expressway is in the DMZ, the outside IP address of the Cisco VCS Expressway must be a public IP address, or if static NAT mode is enabled, the static NAT address must be publicly accessible.
  • LAN 2 should be used as the public interface of the Cisco VCS Expressway (if the Cisco VCS Expressway is ever clustered, LAN 1 must be used for clustering, and the clustering interface must not be mapped through a NAT).
  • The Cisco VCS Expressway may also be used to traverse internal firewalls within an enterprise. In this case the “public” IP address may not be publicly accessible, but is an IP address accessible to other parts of the enterprise.

For more information, see the “Static NAT and Dual Network Interface architectures” section in the Cisco TelePresence Video Communication Server Basic Configuration (Control with Expressway) Deployment Guide.