Heartbleed, Cisco Products and You.
By now most of you have heard of the Heartbleed software bug that was recently discovered in OpenSSL version 1.0.1 through 1.0.1f. If you have not, check out heartbleed.com, a site dedicated to information about the bug created by the group, codenomicon, that originally found the vulnerability. For those who do not want to run through pages of information about the bug and what makes it a vulnerability I’ll give you the basics.
OpenSSL’s implementation of TLS, the protocol suite that secures data transmission for many websites and applications, includes a heartbeat that is used as a keep-alive function. When working normally the heartbeat would only return a tiny amount of data back to the requester. However, back in late 2011 when the heartbeat code was last updated a bounds check was “forgotten” for the heartbeat which can allow an attacker to request up to 64kb of data from the target’s memory. The 64kb of data is from an arbitrary location in memory but there is no limit on how often you can request 64kb chunks of data from the target. Now what can an attacker glean from this data? Well a couple of important things like usernames/passwords but, more importantly the servers private key which can be used to decrypt any collected data coming and going to the server. This of course would require a man in the middle attack to intercept and store the data steam. Most major websites will patch the hole within the next few days or already have and request new certificates from their certificate provider which will negate any future data decryption. However, many governments bulk copy data flowing over the networks located in their country legally or outside their country (often illegally) and have been doing this for some time. This means that if said government were able to “recover” the old private key before a website patched OpenSSL and replaced their private certificate they could bulk decrypt all the data archives they had on hand.
So what does all this have to do with Cisco products? Well it just so happens that Cisco licenses OpenSSL for many of its products. Thankfully, most of their major product lines that are supposed to provide security like the Cisco ASA and to a lesser extent IOS devices were not affected by this bug. Additionally, most of the AnyConnect clients, which rely on SSL (TLS) were unaffected, with the exception of the Apple iOS version, which as of today has been fxied, hit up the app store to process the update. Interestingly, some of Cisco’s IP phones are affected, specifically models in the 7800, 8900 and 9900 line, which I believe are the newer units. My guess is that run the newer versions of OpenSSL where most things like the ASA (OpenSSL 0.9.8f) are still on versions of OpenSSL older than 1.0.1.
So far the list of Cisco products affected are as follows:
Cisco AnyConnect Secure Mobility Client for iOS
Cisco Desktop Collaboration Experience DX650
Cisco Unified 7800 series IP Phones
Cisco Unified 8961 IP Phone
Cisco Unified 9951 IP Phone
Cisco Unified 9971 IP Phone
Cisco TelePresence Video Communication Server (VCS)
Cisco IOS XE
Cisco Unified Communication Manager (UCM) 10.0
Cisco Universal Small Cell 5000 Series running V3.4.2.x software
Cisco Universal Small Cell 7000 Series running V3.4.2.x software
Small Cell factory recovery root filesystem V2.99.4 or later
Cisco MS200X Ethernet Access Switch
Cisco Mobility Service Engine (MSE)
Cisco TelePresence Conductor
Cisco WebEx Meetings Server versions 2.x
For a complete list of affected, non-affected and products still in testing hit up the link to Cisco’s Heartbleed page below:
Additionally, Cisco has already updated their Cisco IPS (SIDs 4187/0 and 4187/1) and Sourcefire IPS (SIDs 30510 through 30517) signatures to help mitigate the attack. Additional information can be found at the Cisco Security blog link below: