Cisco Support Community
New Member

AnyConnect Client for iOS and Heartbleed

Is it affected by Heartbleed, yes or no?

Here:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/license/open_source/Open_Source_Software_Used_In_Cisco_AnyConnect_Secure_Mobility_Client-_Release_3-0_for_Mobile.html

It states that the AnyConnect client for iOS is using OpenSSL 0.9.8r, which should not be vulnerable since the bug was introduced in 1.0.0.

However, here:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed#@ID

It states it is vulnerable.

So which is it? Any input?

1 REPLY
Cisco Employee

It is my understanding that, despite that page, Android and iOS use different versions of OpenSSL for AnyConnect. The former likely uses 0.9.8r as noted in that document while the latter uses 1.0.x, explaining why one is vulnerable (iOS) and one is not (Android).

The Heartbleed issue is now resolved in version 3.0.09353 of the client, available from the App Store:

https://itunes.apple.com/us/app/cisco-anyconnect/id392790924?mt=8

"What's New in Version 3.0.09353

Resolves CSCuo17488 – AnyConnect for iOS is vulnerable to CVE-2014-0160 – Heartbleed"
