Solved: Cisco Security Manager is vulnerable to CVE-2014-0160 - aka Heartbleed

ahmed.gadi · ‎04-14-2014

Dear All,

We have CSM 4.4.0 SP2 patch 1 installed with no default configuration.

According to cisco, CSM is under Vulnerable Products list with cisco bug ID CSCuo19265.

Do I need to take any action for my CSM ?

Thanks & Regards

Ahmed...

patoberli · ‎04-15-2014

I recommend that you restrict HTTPS access to the CSM server to the few clients that actually need access to it, until a fix has been released. That way you can at least restrict the amount of clients that could utilize this leak.

View solution in original post

kshiva · ‎04-15-2014

Hi Ahmed,

CSM 4.4.0 SP2 patch 1 is not vulnerable to heartbleed. No action required for this specific version of CSM.

Given below is list of CSM versions that are vulnerable:

CSM 4.5
CSM 4.5 SP0 PP1
CSM 4.5 SP0 PP2

View solution in original post

patoberli · ‎04-15-2014

I recommend that you restrict HTTPS access to the CSM server to the few clients that actually need access to it, until a fix has been released. That way you can at least restrict the amount of clients that could utilize this leak.

kshiva · ‎04-15-2014

Hi Ahmed,

CSM 4.4.0 SP2 patch 1 is not vulnerable to heartbleed. No action required for this specific version of CSM.

Given below is list of CSM versions that are vulnerable:

CSM 4.5
CSM 4.5 SP0 PP1
CSM 4.5 SP0 PP2

ahmed.gadi · ‎04-16-2014

Many thanks

Network Operation · ‎04-15-2014

I am running 4.5.0, it is vulnerable because I have scanned it and tested it. I see version 4.6.0 has just popped up on cisco.com. Anyone confirm if that fixes the bug?

kshiva · ‎04-15-2014

CSM 4.6 has the fix and not vulnerable.

ryancisco01 · ‎04-15-2014

Im not sure if that's true. the release notes don't state anything about fixing that big. and also looking at the opensource licenses PDF for 4.6.0 it states OpenSSL version: 1.0.1e (which is the same version as 4.5.0 and all versions 1a through 1f are vulnerable).

I would find it very odd they didn't fix it considering it was released just yesterday.

kshiva · ‎04-15-2014

Will follow up and update the documentation with correct OpenSSL Version 1.0.1g. Heartbleed vulnerability is addressed in CSM 4.6

ryancisco01 · ‎04-15-2014

Great thanks for confirmation.

Tan Stanley · ‎04-16-2014

When will the patch to resolve heartbleed issue in csm 4.5 be out??

dbrockus · ‎04-20-2014

CSM 4.5 CP3 is out and it fixes the heartbleed vulnerability.

Request CSM450_SP0_CP3_bundle.zip from TAC