cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3648
Views
80
Helpful
58
Replies

Critical OpenSSL bug in VCS (and others) CVE-2014-0160

Martin Koch
VIP Alumni
VIP Alumni

Hello there is a critical bug in openssl:

https://www.openssl.org/news/secadv_20140407.txt

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

 

 

which also affects Cisco products, incl at least the VCS:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

 

I further used a test tool and also got positive hits of that error on the conductor as well as on the web interface of TC7.1

(though a second test tool was not sure about the TC).

 

 

What I recommend:

 

* inform your local IT / security team

* check which components in your network use affected versions of openssl, there are also tools which you can use to connect to your

devices to see if they are affected. *1)

* regenerate the key and the cert so possibly old sniffed communication could not be decoded (if the attacker does not have the old key now anyhow)

* upgrade the affected components as fast as possible. You might need to contact your vendor to get an upgrade for your product

* regenerate keys and reissue certificates

* revoke old certificates

* change passwords

 

 

I also noticed that there are many VCS out which use the standard TANDBERG certificate.  Thats bad anyhow.

Please generate your own certs and best, get them signed by a proper CA.

This document will help you about that:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/X8-1/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf

 

 

*1)

Perl: https://github.com/noxxi/p5-scripts/blob/master/check-ssl-heartbleed.pl

Metasploit: https://github.com/rapid7/metasploit-framework/pull/3206

NMAP: http://nmap.org/nsedoc/scripts/ssl-heartbleed.html

OpenVaS: https://gist.github.com/RealRancor/10140249

Nessus: http://www.tenable.com/plugins/index.php?view=single&id=73412

xkcd: http://xkcd.com/1353/

 

 

As this is a critical security issue, just a short disclaimer, this is an unofficial warning, please contact

your local IT / security advisors. The information here is collected from Internet postings and is best effort.

All information, links and procedures are handled on your own risk. ;-)

The official Cisco site for this is the PSIRT (Product Security Incident Response Team) http://www.cisco.com/go/psirt

Please remember to rate helpful responses and identify

58 Replies 58

Thanks Steve !!

thanks, just need to understand a bit more about worst case here please.

obviously will depend to a large degree on how deployed but in general terms how concerned should I be that an attacker could 

- gain control of a vcs expressway in dmz and alter CPL script for ISDN GW toll call access

- gain access to info on vcs control inside network via traversal zone (on same lan port via separate fw ports) where all endpoint/ infra registrations, addressing and AD sync occurs

x7.2 on both. 8.1.1 may not be possible for a while

Many thanks

Martin Koch
VIP Alumni
VIP Alumni

The Cisco advisory got updated (please check that list and the PSIRT site for the latest info:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

 

What is listed as vulnerable:

  • Cisco AnyConnect Secure Mobility Client for iOS
  • Cisco Desktop Collaboration Experience DX650
  • Cisco Unified 7800 series IP Phones
  • Cisco Unified 8961 IP Phone
  • Cisco Unified 9951 IP Phone
  • Cisco Unified 9971 IP Phone
  • Cisco TelePresence Video Communication Server (VCS)
  • Cisco IOS XE
  • Cisco UCS B-Series (Blade) Servers
  • Cisco UCS C-Series (Stand alone Rack) Servers
  • Cisco Unified Communication Manager (UCM) 10.0

 

TelePresence devices listed "under investigation"

  • Cisco TelePresence MX Series
  • Cisco TelePresence Profile Series
  • Cisco TelePresence System 1100
  • Cisco TelePresence Recording Server

 

 

What I noticed, whats not listed (they showed positive results using the perl test tool, I reported that to Cisco):

* TelePresence Conductor

* ISDN GW

* TelePresence Server (8710)

 

Inconclusive results I (two test tools reported differently) I got on an endpoint running TC7.1

 

Please remember to rate helpful responses and identify

Cisco - What's the status of the additional TelePresence products Martin has mentioned above? Our university IT has detected the same thing at least on C-Series codecs. I'd assume the Conductor is exactly in the same situation as the VCS since they run the same OS etc. 

I encourage you to contact Cisco PSIRT and push them hard on the topic for your answers.

 

You have to understand there are policies that we employees must follow when it comes to disclosures, etc.  Cisco PSIRT is your avenue.. and if they can't answer... you're the customer push them harder :)

Hi Patrick

 

I had contacted PSIRT and they will put them under "investigation" as well.

 

I asked fo:

•         Cisco TelePresence ISDN GW 3241
•         TelePresence Server
•         EX / C / SX / MXG2 endpoints, short all what runs TC
•         Tandberg E20 (there is no SW end date mentioned in the EOL, so not sure)
•         Tandberg MXP (does not seem to be affected if I see it right)

*          other telepresence products

 

Please remember to rate helpful responses and identify

Just checked the advisory again, all TelePresence servers are affected, Supervisor MSE 8050, Conductor and other TelePresence devices have been added to the affected list.  Waiting on new software now, and for Cisco to finish the rest of the other TelePresence products that are pending testing.

Thanks Martin and Patrick for this. Interested to know with the MXP are affected as I would have through the still used OpenSSL (but maybe not)?

I was away last week but am just about to contact out partner to ensure we have the correct info.

Cheers

 

Chris

The advisory is now saying that the MXPs are not affected (they're based on a eCos Operating System rather than a Linux one).

I've also sent a request clarification on both TMS and the TelePresence Content Server.  Both these (TMS and TCS) run on Windows, which isn't vulnerable, but requesting confirmation on the apps themselves as they're not mentioned in the Security Advisory as either affected or not.  I'm expecting that they're not affected, but for consitence and completeness, would like them to be mentioned as so in the advisory.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Wayne
--
Please remember to mark helpful responses and to set your question as answered if appropriate.

Endpoints running TC software have been confirmed vulnerable as we expected.

this is fixed in TC 7.1.1 version. this is also mentioned in release notes.

 

Regards,

 

Amit

Hi Amit,

 

How comes the Bug ID page says "Known Affected Releases" are 5.0.0 only?

https://tools.cisco.com/bugsearch/bug/CSCuo26378

 

Regards

Pinkesh

 

Hi Pinkesh,

 

not sure about it but from TC 5 version, Cisco OpenSSL version was from 1.0.1 which also fall under vulnerable Open SSL version.

Hello Amit -

Any idea when TC7.1.1 will be released to address this issue?

As well as Conductor, and other TelePresence products confirmed vulnerable?

"Any idea when TC7.1.1 will be released to address this issue?"

It's already on the web (posted today).

They released fixed versions for TC7.1.1 and TC6.3.1

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: