Cisco Support Community
New Member

HeartBleed vulnerability on AnyConnect for iOS

Does anyone have additional information on this vulnerability? This security post: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed tells us that "Cisco AnyConnect Secure Mobility Client for iOS" is an affected product, but doesn't tell us what versions are at risk.

Accepted Solutions
Cisco Employee

This build with this fix has been posted to the iTunes store.

AnyConnect for Apple iOS 3.0.09353 is now available for download from the Apple App Store

Resolves CSCuo17488 – AnyConnect for iOS is vulnerable to CVE-2014-0160 – Heartbleed

 

Download: https://itunes.apple.com/us/app/cisco-anyconnect/id392790924

Release notes: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3-0-iOS.html

 

** Please note the two upgrade instructions pasted below which are applicable to all upgrades of AnyConnect software on Apple iOS

 

Disconnect AnyConnect connection before upgrading

Please make sure your AnyConnect VPN is disconnected when you upgrade. Otherwise, you may fail to connect after the upgrade with the following error: "Could not connect to VPN server, Please verify internet connectivity and server address." This issue can be fixed by a device reboot.

 

Apple iOS Connect On Demand Considerations

To ensure proper establishment of Connect On Demand VPN tunnels after updating AnyConnect, users must manually start the AnyConnect app and establish a connection. If this is not done, upon the next iOS system attempt to establish a VPN tunnel, the error message "The VPN Connection requires an application to start up" will display.

10 REPLIES
New Member

Just got a response from Cisco TAC, only version 3.2(1130) is affected.

New Member

Can you tell us what version 3.2(1130) is available on? I am running Version: 3.0.09266 on an iPhone and looking at the iTunes App Store this is the latest version. Is the iOS version affected by the bug only specific to certain iOS devices?

Cisco Employee

https://tools.cisco.com/bugsearch/bug/CSCuo17488/?reffering_site=dumpcr

This bug is/will be fixed in 003.000(9353)

Hall of Fame Super Silver

Good find, Marcin - thanks!

Hall of Fame Super Silver

That's odd - the latest version of AnyConnect for iOS I'm aware of is 3.0.09266:

     https://itunes.apple.com/us/app/cisco-anyconnect/id392790924?mt=8

New Member

Also note that on the Windows platform the latest version I am aware of is 3.1.0x. Are they saying that even the next release will have this vulnerability?

 

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html

Hall of Fame Super Silver

jbergen01 -

Cisco AnyConnect Secure Mobility Client for desktop platforms is confirmed NOT to have the vulnerability.

 

Please refer to the URL in the OP.

New Member

I would also like to know what iOS versions are affected.
