As we dig deeper into the OpenSSL Heartbleed vulnerability, it has come to light that products from both Cisco and Juniper are affected. The flaw lets an attacker read chunks of a vulnerable server's (or client's) memory across the SSL/TLS connection, which can expose things like user names, passwords, session cookies, credit card data, banking information and even the private key that protects the connection itself. This is not unexpected, since Cisco and Juniper both use OpenSSL in many of their products. However, the laborious process of checking each product is going to take Cisco and Juniper some time to complete. One also has to wonder how far back they will go in their product and operating system versions and what their patch approach will be. This is going to be interesting to watch as it unfolds.
What has also come to light is how long it has been out there. The code that introduced the bug was committed to OpenSSL on New Year's Eve 2011 and shipped in OpenSSL 1.0.1 in March 2012, so the vulnerable code has been in released software for about two years, and anyone who found it before the public disclosure could have been exploiting it quietly. Some are even asking whether the NSA has known about it and used it. But that is a post for another time.
Cisco Heartbleed OpenSSL Vulnerability
Something I found quite interesting is that the Linksys consumer router line, which Cisco sold to Belkin about a year ago, appears not to be affected. Apparently the OpenSSL version used while developing those product lines does not contain the bug, so many home users are no doubt breathing a sigh of relief.
Back to Cisco. Two things happened on April 9th and they are easy to confuse. Cisco published its Heartbleed advisory (linked at the end of this post), and on the same day it published a separate advisory, cisco-sa-20140409-asa, fixing four vulnerabilities in Adaptive Security Appliance (ASA) software. Those four are not Heartbleed: ASA software does not use the vulnerable OpenSSL code and appears in the not-affected list further down. They are worth covering here anyway, because anyone patching the perimeter this week is going to be dealing with both at once. The four ASA flaws are:
- a privilege escalation in the Adaptive Security Device Manager (ASDM), the GUI tool used to manage ASA devices;
- a privilege escalation in the SSL VPN code, which can be chained with the ASDM flaw to gain administrative privileges on the device;
- an authentication bypass in the SSL VPN code, which could let an attacker establish a VPN session and reach the internal network the device is supposed to be protecting;
- a denial of service in the Session Initiation Protocol (SIP) inspection engine, which is enabled by default: crafted SIP packets can crash the ASA, forcing a reboot and leaving it in a DoS condition until the packets stop.
If your main job is protecting the perimeter of your company's infrastructure, you are in for a few long and sleepless nights if you have not had some already this week.
4-13-2014 Update So the next thing you are probably wondering is what you can do to identify attacks against devices for which a patch has not been released yet. Cisco has a couple of tools that let you be more proactive. The first is Cisco's NGIPS (Next Generation Intrusion Prevention System, the Sourcefire platform). Sourcefire has published Snort rules with SIDs 30510 through 30517 for Heartbleed; with those enabled you can detect attempts to exploit this vulnerability and act on them.
Similarly, on Cisco IPS (Intrusion Prevention System) you can use signature IDs 4187/0 and 4187/1, which are specific to this vulnerability, to generate events and event actions for attacks on the OpenSSL flaw. These signatures ship in Signature Update Package S785 for Cisco IPS devices.
Keep in mind that how effective your Cisco IPS is depends largely on how you deploy it. To get real protection in a situation like this, run the IPS inline so that all traffic must pass through it, and set the event action on these signatures to deny (drop) the packet inline rather than only produce an alert. In promiscuous (IDS) mode the sensor sees a copy of the traffic and can only tell you the attack happened; by then the leaked memory contents are already on their way to the attacker.
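To make concrete what those signatures are looking for, here is an added example of the detection logic, written for this post; it is not Cisco's or Sourcefire's signature code and not code from the original article. It parses the TLS record layer, picks out heartbeat records (content type 24) and applies the exact bounds check that vulnerable OpenSSL omitted: the declared payload length plus the mandatory 16 bytes of padding must fit inside the record that actually arrived. The 1024-byte response threshold and the sample traffic are constructed assumptions for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16
TLS_HEARTBEAT = 0x18                # RFC 6520 heartbeat content type
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16                 # RFC 6520: at least 16 bytes of random padding
# Assumption for illustration, not a value taken from any Cisco/Sourcefire rule:
# a heartbeat response larger than this is far beyond any keep-alive need.
SUSPICIOUS_RESPONSE_BYTES = 1024


def parse_tls_records(data: bytes) -> list:
    """Split a raw TLS byte stream into (content_type, version, body) tuples.
    Only the 5-byte record header is interpreted; bodies are kept opaque."""
    records = []
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:          # truncated record: stop rather than guess
            break
        records.append((ctype, version, body))
        off += 5 + length
    return records


def inspect_heartbeat(body: bytes) -> dict:
    """Apply the bounds check that OpenSSL 1.0.1 through 1.0.1f omitted.
    Heartbeat body layout: type(1) | payload_length(2) | payload | padding(>=16)."""
    if len(body) < 3:
        return {"verdict": "malformed", "actual": len(body)}
    hb_type = body[0]
    declared = struct.unpack("!H", body[1:3])[0]
    result = {"type": hb_type, "declared": declared, "actual": len(body)}
    # 1.0.1g added exactly this comparison: the declared payload plus the
    # mandatory padding must fit inside the record that actually arrived.
    if 1 + 2 + declared + HB_MIN_PADDING > len(body):
        result["verdict"] = "heartbleed-probe"
    elif hb_type == HB_RESPONSE and len(body) > SUSPICIOUS_RESPONSE_BYTES:
        result["verdict"] = "oversized-response"   # likely leaked memory
    else:
        result["verdict"] = "ok"
    return result


def detect(stream: bytes) -> list:
    """Return one alert dict per heartbeat record that fails inspection."""
    alerts = []
    for ctype, _version, body in parse_tls_records(stream):
        if ctype != TLS_HEARTBEAT:
            continue
        verdict = inspect_heartbeat(body)
        if verdict["verdict"] != "ok":
            alerts.append(verdict)
    return alerts


def build_record(ctype: int, body: bytes, version: int = 0x0302) -> bytes:
    """Wrap a body in a TLS 1.1 record header (used to build the samples)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def build_heartbeat(hb_type: int, declared_len: int, payload: bytes,
                    padding: int = HB_MIN_PADDING) -> bytes:
    """Build a heartbeat record; declared_len may disagree with the payload on purpose."""
    body = bytes([hb_type]) + struct.pack("!H", declared_len) + payload + b"\x00" * padding
    return build_record(TLS_HEARTBEAT, body)


# Constructed sample traffic, not a real capture.
FAKE_CLIENT_HELLO = build_record(TLS_HANDSHAKE, b"\x01\x00\x00\x04\x03\x02\x00\x00")
BENIGN_STREAM = FAKE_CLIENT_HELLO + build_heartbeat(HB_REQUEST, 3, b"abc")
# The classic probe: claims a 16 KiB payload but supplies nothing at all.
PROBE_STREAM = FAKE_CLIENT_HELLO + build_heartbeat(HB_REQUEST, 0x4000, b"", padding=0)

if __name__ == "__main__":
    print("benign:", detect(BENIGN_STREAM))
    print("probe:", detect(PROBE_STREAM))
```

Two caveats apply to this check and to the IPS signatures alike. The length comparison only works on heartbeats sent in the clear, before the handshake completes, which is how the public probes operate; once the session is encrypted the record header still exposes content type 24 and the record length, so only the response-size heuristic survives. And a sensor that merely observes the probe cannot stop the response, which is why the inline deployment described above matters.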
So you are probably wondering which Cisco and Juniper products are affected. As of April 12th, here is the list of Cisco products that have been identified as affected but do not yet have a fix (the Juniper list is in the Juniper knowledge base article linked at the end of this post).
- Cisco AnyConnect Secure Mobility Client for iOS
- Cisco Desktop Collaboration Experience DX650
- Cisco Unified 7800 series IP Phones
- Cisco Unified 8961 IP Phone
- Cisco Unified 9951 IP Phone
- Cisco Unified 9971 IP Phone
- Cisco IOS XE
- Cisco Unified Communications Manager (UCM) 10.0
- Cisco Universal Small Cell 5000 Series running V3.4.2.x software
- Cisco Universal Small Cell 7000 Series running V3.4.2.x software
- Small Cell factory recovery root filesystem V2.99.4 or later
- Cisco MS200X Ethernet Access Switch
- Cisco Mobility Service Engine (MSE)
- Cisco TelePresence Video Communication Server (VCS)
- Cisco TelePresence Conductor
- Cisco TelePresence Supervisor MSE 8050
- Cisco TelePresence Server 8710, 7010
- Cisco TelePresence Server on Multiparty Media 310, 320
- Cisco TelePresence Server on Virtual Machine
- Cisco TelePresence ISDN Gateway 8321 and 3201 Series
- Cisco TelePresence Serial Gateway Series
- Cisco TelePresence IP Gateway Series
- Cisco WebEx Meetings Server versions 2.x
- Cisco Security Manager
None of Cisco's hosted services are currently known to be affected. The following hosted services were previously identified as affected but have since been patched and no longer carry the OpenSSL flaw.
- Cisco Registered Envelope Service (CRES)
- Cisco Webex Messenger Service
- Cisco UCS Invicta Series Autosupport Portal
Now for the products that have been confirmed as not affected by the OpenSSL vulnerability.
- Cisco IOS
- Cisco MDS Switches
- Cisco Nexus 3000 Series Switches
- Cisco Nexus 7000 Series Switches
- Cisco Adaptive Security Appliance (ASA) Software
- Cisco ACE Application Control Engine Module
- Cisco ACE Application Control Engine Appliance
- Cisco AnyConnect Secure Mobility Client for desktop platforms
- Cisco AnyConnect Secure Mobility Client for Android
- Cisco CSS 11500 Series Content Services Switches
- Cisco Unified 7900 series IP Phones
- Cisco Unified 6900 series IP Phones
- Cisco Unified 3900 series IP Phones
- Cisco Unified 8941 IP Phone
- Cisco Unified 8945 IP Phone
- Cisco Unified IP Conference Phone 8831
- Cisco Unified Communications Manager (UCM) 9.1(2) and earlier
- Cisco Unified Communications Domain Manager
- Cisco Unified Business Attendant Console
- Cisco Unified Department Attendant Console
- Cisco Unified Enterprise Attendant Console
- Cisco Identity Service Engine (ISE)
- Cisco Secure Access Control Server (ACS)
- Cisco Wireless Lan Controller (WLC)
- Cisco Wireless Control System (WCS)
- Cisco Web Security Appliance (WSA)
- Cisco Content Security Management Appliance (SMA)
- Cisco Email Security Appliance (ESA)
- Cisco IronPort Encryption Appliance (IEA)
- Cisco UCS Central
- Cisco UCS Fabric Interconnects
- Cisco UCS B-Series (Blade) Servers
- Cisco UCS C-Series (Stand alone Rack) Servers
- Cisco RV315W Wireless-N VPN Router
- Cisco RV215W Wireless-N VPN Router
- Cisco RV220W Wireless-N VPN Router
- Cisco RV180W Wireless-N VPN Router
- Cisco RV120W Wireless-N VPN Router
- Cisco RV110W Wireless-N VPN Router
- Cisco CVR100W Wireless-N VPN Router
- Cisco RV325 VPN Router
- Cisco RV320 VPN Router
- Cisco RV180 VPN Router
- Cisco RV082 VPN Router
- Cisco RV042 VPN Router
- Cisco RV016 VPN Router
- Cisco 200 Series Smart Switches
- Cisco 300 Series Managed Switches
- Cisco 500 Series Stackable Managed Switches
- Cisco ESW2 Series Advanced Switches
- Cisco WAP121 Wireless-N Access Point
- Cisco WAP321 Wireless Access Point
- Cisco WAP551/561 Wireless-N Access Point
- Cisco WAP4410N Wireless-N Access Point
- Cisco Meraki Cloud Managed Indoor Access Points
- Cisco Meraki Cloud-Managed Outdoor Access Points
- Cisco Meraki MX Security Appliances
- Cisco Meraki MS Access Switches
- Cisco WebEx Meetings Server versions 1.x
- Cisco Application and Content Networking System (ACNS) Software
- Cisco Wide Area Application Services (WAAS) Software
- Cisco ACE Global Site Selector Appliances (GSS)
- Cisco Prime Network Analysis Module (NAM)
- Cisco Prime Infrastructure
- Cisco Content Switching Module with SSL (CSM-S)
- Cisco SSL Services Module (SSLM)
- Cisco Intelligent Automation for Cloud
Hopefully this article helps you identify where you may see issues in your environment, or puts your mind at ease. For the latest information from Cisco and Juniper on their products and these vulnerabilities, see these links.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
http://kb.juniper.net/InfoCenter/index?page=content&id=KB29004&actp=RSS