
Critical OpenSSL bug in VCS (and others) CVE-2014-0160

Martin Koch
VIP Alumni

Hello, there is a critical bug in OpenSSL:

https://www.openssl.org/news/secadv_20140407.txt

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

 

 

which also affects Cisco products, incl at least the VCS:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

 

I further used a test tool and also got positive hits of that error on the conductor as well as on the web interface of TC7.1 (though a second test tool was not sure about the TC).

 

 

What I recommend:

 

* inform your local IT / security team

* check which components in your network use affected versions of openssl, there are also tools which you can use to connect to your devices to see if they are affected. *1)

* regenerate the key and the cert so possibly old sniffed communication could not be decoded (if the attacker does not have the old key now anyhow)

* upgrade the affected components as fast as possible. You might need to contact your vendor to get an upgrade for your product

* regenerate keys and reissue certificates

* revoke old certificates

* change passwords

 

 

I also noticed that there are many VCS out which use the standard TANDBERG certificate. That's bad anyhow.

Please generate your own certs and best, get them signed by a proper CA.

This document will help you with that:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/X8-1/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf

 

 

*1)

Perl: https://github.com/noxxi/p5-scripts/blob/master/check-ssl-heartbleed.pl

Metasploit: https://github.com/rapid7/metasploit-framework/pull/3206

NMAP: http://nmap.org/nsedoc/scripts/ssl-heartbleed.html

OpenVaS: https://gist.github.com/RealRancor/10140249

Nessus: http://www.tenable.com/plugins/index.php?view=single&id=73412

xkcd: http://xkcd.com/1353/

 

 

As this is a critical security issue, just a short disclaimer: this is an unofficial warning, please contact your local IT / security advisors. The information here is collected from Internet postings and is best effort.

All information, links and procedures are handled at your own risk. ;-)

The official Cisco site for this is the PSIRT (Product Security Incident Response Team) http://www.cisco.com/go/psirt

Please remember to rate helpful responses and identify
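An added illustration of the "check which components use affected versions of openssl" step in the post above (not part of the original post and not Cisco or OpenSSL tooling). It classifies collected version banners against the ranges in the linked OpenSSL advisory; the function names, host names and banners are constructed for the example.

```python
import re

# Upstream status per the OpenSSL advisory of 7 Apr 2014 (CVE-2014-0160):
# 1.0.1 through 1.0.1f and 1.0.2-beta/-beta1 are affected; 1.0.1g and
# 1.0.2-beta2 carry the fix; the 1.0.0 and 0.9.8 branches are not affected.
BANNER = re.compile(
    r"openssl[ /]v?(\d+\.\d+\.\d+)([a-z]?)(?:-(beta\d*))?(\S*)", re.I)

def classify(banner):
    """Return the heartbleed status implied by one version banner."""
    m = BANNER.search(banner)
    if not m:
        return "unknown"
    base, letter, beta, suffix = m.group(1), m.group(2).lower(), m.group(3), m.group(4)
    if base == "1.0.1":
        if letter >= "g":
            return "fixed"
        # A packaging suffix (distro or vendor build) may hide a backported
        # fix or a build without heartbeats, so the string is not conclusive.
        return "verify-with-vendor" if suffix else "vulnerable"
    if base == "1.0.2":
        return "vulnerable" if (beta or "").lower() in ("beta", "beta1") else "fixed"
    return "not-affected"

def triage(inventory):
    """Map host -> status and list hosts whose keys, certs and passwords need review."""
    status = {host: classify(banner) for host, banner in inventory.items()}
    review = sorted(h for h, s in status.items()
                    if s in ("vulnerable", "verify-with-vendor"))
    return status, review

# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "host-a": "OpenSSL 1.0.1e 11 Feb 2013",
    "host-b": "OpenSSL 1.0.1g 7 Apr 2014",
    "host-c": "openssl 1.0.1e-2+deb7u5",
    "host-d": "mod_ssl/2.2.22 OpenSSL/0.9.8y",
    "host-e": "OpenSSL 1.0.2-beta1",
    "host-f": "Apache/2.2.22 (Unix)",
}

if __name__ == "__main__":
    status, review = triage(SAMPLE_INVENTORY)
    for host in sorted(status):
        print(host, status[host])
    print("review keys/certs/passwords on:", ", ".join(review))
```

A version string is only a first pass: hosts reported as "verify-with-vendor" or "unknown" still need the vendor advisory or one of the test tools listed under *1).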

58 Replies

Thanks Steve !!

thanks, just need to understand a bit more about worst case here please.

obviously will depend to a large degree on how deployed but in general terms how concerned should I be that an attacker could 

- gain control of a vcs expressway in dmz and alter CPL script for ISDN GW toll call access

- gain access to info on vcs control inside network via traversal zone (on same lan port via separate fw ports) where all endpoint/ infra registrations, addressing and AD sync occurs

x7.2 on both. 8.1.1 may not be possible for a while

Many thanks

Martin Koch
VIP Alumni

The Cisco advisory got updated (please check that list and the PSIRT site for the latest info):

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

 

What is listed as vulnerable:

  • Cisco AnyConnect Secure Mobility Client for iOS
  • Cisco Desktop Collaboration Experience DX650
  • Cisco Unified 7800 series IP Phones
  • Cisco Unified 8961 IP Phone
  • Cisco Unified 9951 IP Phone
  • Cisco Unified 9971 IP Phone
  • Cisco TelePresence Video Communication Server (VCS)
  • Cisco IOS XE
  • Cisco UCS B-Series (Blade) Servers
  • Cisco UCS C-Series (Stand alone Rack) Servers
  • Cisco Unified Communication Manager (UCM) 10.0

 

TelePresence devices listed "under investigation"

  • Cisco TelePresence MX Series
  • Cisco TelePresence Profile Series
  • Cisco TelePresence System 1100
  • Cisco TelePresence Recording Server

 

 

What I noticed, what's not listed (they showed positive results using the perl test tool, I reported that to Cisco):

* TelePresence Conductor

* ISDN GW

* TelePresence Server (8710)

 

Inconclusive results (two test tools reported differently) I got on an endpoint running TC7.1

 


Cisco - What's the status of the additional TelePresence products Martin has mentioned above? Our university IT has detected the same thing at least on C-Series codecs. I'd assume the Conductor is exactly in the same situation as the VCS since they run the same OS etc. 

I encourage you to contact Cisco PSIRT and push them hard on the topic for your answers.

 

You have to understand there are policies that we employees must follow when it comes to disclosures, etc.  Cisco PSIRT is your avenue.. and if they can't answer... you're the customer push them harder :)

Hi Patrick

 

I had contacted PSIRT and they will put them under "investigation" as well.

 

I asked for:

  • Cisco TelePresence ISDN GW 3241
  • TelePresence Server
  • EX / C / SX / MXG2 endpoints, in short all that runs TC
  • Tandberg E20 (there is no SW end date mentioned in the EOL, so not sure)
  • Tandberg MXP (does not seem to be affected if I see it right)
  • other telepresence products

 


Just checked the advisory again, all TelePresence servers are affected, Supervisor MSE 8050, Conductor and other TelePresence devices have been added to the affected list.  Waiting on new software now, and for Cisco to finish the rest of the other TelePresence products that are pending testing.

Thanks Martin and Patrick for this. Interested to know whether the MXP are affected as I would have thought they still used OpenSSL (but maybe not)?

I was away last week but am just about to contact our partner to ensure we have the correct info.

Cheers

 

Chris

The advisory is now saying that the MXPs are not affected (they're based on an eCos Operating System rather than a Linux one).

I've also sent a request for clarification on both TMS and the TelePresence Content Server.  Both these (TMS and TCS) run on Windows, which isn't vulnerable, but requesting confirmation on the apps themselves as they're not mentioned in the Security Advisory as either affected or not.  I'm expecting that they're not affected, but for consistency and completeness, would like them to be mentioned as so in the advisory.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Wayne

Please remember to mark helpful responses and to set your question as answered if appropriate.

Endpoints running TC software have been confirmed vulnerable as we expected.

This is fixed in TC 7.1.1 version. This is also mentioned in release notes.

 

Regards,

 

Amit

Hi Amit,

 

How come the Bug ID page says "Known Affected Releases" are 5.0.0 only?

https://tools.cisco.com/bugsearch/bug/CSCuo26378

 

Regards

Pinkesh

 

Hi Pinkesh,

 

Not sure about it, but from TC 5 version, Cisco OpenSSL version was from 1.0.1, which also falls under vulnerable OpenSSL version.

Hello Amit -

Any idea when TC7.1.1 will be released to address this issue?

As well as Conductor, and other TelePresence products confirmed vulnerable?

"Any idea when TC7.1.1 will be released to address this issue?"

It's already on the web (posted today).

They released fixed versions for TC7.1.1 and TC6.3.1