Critical OpenSSL bug in VCS (and others) CVE-2014-0160

Martin Koch
VIP Alumni

Hello, there is a critical bug in OpenSSL:

https://www.openssl.org/news/secadv_20140407.txt

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

which also affects Cisco products, including at least the VCS:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

I further used a test tool and also got positive hits of that error on the Conductor as well as on the web interface of TC7.1 (though a second test tool was not sure about the TC).

What I recommend:

* inform your local IT / security team

* check which components in your network use affected versions of OpenSSL; there are also tools you can use to connect to your devices to see if they are affected. *1)

* regenerate the key and the cert so that previously sniffed communication cannot be decoded (unless the attacker already has the old key anyhow)

* upgrade the affected components as fast as possible. You might need to contact your vendor to get an upgrade for your product

* regenerate keys and reissue certificates

* revoke old certificates

* change passwords

I also noticed that there are many VCSs out there which use the standard TANDBERG certificate. That's bad anyhow.

Please generate your own certs and, best of all, get them signed by a proper CA.

This document will help you with that:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/X8-1/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf

*1)

Perl: https://github.com/noxxi/p5-scripts/blob/master/check-ssl-heartbleed.pl

Metasploit: https://github.com/rapid7/metasploit-framework/pull/3206

NMAP: http://nmap.org/nsedoc/scripts/ssl-heartbleed.html

OpenVaS: https://gist.github.com/RealRancor/10140249

Nessus: http://www.tenable.com/plugins/index.php?view=single&id=73412

xkcd: http://xkcd.com/1353/

As this is a critical security issue, just a short disclaimer: this is an unofficial warning; please contact your local IT / security advisors. The information here is collected from Internet postings and is best effort. All information, links and procedures are used at your own risk. ;-)

The official Cisco site for this is the PSIRT (Product Security Incident Response Team) http://www.cisco.com/go/psirt

Please remember to rate helpful responses and identify
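The "check which components in your network use affected versions of OpenSSL" step in the list above can be scripted as a first screening pass over an inventory. The following is an added example, not code from the original post, from Cisco, or from any of the tools listed under *1): it parses `openssl version` banners, classifies them against the affected range stated in the OpenSSL advisory linked above (1.0.1 through 1.0.1f, and the 1.0.2-beta1 pre-release), and runs over a constructed inventory with hypothetical hostnames and banners.

```python
import re

# Affected builds per the OpenSSL advisory linked in the post above:
# 1.0.1 through 1.0.1f (fixed in 1.0.1g) and the 1.0.2-beta1 pre-release.
# 0.9.8 and 1.0.0 never had the TLS heartbeat code and are not affected.
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+))?", re.IGNORECASE
)


def parse_openssl_version(banner):
    """Parse an `openssl version` banner such as 'OpenSSL 1.0.1e 11 Feb 2013'.

    Returns (major, minor, fix, patch_letter, prerelease) or None when the
    banner does not contain a recognisable OpenSSL version string.
    """
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter.lower(), (pre or "").lower()


def is_heartbleed_version(banner):
    """Screen a version banner against the Heartbleed-affected range.

    True  -> version string falls in the affected range
    False -> version string is outside it
    None  -> no OpenSSL version could be parsed

    Caveat: distributions and appliance vendors often backport the fix
    without changing the version letter (a patched 1.0.1e still reports
    1.0.1e), so True means "confirm with the vendor advisory", not
    "confirmed vulnerable".
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, fix, letter, pre = parsed
    if (major, minor, fix) == (1, 0, 1):
        # plain 1.0.1 and letters a..f are affected; g is the first fixed letter
        return letter == "" or letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        return pre == "beta1"
    return False


# Constructed sample inventory (hypothetical hostnames and banners): one line
# per device, "<host>,<banner as reported by the device or a banner grab>".
SAMPLE_INVENTORY = """\
vcs-01,OpenSSL 1.0.1e 11 Feb 2013
conductor-01,OpenSSL 1.0.1f 6 Jan 2014
tms-01,OpenSSL 1.0.1g 7 Apr 2014
legacy-gw,OpenSSL 0.9.8y 5 Feb 2013
unknown-box,no banner captured
"""

_STATUS = {True: "affected", False: "not-affected", None: "unknown"}


def classify_inventory(inventory_text):
    """Map each host in the inventory to 'affected', 'not-affected' or 'unknown'."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, banner = line.partition(",")
        results[host.strip()] = _STATUS[is_heartbleed_version(banner)]
    return results


if __name__ == "__main__":
    for host, status in sorted(classify_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {status}")
```

A version-string match is only a screening result: many vendors backport the fix without bumping the version letter, so anything flagged as affected still has to be confirmed against the vendor advisory (for Cisco products, the PSIRT advisory linked above), and hosts that come back as unknown need a proper inventory entry before they can be cleared.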

58 Replies

Yes, it is; again, the release notes do not list Heartbleed under resolved caveats, but it's under document history and third-party software (search for 0160).

But what's not listed at all is whether these security-related bugs are addressed or not:

Cisco TelePresence Video Communication Server SIP Denial of Service Vulnerability

CSCue97632 / http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140122-vcs

Cisco TelePresence Video Communication Server Vulnerability in Policy Services

CSCub67989 / http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-5444

"But what's not listed at all is whether these security-related bugs are addressed or not:"

They are not; the solution for both of those was to upgrade your VCS to X8.0. They apparently didn't make the cut from PSIRT to force a new release on the old software train, whereas for Heartbleed, due to the type of risks, they did go back and make just those changes.

Not everything is backported - always a balancing act.

"Not everything" is fine; security bugs should be, though, and the release notes should be proper, ...

I agree, but I can cope with X7.2.3 to fix Heartbleed; then they can give me an X7.2.4 with the others and I'll be happy.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

So you really believe that there will be a 7.2.4?

I won't hold my breath waiting for it.

In the meantime, I'll continue the messy planning for the X8 upgrades...

Wayne

Hey Wayne, Martin (and all)

I received an advisory this morning that said that 7.2.3 did in fact resolve the OpenSSL issue:

For Bug CSCuo16472
Workaround:
Not currently available.

Customers running version X8.1 are recommended to upgrade to version X8.1.1 or later.

Customers running versions X7.2, X7.2.1, X7.2.2 or X7.2.3 RC2 are recommended to upgrade to version X7.2.3 or later

Version X8.1.1 and X7.2.3 (and subsequent releases on those releases) include the fix for this vulnerability.

So, maybe, just maybe...

Cheers

Chris

"I received an advisory this morning that said that 7.2.3 did in fact resolve the OpenSSL issue:"

Chris, Martin's issue was not whether Heartbleed was fixed in 7.2.3 (this was known), but rather that OTHER previously fixed security issues (included in X8) were not backported to 7.2.3 as part of the 7.2.3 release.

Oops, sorry, misread the post, again! Dyslexia is a pain.

Hi Chris!

The general statement should be: upgrade to X8.1.1, whatever version you are running on.

That said, there are still some deployment and migration scenarios which simply do not work with X8 (like LDAP auth and provisioning, TMSPE in general, OCS relay, traversal zone interop, ...).

That's why I said that, with so many changes and lack of interop, there must be a backport.

I can understand that new features or enhancements cannot be part of it.

Security issues should be something that needs to get fixed in such an interop scenario.

Sure, Heartbleed is fixed, but other bugs were not, which is not great.

So X7.2.3 for the ones which really, really have no other chance (and where Cisco still needs to show them a way on how to migrate and, until then, fix other bugs as well).

And X8.1.1 for all others (whatever version they run on: X1, 2, 3, 4, 5, 6, 7)!

And just as a side joke regarding features and changes: check on YouTube for "south park and it's gone". That story is about money and banks, but project that onto IT companies and beloved features and functionality.

Edit: Duplicate post

Wayne

7.2.3 has been released to fix the Heartbleed issue.

Cheers.

Daniel Girard
Level 1

Hi,

I have a question about the upgrade from X7 to X8.1.1. How or where do I get the Release Key for the X8.1.1 version?

Thanks!

If you have a valid service contract you should be able to get it via:

http://www.cisco.com/web/go/license

https://tools.cisco.com/SWIFT/LicensingUI/upgradeLicense?SubGroup=TBSWRELKEYCNTRCT1

or your Cisco Partner.

If your service contract is expired, please contact Cisco TAC and refer to:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed