Cisco TelePresence products vulnerable to CVE-2014-0160 - aka Heartbleed

michalsabat
Level 1

https://tools.cisco.com/bugsearch/bug/CSCuo26378

 

So when I have an EX90 with version TC6.3.0.3d8e7d1, is everything OK or should I upgrade it to TC6.3.1?

Accepted Solution

Wayne DeNardi
VIP Alumni
TC6.3.0 is vulnerable. You'll need to upgrade to TC6.3.1 or TC7.1.1.
Wayne
--
Please remember to mark helpful responses and to set your question as answered if appropriate.


11 Replies

You could check the EX series in this link:

https://tools.cisco.com/bugsearch/bug/CSCuo26378

Also see the official information:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed 

· Cisco AnyConnect Secure Mobility Client for iOS [CSCuo17488] [*]
· Cisco ASA CX Context-Aware Security [CSCuo24523]
· Cisco Desktop Collaboration Experience DX650 [CSCuo16892]
· Cisco Edge 340 Digital Media Player
· Cisco IOS XE [CSCuo19730]
· Cisco Mobility Service Engine (MSE) [CSCuo20622]
· Cisco MS200X Ethernet Access Switch [CSCuo18736]
· Cisco Nexus 1000V InterCloud [CSCuo18287]
· Cisco Security Manager [CSCuo19265]
· Cisco TelePresence 1310 [CSCuo20210]
· Cisco TelePresence Conductor [CSCuo20306]
· Cisco TelePresence EX Series [CSCuo26378]
· Cisco Telepresence Integrator C Series [CSCuo26378]
· Cisco TelePresence IP Gateway Series [CSCuo21597]
· Cisco TelePresence ISDN GW 3241 [CSCuo21486]
· Cisco TelePresence ISDN GW MSE 8321 [CSCuo21486]
· Cisco TelePresence ISDN Link [CSCuo26686]
· Cisco TelePresence MX Series [CSCuo26378]
· Cisco TelePresence Profile Series [CSCuo26378]
· Cisco TelePresence Serial Gateway Series [CSCuo21535]
· Cisco TelePresence Server 8710, 7010 [CSCuo21468]
· Cisco TelePresence Server on Multiparty Media 310, 320 [CSCuo21468]
· Cisco TelePresence Server on Virtual Machine [CSCuo21468]
· Cisco TelePresence System 1000 [CSCuo20210]
· Cisco TelePresence System 1100 [CSCuo20210]
· Cisco TelePresence System 1300 [CSCuo20210]
· Cisco TelePresence System 3000 Series [CSCuo20210]
· Cisco TelePresence System 500-32 [CSCuo20210]
· Cisco TelePresence System 500-37 [CSCuo20210]
· Cisco TelePresence Supervisor MSE 8050 [CSCuo21584]
· Cisco TelePresence SX Series [CSCuo26378]
· Cisco TelePresence TX 9000 Series [CSCuo20210] Version 6.1.2.0 and prior
· Cisco TelePresence Video Communication Server (VCS) [CSCuo16472] [*]
· Cisco Unified 7800 series IP Phones [CSCuo16987]
· Cisco Unified 8961 IP Phone [CSCuo16938]
· Cisco Unified 9951 IP Phone [CSCuo16938]
· Cisco Unified 9971 IP Phone [CSCuo16938]
· Cisco Unified Communications Manager (UCM) 10.0 [CSCuo17440]
· Cisco Unified Presence Server (CUPS) [CSCuo21298], [CSCuo21289]
· Cisco Universal Small Cell 5000 Series running V3.4.2.x software [CSCuo22301]
· Cisco Universal Small Cell 7000 Series running V3.4.2.x software [CSCuo22301]
· Cisco WebEx Meetings Server versions 2.x [CSCuo17528] [*]
· FireAMP Private Cloud virtual appliance [*]
· Small Cell factory recovery root filesystem V2.99.4 or later [CSCuo22358]

The affected version for Cisco Telepresence Integrator C Series [CSCuo26378] is 5.0.0 and the fixes are in versions 5.1.11, 6.3.1 and 7.1.1, but our TelePresence C40s' versions are TC6.0.1.65adebe and TC6.2.0.20b1616. Does that mean we're not affected?

 

    The TC5.0.0 in the link is a bit misleading/confusing. It's all versions since TC5.0.0.

    So, as yours are TC6.0.1 and TC6.2.0 they are both vulnerable. Please update to at least version TC6.3.1, or to TC7.1.1.

    Wayne

    oliverpowell
    Level 1

    So if fixed release for version 5 is 5.1.11, but Cisco are not releasing this, why do they bother suggesting to upgrade to this version if it will not be available?

    If we have endpoints on 5.X which do not have a current support contract and access to a new release key, we cannot upgrade to a non-vulnerable version.

    Cisco have never suggested upgrading to TC5.1.11 - it's just mentioned in one page as a "Known fixed release".  All discussions and other release information say to go to TC6.3.1, or preferably to the latest TC7.1.1.

    In the case of this vulnerability, if you contact the TAC and request an upgrade key to address this particular security vulnerability, they should happily provide you with one, even though you are not covered by an active service contract.

    See the "Customers Without Service Contracts" section under "Obtaining Fixed Software" in the Advisory.

    Wayne

    What about CTS 500-32 and CTS 500-37? I have version 1.8.2 and 1.9.3.

    Are they vulnerable?

    Yes.  See [CSCuo20210] in Carroyoc's earlier post in this thread.

    Wayne

    d_ornelas
    Level 1

    We have several EX90s and Profile 52 series, all running version TC5.1.5.297625. According to the bug, this version is vulnerable. Where do we get version 5.1.11? I don't see it in the download section. Or do we upgrade to 7.1.1?

    http://software.cisco.com/download/release.html?mdfid=283645001&flowid=21867&softwareid=280886992&release=7.1.1&relind=AVAILABLE&rellifecycle=&reltype=latest

    TC5.1.11 is listed as a fixed version, but it was never released - the released versions are TC6.3.1 and TC7.1.1.  You'll need to upgrade to one of those.

    Wayne
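The version rule given in the replies above, applied to an endpoint inventory (an added example, not part of the original thread and not Cisco tooling). It assumes the rule exactly as stated in the thread (everything since TC5.0.0 is affected, fixes in TC6.3.1 and TC7.1.1, TC5.1.11 listed but never released); the host names, the status labels and the treatment of trains after TC7 are assumptions made for illustration.

```python
import re

# Rule as stated in this thread's replies (not an official Cisco matrix):
# every TC release since TC5.0.0 is affected until the train's fixed release.
FIRST_AFFECTED = (5, 0, 0)
# TC5.1.11 is listed as fixed but was never released, so no fielded 5.x passes.
FIXED_IN_TRAIN = {5: (5, 1, 11), 6: (6, 3, 1), 7: (7, 1, 1)}

# "TC6.3.0.3d8e7d1" -> 6.3.0; the trailing build identifier is ignored.
# The TC prefix is mandatory so CTS versions such as "1.8.2" are rejected
# instead of being scored against the wrong product's rule.
_TC_VERSION = re.compile(r"^TC(\d+)\.(\d+)\.(\d+)(?:\.[0-9A-Za-z]+)?$")

def parse_tc_version(text):
    """Return (major, minor, patch) for a TC software version string."""
    match = _TC_VERSION.match(text.strip())
    if match is None:
        raise ValueError(f"not a TC software version: {text!r}")
    return tuple(int(part) for part in match.groups())

def heartbleed_status(text):
    """Classify one version as 'vulnerable', 'fixed' or 'not-listed'."""
    version = parse_tc_version(text)
    if version < FIRST_AFFECTED:
        return "not-listed"  # older than the first release the thread names
    fixed = FIXED_IN_TRAIN.get(version[0])
    if fixed is None:
        return "fixed"  # assumption: trains after TC7 ship with the fix
    return "fixed" if version >= fixed else "vulnerable"

def triage(inventory):
    """Map endpoint name -> status for a {name: version} inventory."""
    return {name: heartbleed_status(ver) for name, ver in inventory.items()}

# Constructed inventory: host names are invented, versions are those quoted
# in the thread plus the two released fixed versions.
SAMPLE_INVENTORY = {
    "ex90-a": "TC6.3.0.3d8e7d1",
    "c40-a": "TC6.0.1.65adebe",
    "c40-b": "TC6.2.0.20b1616",
    "profile52-a": "TC5.1.5.297625",
    "mx-a": "TC6.3.1",
    "sx-a": "TC7.1.1",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:18} {status}")
```

Any 5.x endpoint reported as vulnerable has no in-train fix available, so its upgrade target is TC6.3.1 or TC7.1.1, as the replies state.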
