New VCS code is online (X8.1 - Page 3

Martin Koch · ‎04-09-2014

Hello there is a critical bug in openssl:

https://www.openssl.org/news/secadv_20140407.txt

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

which also affects Cisco products, incl at least the VCS:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

I further used a test tool and also got positive hits of that error on the conductor as well as on the web interface of TC7.1

(though a second test tool was not sure about the TC).

What I recommend:

* inform your local IT / security team

* check which components in your network use affected versions of openssl, there are also tools which you can use to connect to your

devices to see if they are affected. *1)

* regenerate the key and the cert so possibly old sniffed communication could not be decoded (if the attacker does not have the old key now anyhow)

* upgrade the affected components as fast as possible. You might need to contact your vendor to get an upgrade for your product

* regenerate keys and reissue certificates

* revoke old certificates

* change passwords

I also noticed that there are many VCS out which use the standard TANDBERG certificate. Thats bad anyhow.

Please generate your own certs and best, get them signed by a proper CA.

This document will help you about that:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/X8-1/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf

*1)

Perl: https://github.com/noxxi/p5-scripts/blob/master/check-ssl-heartbleed.pl

Metasploit: https://github.com/rapid7/metasploit-framework/pull/3206

NMAP: http://nmap.org/nsedoc/scripts/ssl-heartbleed.html

OpenVaS: https://gist.github.com/RealRancor/10140249

Nessus: http://www.tenable.com/plugins/index.php?view=single&id=73412

xkcd: http://xkcd.com/1353/

As this is a critical security issue, just a short disclaimer, this is an unofficial warning, please contact

your local IT / security advisors. The information here is collected from Internet postings and is best effort.

All information, links and procedures are handled on your own risk. ;-)

The official Cisco site for this is the PSIRT (Product Security Incident Response Team) http://www.cisco.com/go/psirt

Please remember to rate helpful responses and identify

Steve Kapinos · ‎04-10-2014

New VCS code is online (X8.1.1) - includes the fix for this for the VCS products.

Martin Koch · ‎04-10-2014

We still demand that there will be a fix of outstanding security issues in the X7 tree and backwards capability / option for the X8 traversal zone!

Please remember to rate helpful responses and identify

Tom Leinos · ‎04-10-2014

I concur.

Wayne DeNardi · ‎04-10-2014

I'll click the "me too" button on this!

We need X8.x to be able to talk with X7.x as not everything can be upgraded to X8.x all at once - so the backwards compatibility needs to be there.

And in the mean while, for all those sites we can't go to X8.x yet, there needs to be a fix for the X7.x train.

The requirement for it to be fixed in X7.x is also highlighted in the "Open Issues" section of the release notes, where one of the workarounds to issue CSCum90139 is to keep using X7.2.2.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Wayne

Please remember to mark helpful responses and to set your question as answered if appropriate.

Martin Koch · ‎04-10-2014

+5

Please remember to rate helpful responses and identify

Martin Koch · ‎04-10-2014

The VCS X8.1.1 can be found here:

http://software.cisco.com/download/release.html?mdfid=283733603&flowid=47102&softwareid=280886992&release=X8.1.1&relind=AVAILABLE&rellifecycle=&reltype=latest

These are the release notes:

http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/release_note/Cisco-VCS-Release-Note-X8-1-1.pdf

Btw, the release notes seem to be written with the hot needle, as the heatbleed bug is not

mentioned in the x8.1.1 changes section, but you will find the sections if you search for: 0160

Btw, the next not nice, bug, did not see a note that this is fixed in X8.1.1:

"VCS packet capture shows CUPS Usernames/Passwords in Plain Text"

https://tools.cisco.com/bugsearch/bug/CSCuo01271

Please remember to rate helpful responses and identify

Wayne DeNardi · ‎04-10-2014

And the next thing I don't think I like about X8.1.1 (apart from still not having backwards compatibility on traversal zones to X7.x) is, in the "Changes in X8.1.1" section - under Diagnostic logging - The tcpdump facility has been removed from the Diagnostic logging tool.

Wayne

Please remember to mark helpful responses and to set your question as answered if appropriate.

Martin Koch · ‎04-10-2014

No, tcpdump itself is still on the box, whats gone (think that was only in X8.1, if you went to

https://vcs-ip/loggingsnapshot

you had the option to download a tcpdump from the webinterface, guess such a gui feature generated to much trouble, I never tried it.

You can still find tcpdump on the root shell. (so not as bad as removing the root account on TC7.1, ... ;-)

Please remember to rate helpful responses and identify

Wayne DeNardi · ‎04-13-2014

The https://vcs-ip/loggingsnapshot was in X7.x as well as X8.1.

Given they're removing the linux command line access in other products and forcing you to the web interface (ie TC7.1 as mentioned) - to do the opposite with the VCS seems a little odd.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Wayne

Please remember to mark helpful responses and to set your question as answered if appropriate.

Patrick Sparkman · ‎04-29-2014

Looks like the reason they removed the packet capture feature from the VCS UI was due to a security issue, CSCuo01271.

Symptoms:
A vulnerability in the packet capture feature of the Cisco Telepresence VCS Expressway could allow an authenticated, local attacker to gain access to sensitive information.

Martin Koch · ‎04-11-2014

There is now a bug ID for the VCS: CSCuo16472

https://tools.cisco.com/bugsearch/bug/CSCuo16472

Please remember to rate helpful responses and identify

Martin Koch · ‎04-10-2014

Btw, at least VCS X7.1 (and possibly older) does not seem to be affected by the bug as it uses OpenSSL 1.0.0d

(only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected).

Just scanned one in my lab and it did not show up. Anyhow there are other bugs and

security issues, so thats not really an option neither, but it might be good to know.

Please remember to rate helpful responses and identify

Chris Swinney · ‎04-14-2014

Ignore my original comment I misread the bug report.

However, I now also see that the MXPs have been added to the "under investigation" list.

Cheers,

Chris

Steve Kapinos · ‎04-14-2014

versions 7.1 and PRIOR are not vunerable according to the defect writeup.

Remember, it's a relatively recent version of OpenSSL where the new functionality that was added that was vulnerable. All products using OpenSSL prior to v1.0.1 are not impacted.

Pinkesh Patel · ‎04-15-2014

Version X7.2.3 has just been released:

http://software.cisco.com/download/release.html?mdfid=283733603&softwareid=280886992&release=X7.2.3&relind=AVAILABLE&rellifecycle=&reltype=latest

Critical OpenSSL bug in VCS (and others) CVE-2014-0160