04-09-2014 08:13 AM - edited 02-21-2020 07:35 PM
Does anyone have additional information on this vulnerability? This security post: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed tells us that "Cisco AnyConnect Secure Mobility Client for iOS" is an affected product, but doesn't tell us what versions are at risk.
04-11-2014 10:12 AM
This build with this fix has been posted to the iTunes store.
AnyConnect for Apple iOS 3.0.09353 is now available for download from the Apple App Store
Resolves CSCuo17488 – AnyConnect for iOS is vulnerable to CVE-2014-0160 – Heartbleed
Download: https://itunes.apple.com/us/app/cisco-anyconnect/id392790924
Release notes: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3-0-iOS.html
** Please note the two upgrade instructions pasted below which are applicable to all upgrades of AnyConnect software on Apple iOS
Disconnect AnyConnect connection before upgrading
Please make sure your AnyConnect VPN is disconnected when you upgrade. Otherwise, you may fail to connect after the upgrade with the following error: "Could not connect to VPN server, Please verify internet connectivity and server address." This issue can be fixed by a device reboot.
Apple iOS Connect On Demand Considerations
To ensure proper establishment of Connect On Demand VPN tunnels after updating AnyConnect, users must manually start the AnyConnect app and establish a connection. If this is not done, upon the next iOS system attempt to establish a VPN tunnel, the error message "The VPN Connection requires an application to start up" will display.
04-09-2014 08:37 AM
Just got a response from Cisco TAC, only version 3.2(1130) is affected.
04-09-2014 08:57 AM
Can you tell us what version 3.2(1130) is available on? I am running Version: 3.0.09266 on an iPhone and looking at the iTunes App Store this is the latest version. Is the iOS version affected by the bug only specific to certain iOS devices?
04-11-2014 06:17 AM
https://tools.cisco.com/bugsearch/bug/CSCuo17488/?reffering_site=dumpcr
This bug is/will be fixed in 003.000(9353)
04-11-2014 06:57 AM
Good find, Marcin - thanks!
04-09-2014 08:59 AM
That's odd - the latest version of AnyConnect for iOS I'm aware of is 3.0.09266:
https://itunes.apple.com/us/app/cisco-anyconnect/id392790924?mt=8
04-09-2014 01:20 PM
Also note that on the Windows platform the latest version I am aware of is 3.1.0x. Are they saying that even the next release will have this vulnerability?
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html
04-09-2014 06:35 PM
jbergen01 -
Cisco AnyConnect Secure Mobility Client for desktop platforms is confirmed NOT to have the vulnerability.
Please refer to the url in the OP.
04-10-2014 03:13 AM
04-10-2014 05:36 AM
I would also like to know what iOS versions are affected.