What about cisco anyconnect?

MeMySelfundCisco · ‎04-08-2014

The Tops of our company came to us this morning and where all panic like:

http://heartbleed.com/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Does anybody know if and what WLC Versions are a problem?

Thanks alot for your help!

MJonkers · ‎04-08-2014

What about cisco anyconnect? http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

MeMySelfundCisco · ‎04-08-2014

yeah, ALL cisco products for that matter - but at the moment I´m just responsible for the WLC´s :D (As they have "external" access because of the Guest users..)

gwes · ‎04-09-2014

Products Confirmed Not Vulnerable

The following Cisco products have been analyzed and are not affected by this vulnerability:

Cisco Adaptive Security Appliance (ASA) Software
Cisco ACE Application Control Engine
Cisco AnyConnect Secure Mobility Client for desktop platforms
Cisco AnyConnect Secure Mobility Client for Android
Cisco CSS 11500 Series Content Services Switches

MJonkers · ‎04-08-2014

See also http://www.kb.cert.org/vuls/id/720951 Cisco not yet reported.

bikejunkie · ‎04-08-2014

It would be good to know the breakdown of which products, if any are exposed. We are looking specifically for Ironport Email Security Appliances and the email encryption appliance IEA devices.

Thanks!

gwes · ‎04-09-2014

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

mike.b.simpson · ‎04-08-2014

Seems that ASA are affected according to some test exploit site.

gwes · ‎04-09-2014

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

Vulnerable Products

The following Cisco products are affected by this vulnerability:

Cisco AnyConnect Secure Mobility Client for iOS
Cisco Desktop Collaboration Experience DX650
Cisco Unified 7900, 8900, 9900 series IP Phones
Cisco TelePresence Video Communication Server (VCS)

Travis Ryan · ‎04-09-2014

Does anyone know specifically what versions of the AnyConnect Client for iOS are vulnerable?

joshhunter · ‎04-10-2014

Hey, So according to the Cisco Security Advisory the WLC is listed as non vulnerable - So the WLC HTTPs WebGUI cert does not internally use OpenSSL or at least a vulnerable version.

What about those who are using a Captive Portal for Guest Wireless?

Many people use OpenSSL to convert 3rd Party certificates for the Portal as per the Cisco guides?

joshhunter · ‎04-30-2014

I have the answer to my question:

Please refer to the following link which mentioned that we can’t use any other versions than openssl 0.9.8, since the controller will not accept the certificate, please check the following links which mentioned that:

http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html#conf

https://supportforums.cisco.com/document/102151/certificate-signing-requests-wlc-open-ssl

Reuben Farrelly · ‎05-01-2014

That's no longer the case. OpenSSL 1.0 is supported from WLC 7.5.102 onwards.

This means if you have 7.6.X or above you should be OK to use OpenSSL 1.0 . I successfully used 1.0.1g on a very up to date Gentoo Linux box only a week ago to convert, chain and upload a new wildcard certificate to my WLC.

See: https://tools.cisco.com/bugsearch/bug/CSCti65315 for further information about this bug.

HeartBleed SSL Bug - Cisco WLC´s a concern?

Products Confirmed Not Vulnerable

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

Vulnerable Products