Lucene search

K
ciscoCiscoCISCO-SA-20140409-HEARTBLEED
HistoryApr 09, 2014 - 3:00 a.m.

OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products

2014-04-0903:00:00
tools.cisco.com
82

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.975 High

EPSS

Percentile

100.0%

Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.

The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. An exploit could send a specially crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords.

Please note that the devices that are affected by this vulnerability are the devices acting as an SSL server terminating SSL connections or devices acting as an SSL Client initiating an SSL connection. Devices that are simply traversed by SSL traffic without terminating it are not affected.

This advisory will be updated as additional information becomes available. Cisco will release software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities may be available.
This advisory is available at the following link:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed[“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed”]

Affected configurations

Vulners
Node
ciscoanyconnect_secure_mobility_clientMatchany
OR
ciscotelepresence_video_communication_serverMatchany
OR
ciscodesktop_collaboration_experience_dx650Matchany
OR
ciscounified_ip_phones_9900_series_firmwareMatchany
OR
ciscounified_ip_phone_8945Matchany
OR
ciscoanyconnect_secure_mobility_clientMatchany
OR
ciscotelepresence_video_communication_serverMatchany
OR
ciscodesktop_collaboration_experience_dx650Matchany
OR
ciscounified_ip_phones_7906gMatch9900 Series Firmware
OR
ciscounified_ip_phoneMatch8945

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.975 High

EPSS

Percentile

100.0%