[cisco-voip] openSSL and heartbleed
Wes Sisk (wsisk)
wsisk at cisco.com
Thu Apr 10 22:08:39 EDT 2014
Lelio,
UCM information should be clear in the next update.
-Wes
________________________________
From: Lelio Fulgenzi [lelio at uoguelph.ca]
Sent: Thursday, April 10, 2014 7:24 PM
To: Wes Sisk (wsisk)
Cc: Brian Meade; cisco-voip voyp list
Subject: Re: [cisco-voip] openSSL and heartbleed
Thanks Wes.
I can imagine the amount of work involved in figuring all this out.
My comment was more towards the verbiage included in the advisory.
That is, does "Unified Communications Server 9.2" refer to "Unified Communications Manager"?
I only ask because I've made assumptions like this in the past only to be surprised.
Sent from my iPhone
On 2014-04-10, at 6:27 PM, "Wes Sisk (wsisk)" <wsisk at cisco.com> wrote:
Jumping in -
Updates are WIP, Lelio. My expectation, as of the timestamp of this email, is that UCM 9.x may not be affected. 10.x may be affected.
We are still validating.
-Wes
________________________________
From: cisco-voip [cisco-voip-bounces at puck.nether.net] on behalf of Lelio Fulgenzi [lelio at uoguelph.ca]
Sent: Thursday, April 10, 2014 4:47 PM
To: Brian Meade
Cc: cisco-voip voyp list
Subject: Re: [cisco-voip] openSSL and heartbleed
Brian,
In reading the advisory, it's not clear if Communication Manager v9 and earlier is addressed. There is something called Cisco Unified Communication Server (UCM) 9.2 and earlier, but that's confusing because it's not the name and there is no v9.2 available.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
Any chance on getting this cleared up?
Lelio
---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph
519‐824‐4120 Ext 56354
lelio at uoguelph.ca
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1
________________________________
From: "Brian Meade" <bmeade90 at vt.edu>
To: "Lelio Fulgenzi" <lelio at uoguelph.ca>
Cc: "cisco-voip voyp list" <cisco-voip at puck.nether.net>
Sent: Tuesday, April 8, 2014 7:49:18 PM
Subject: Re: [cisco-voip] openSSL and heartbleed
Should all be the same underlying OS. 10.x would be the only one I'd worry about until someone can check if it is vulnerable since it may have a newer openssl version.
On Apr 8, 2014 7:34 PM, "Lelio Fulgenzi" <lelio at uoguelph.ca> wrote:
Thanks Brian.
Can we assume that ELM and UCCX are also not affected? Same 9.x train.
Sent from my iPhone
On 2014-04-08, at 7:21 PM, Brian Meade <bmeade90 at vt.edu> wrote:
Here we can see CUCM does not respond to the Heartbeat Request with any data:
<image.png>
For the root inclined, we can find what openssl version is running:
[root at CUCM912 ~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
This new heartbeat bug isn't valid as OpenSSL didn't even implement responding to the Heartbeat Requests until version 1.0.1. This is why CUCM doesn't respond with any data.
I don't have a 10.x box to check with right now.
Brian
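A version-banner check that encodes the reasoning in Brian's message (no heartbeat extension before OpenSSL 1.0.1, so a 0.9.8 build cannot answer a heartbeat request), written here as an added example and not part of the thread or of any Cisco tooling. The CUCM banner is the one quoted above; the other banners are assumed samples, and the 1.0.1g / 1.0.2-beta1 boundaries are upstream OpenSSL release facts.

```python
import re

# Constructed `openssl version` banners. "cucm912" is the one quoted in the
# thread; the others are assumed samples for illustration.
SAMPLE_BANNERS = {
    "cucm912": "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
    "assumed_101e": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "assumed_101g": "OpenSSL 1.0.1g 7 Apr 2014",
    "assumed_102beta1": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

_BANNER_RE = re.compile(
    r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?(\S*)"
)

def parse_openssl_banner(banner):
    """Split 'OpenSSL 1.0.1e-fips ...' into (major, minor, fix, letter, beta, suffix)."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta, suffix = m.groups()
    return (int(major), int(minor), int(fix), letter,
            int(beta) if beta else None, suffix)

def heartbleed_status(banner):
    """Classify a banner as 'no_heartbeat', 'fixed_upstream' or 'check_vendor_patch'.

    Upstream facts: the heartbeat extension first shipped in 1.0.1, the bug was
    fixed in 1.0.1g, and 1.0.2-beta1 carried it. A distro or vendor build in the
    affected range (e.g. 1.0.1e-fips) may already be patched via backport while
    keeping the same banner, so that case cannot be settled from the banner
    alone; it needs the vendor advisory, which is exactly what the thread asks for.
    """
    major, minor, fix, letter, beta, _suffix = parse_openssl_banner(banner)
    base = (major, minor, fix)
    if base < (1, 0, 1):
        return "no_heartbeat"          # 0.9.8x / 1.0.0x never answer heartbeats
    if base == (1, 0, 1):
        return "fixed_upstream" if letter >= "g" else "check_vendor_patch"
    if base == (1, 0, 2) and beta is not None and beta <= 1:
        return "check_vendor_patch"    # 1.0.2-beta1 shipped with the bug
    return "fixed_upstream"

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print("%-18s %-40s -> %s" % (name, banner, heartbleed_status(banner)))
```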
On Tue, Apr 8, 2014 at 7:01 PM, Brian Meade <bmeade90 at vt.edu> wrote:
Here's what I found testing against 9.1.2.10000.28 with a slightly modified python script:
bmeade at ubuntu:~$ python vulnscript 10.3.11.250
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0301, length = 1012
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable
This is assuming the released script is checking for the vulnerability properly.
Brian
On Tue, Apr 8, 2014 at 5:51 PM, Brian Meade <bmeade90 at vt.edu> wrote:
I haven't seen one. Currently trying to run the example python script against one of my clusters but having some trouble.
On Tue, Apr 8, 2014 at 5:24 PM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
Weird. For some reason I fixated on the date beneath the entry in the search listing, which had 2011, which made more sense.
Do you know if there is a more recent advisory?
________________________________
From: "Brian Meade" <bmeade90 at vt.edu>
To: "Lelio Fulgenzi" <lelio at uoguelph.ca>
Cc: "cisco-voip voyp list" <cisco-voip at puck.nether.net>
Sent: Tuesday, April 8, 2014 5:16:32 PM
Subject: Re: [cisco-voip] openSSL and heartbleed
I don't think that's the correct advisory. That's a DoS vulnerability from 2004.
Brian
On Tue, Apr 8, 2014 at 5:11 PM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
Never mind... my first search did not produce results...
http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20040317-openssl.html
________________________________
From: "Lelio Fulgenzi" <lelio at uoguelph.ca>
To: "cisco-voip voyp list" <cisco-voip at puck.nether.net>
Sent: Tuesday, April 8, 2014 5:09:01 PM
Subject: openSSL and heartbleed
Does anyone know if/when Cisco will be coming out with a security advisory about OpenSSL and Heartbleed?
http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip