<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-2022-jp">
</head>
<body dir="auto" fpstyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">Lelio,
<div><br>
</div>
<div>UCM information should be clear in the next update.</div>
<div><br>
</div>
<div>-Wes</div>
<div><br>
</div>
<div>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div id="divRpF746220" style="direction: ltr;"><font face="Tahoma" size="2" color="#000000"><b>From:</b> Lelio Fulgenzi [lelio@uoguelph.ca]<br>
<b>Sent:</b> Thursday, April 10, 2014 7:24 PM<br>
<b>To:</b> Wes Sisk (wsisk)<br>
<b>Cc:</b> Brian Meade; cisco-voip voyp list<br>
<b>Subject:</b> Re: [cisco-voip] openSSL and heartbleed<br>
</font><br>
</div>
<div></div>
<div>
<div>Thanks Wes. </div>
<div><br>
</div>
<div>I can imagine the amount of work involved in figuring all this out. </div>
<div><br>
</div>
<div>My comment was more towards the verbiage included in the advisory. </div>
<div><br>
</div>
<div>That is, does "Unified Communications Server 9.2" refer to "Unified Communications Manager"?</div>
<div><br>
</div>
<div>I only ask because I've made assumptions like this in the past only to be surprised. <br>
<br>
Sent from my iPhone</div>
<div><br>
On 2014-04-10, at 6:27 PM, "Wes Sisk (wsisk)" <<a href="mailto:wsisk@cisco.com" target="_blank">wsisk@cisco.com</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div><style type="text/css" id="owaParaStyle"></style>
<div style="direction:ltr; font-family:Tahoma; color:#000000; font-size:10pt">Jumping in -
<div><br>
</div>
<div>Updates are WIP Lelio. My expectation, as of timestamp of this email, is that UCM 9.x may not be affected. 10.x may be affected.</div>
<div><br>
</div>
<div>We are still validating.</div>
<div><br>
</div>
<div>-Wes<br>
<div style="font-family:Times New Roman; color:#000000; font-size:16px">
<hr tabindex="-1">
<div id="divRpF822655" style="direction:ltr"><font face="Tahoma" size="2" color="#000000"><b>From:</b> cisco-voip [<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>] on behalf of Lelio Fulgenzi [<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>]<br>
<b>Sent:</b> Thursday, April 10, 2014 4:47 PM<br>
<b>To:</b> Brian Meade<br>
<b>Cc:</b> cisco-voip voyp list<br>
<b>Subject:</b> Re: [cisco-voip] openSSL and heartbleed<br>
</font><br>
</div>
<div></div>
<div>
<div style="font-family:verdana,helvetica,sans-serif; font-size:10pt; color:#000000">
Brian,<br>
<br>
In reading the advisory, it's not clear if Communication Manager v9 and earlier is addressed. There is something called Cisco Unified Communication Server (UCM) 9.2 and earlier, but that's confusing because it's not the name and there is no v9.2 available.<br>
<br>
<a href="http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed" target="_blank">http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed</a><br>
<br>
Any chance on getting this cleared up?<br>
<br>
Lelio<br>
<br>
<br>
<div><span name="x"></span>---<br>
Lelio Fulgenzi, B.A.<br>
Senior Analyst, Network Infrastructure<br>
Computing and Communications Services (CCS)<br>
University of Guelph<br>
<br>
519$B!>(B824$B!>(B4120 Ext 56354<br>
<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a><br>
<a href="http://www.uoguelph.ca/ccs" target="_blank">www.uoguelph.ca/ccs</a><br>
Room 037, Animal Science and Nutrition Building<br>
Guelph, Ontario, N1G 2W1<span name="x"></span><br>
</div>
<br>
<hr id="zwchr">
<div style="color:#000; font-weight:normal; font-style:normal; text-decoration:none; font-family:Helvetica,Arial,sans-serif; font-size:12pt">
<b>From: </b>"Brian Meade" <<a href="mailto:bmeade90@vt.edu" target="_blank">bmeade90@vt.edu</a>><br>
<b>To: </b>"Lelio Fulgenzi" <<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>><br>
<b>Cc: </b>"cisco-voip voyp list" <<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>><br>
<b>Sent: </b>Tuesday, April 8, 2014 7:49:18 PM<br>
<b>Subject: </b>Re: [cisco-voip] openSSL and heartbleed<br>
<br>
<p dir="ltr">Should all be the same underlying OS. 10.x would be the only one I'd worry about until someone can check if it is vulnerable since it may have a newer openssl version.</p>
<div class="gmail_quote">On Apr 8, 2014 7:34 PM, "Lelio Fulgenzi" <<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div dir="auto">
<div>Thanks Brian. </div>
<div><br>
</div>
<div>Can we assume that ELM and UCCx is also not affected? Same 9.x train. </div>
<div><br>
</div>
<div><br>
<br>
Sent from my iPhone</div>
<div><br>
On 2014-04-08, at 7:21 PM, Brian Meade <<a href="mailto:bmeade90@vt.edu" target="_blank">bmeade90@vt.edu</a>> wrote:<br>
<br>
</div>
<blockquote>
<div>
<div dir="ltr">Here we can see CUCM does not respond to the Heartbeat Request with any data:
<div><image.png>
<div>
<div><br>
</div>
</div>
</div>
<div>For the root inclined, we can find what openssl version is running:</div>
<div>
<div>[root@CUCM912 ~]# openssl version</div>
<div>OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008</div>
</div>
<div><br>
</div>
<div>This new heartbeat bug isn't valid as OpenSSL didn't even implement responding to the Heartbeat Requests until version 1.0.1. This is why CUCM doesn't respond with any data.</div>
<div><br>
</div>
<div>I don't have a 10.x box to check with right now.</div>
<div><br>
</div>
<div>Brian</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Apr 8, 2014 at 7:01 PM, Brian Meade <span dir="ltr">
<<a href="mailto:bmeade90@vt.edu" target="_blank">bmeade90@vt.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div dir="ltr">Here's what I found testing against 9.1.2.10000.28 with a slightly modified python script:
<div>
<div>
<div>bmeade@ubuntu:~$ python vulnscript 10.3.11.250</div>
<div>Connecting...</div>
<div>Sending Client Hello...</div>
<div>Waiting for Server Hello...</div>
<div> ... received message: type = 22, ver = 0301, length = 1012</div>
<div>Sending heartbeat request...</div>
<div>Unexpected EOF receiving record header - server closed connection</div>
<div>No heartbeat response received, server likely not vulnerable</div>
</div>
</div>
<div><br>
</div>
<div>This is assuming the released script is checking for the vulnerability properly.</div>
<span><font color="#888888">
<div><br>
</div>
<div>Brian</div>
</font></span></div>
<div>
<div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Apr 8, 2014 at 5:51 PM, Brian Meade <span dir="ltr">
<<a href="mailto:bmeade90@vt.edu" target="_blank">bmeade90@vt.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div dir="ltr">I haven't seen one. Currently trying to run the example python script against one of my clusters but having some trouble.</div>
<div>
<div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Apr 8, 2014 at 5:24 PM, Lelio Fulgenzi <span dir="ltr">
<<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div>
<div style="font-size:10pt; font-family:verdana,helvetica,sans-serif">weird. for some reason i fixated on the date beneath the entry in the search listing which had 2011, which made more sense.<br>
<br>
do you know if there is a more recent advisory?
<div><br>
<br>
<div><span></span>---<br>
Lelio Fulgenzi, B.A.<br>
Senior Analyst, Network Infrastructure<br>
Computing and Communications Services (CCS)<br>
University of Guelph<br>
<br>
<a href="tel:519%E2%80%90824%E2%80%904120%20Ext%2056354" target="_blank">519$B!>(B824$B!>(B4120 Ext 56354</a><br>
<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a><br>
<a href="http://www.uoguelph.ca/ccs" target="_blank">www.uoguelph.ca/ccs</a><br>
Room 037, Animal Science and Nutrition Building<br>
Guelph, Ontario, N1G 2W1<span></span><br>
</div>
<br>
<hr>
</div>
<div style="font-size:12pt; font-style:normal; font-family:Helvetica,Arial,sans-serif; text-decoration:none; font-weight:normal">
<b>From: </b>"Brian Meade" <<a href="mailto:bmeade90@vt.edu" target="_blank">bmeade90@vt.edu</a>><br>
<b>To: </b>"Lelio Fulgenzi" <<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>><br>
<b>Cc: </b>"cisco-voip voyp list" <<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>><br>
<b>Sent: </b>Tuesday, April 8, 2014 5:16:32 PM<br>
<b>Subject: </b>Re: [cisco-voip] openSSL and heartbleed
<div>
<div><br>
<br>
<div dir="ltr">I don't think that's the correct advisory. That's a DoS vulnerability from 2004.
<div><br>
</div>
<div>Brian</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Apr 8, 2014 at 5:11 PM, Lelio Fulgenzi <span dir="ltr">
<<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div>
<div style="font-size:10pt; font-family:verdana,helvetica,sans-serif">nevermind... my first search did not produce results...<br>
<br>
<a href="http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20040317-openssl.html" target="_blank">http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20040317-openssl.html</a>
<div><br>
<br>
<div><span></span>---<br>
Lelio Fulgenzi, B.A.<br>
Senior Analyst, Network Infrastructure<br>
Computing and Communications Services (CCS)<br>
University of Guelph<br>
<br>
<a href="tel:519%E2%80%90824%E2%80%904120%20Ext%2056354" target="_blank">519$B!>(B824$B!>(B4120 Ext 56354</a><br>
<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a><br>
<a href="http://www.uoguelph.ca/ccs" target="_blank">www.uoguelph.ca/ccs</a><br>
Room 037, Animal Science and Nutrition Building<br>
Guelph, Ontario, N1G 2W1<span></span><br>
</div>
<br>
</div>
<hr>
<div style="font-size:12pt; font-style:normal; font-family:Helvetica,Arial,sans-serif; text-decoration:none; font-weight:normal">
<b>From: </b>"Lelio Fulgenzi" <<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a>><br>
<b>To: </b>"cisco-voip voyp list" <<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>><br>
<b>Sent: </b>Tuesday, April 8, 2014 5:09:01 PM<br>
<b>Subject: </b>openSSL and heartbleed
<div>
<div><br>
<br>
<div style="font-size:10pt; font-family:verdana,helvetica,sans-serif"><br>
Does anyone know if/when Cisco will be coming out with a security advisory about Open SSL and heartbleed?<br>
<br>
<a href="http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309" target="_blank">http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309</a><br>
<br>
<br>
<br>
<div><span></span>---<br>
Lelio Fulgenzi, B.A.<br>
Senior Analyst, Network Infrastructure<br>
Computing and Communications Services (CCS)<br>
University of Guelph<br>
<br>
<a href="tel:519%E2%80%90824%E2%80%904120%20Ext%2056354" target="_blank">519$B!>(B824$B!>(B4120 Ext 56354</a><br>
<a href="mailto:lelio@uoguelph.ca" target="_blank">lelio@uoguelph.ca</a><br>
<a href="http://www.uoguelph.ca/ccs" target="_blank">www.uoguelph.ca/ccs</a><br>
Room 037, Animal Science and Nutrition Building<br>
Guelph, Ontario, N1G 2W1<span></span><br>
</div>
<br>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</body>
</html>