OpenSSL Heartbleed vulnerability CVE-2014-0160 – Cisco products and mitigations
*** UPDATED 15-April 2014 ***
By now, almost everyone has heard of the OpenSSL Heartbleed vulnerability with CVE id CVE-2014-0160. The vulnerability has to do with the implementation of the TLS heartbeat extension (RFC6520) and could allow secret key or private information leakage in TLS encrypted communications. For more detailed information, visit the VRT’s analysis.
Cisco maintains an Cisco Event Response Page with details and network mitigations about the vulnerability
Effective use of Cisco Sourcefire Next-Generation Intrusion Prevention System (NGIPS) event actions provides visibility into and protection against attacks that attempt to exploit this vulnerability. The Sourcefire Snort SIDs for this vulnerability are 30510 through 30517. VRT also wrote Snort signatures 30520 through 30523 for exploit attempts against OpenSSL clients
Effective use of Cisco Intrusion Prevention System (IPS) event actions provides visibility into and protection against attacks that attempt to exploit this vulnerability. The corresponding Signature IDs for Cisco IPS written for the vulnerability are 4187/0 and 4187/1 which are included as part of Cisco IPS Signature Update Package S785, 4187/2 as part of Cisco IPS Signature Update Package S786 and 4187/3 and 4187/4 as part of Cisco IPS Signature Update Package S787.
Administrators can configure IPS sensors to perform an event action when an attack is detected. The configured event action performs preventive or deterrent controls to help protect against an attack that is attempting to exploit the Heartbleed vulnerability. An IPS device that is not put inline and configured to drop malicious packets will only alert on attempts to exploit this vulnerability and will not prevent (mitigate) these attempts from becoming successful.
For more details on IPS signatures for this vulnerability, refer to the Mitigation section of the Cisco Event Response Page
For information on using Cisco Security Manager to view the activity from a Cisco IPS sensor, see Identification of Malicious Traffic Using Cisco Security Manager white paper.
The Cisco Product Security Incident Response Team (PSIRT) is currently investigating which Cisco products are affected by this vulnerability. Cisco Advisory OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products was just published and already includes information on vulnerable products and others confirmed not vulnerable. The advisory will be updated as additional information about other products becomes available. Cisco will release free software updates that address these vulnerabilities. Any updates specifically related to Cisco will be communicated according to the Cisco Security Vulnerability Policy.
The Cisco Computer Security Incident Response Team (CSIRT) is investigating Cisco public facing infrastructure that could be susceptible to this vulnerability in order to facilitate its remediation.