Multiple Vulnerabilities in OpenSSL Affecting Cisco Products

Advisory ID: cisco-sa-20140605-openssl

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl

Revision 1.28

Last Updated 2015 March 27 19:50 UTC (GMT)

For Public Release 2014 June 5 22:40 UTC (GMT)


Summary

Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code, create a denial of service (DoS) condition, or perform a man-in-the-middle attack. On June 5, 2014, the OpenSSL Project released a security advisory detailing seven distinct vulnerabilities. The vulnerabilities are referenced in this document as follows:

  • SSL/TLS Man-in-the-Middle Vulnerability
  • DTLS Recursion Flaw Vulnerability
  • DTLS Invalid Fragment Vulnerability
  • SSL_MODE_RELEASE_BUFFERS NULL Pointer Dereference Vulnerability
  • SSL_MODE_RELEASE_BUFFERS Session Injection or Denial of Service Vulnerability
  • Anonymous ECDH Denial of Service Vulnerability
  • ECDSA NONCE Side-Channel Recovery Attack Vulnerability

Note that the devices affected by these vulnerabilities are those that terminate Secure Sockets Layer (SSL)/Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) connections, either as a server accepting connections or as a client initiating them. Devices that only forward SSL/TLS or DTLS traffic without terminating it are not affected. Exposure also differs by vulnerability: the DTLS recursion flaw and the anonymous ECDH flaw affect only clients, and the SSL/TLS man-in-the-middle flaw requires both endpoints of a connection to be vulnerable.

Cisco will release free software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities may be available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl

Affected Products

Customers that wish to inquire about a product that is not currently listed in the sections below should contact the Cisco TAC or their support provider and open a TAC Case.

Vulnerable Products

Collaboration and Social Media
Endpoint Clients and Client Software
Network Application, Service, and Acceleration
  • Cisco ACE Application Control Engine Module (ACE10, ACE20) (CSCup28056)
  • Cisco ACE Application Control Engine Module (ACE30) (CSCup22544)
  • Cisco ACE Application Control Engine Appliance (ACE4710) (CSCup22544)
  • Cisco Wide Area Application Services (WAAS) (CSCup22648)

Network and Content Security Devices
  • Cisco Adaptive Security Appliance (ASA) Software (CSCup22532)
  • Cisco ASA CX Context-Aware Security (CSCup24314)
  • Cisco Content Security Management Appliance (SMA) (CSCup22506)
  • Cisco Email Security Appliance (ESA) (CSCup21571)
  • Cisco NAC Appliance (Clean Access Server) (CSCup24014)
  • Cisco NAC Manager (Clean Access Manager) (CSCup24028)
  • Cisco NAC Guest Server (CSCup24002)
  • Cisco IPS (CSCup22652)
  • Cisco Identity Service Engine (ISE) (CSCup22534)
  • Cisco Physical Access Gateways (CSCup22414)
  • Cisco Secure Access Control Server (ACS) (CSCup22665)
  • Cisco Small Business ISA500 Series Integrated Security Appliances (CSCup24029)
  • Cisco Virtual Security Gateway for Microsoft Hyper-V (CSCup22419)
  • Cisco Virtual Security Gateway for VMware (CSCup22419)
  • Cisco Web Security Appliance (WSA) (CSCup22522)

Network Management and Provisioning
Routing and Switching - Enterprise and Service Provider
Routing and Switching - Small Business
  • Cisco RV180W Wireless-N VPN Router (CSCuo18692)
  • Cisco RV220W Wireless-N VPN Router (CSCuo18692)
  • Cisco WAG310G Wireless-G ADSL2+ Gateway with VoIP (CSCup22426)

Unified Computing
Video, Streaming, TelePresence, and Transcoding Devices
  • Cisco D9036 Modular Encoding Platform (CSCup23995)
  • Cisco Digital Media Manager (DMM) (CSCup24174)
  • Cisco Edge 300 Digital Media Player (CSCup24260)
  • Cisco Edge 340 Digital Media Player (CSCup24248)
  • Cisco Digital Media Players (DMP) 4300 Series (CSCup92446)
  • Cisco Digital Media Players (DMP) 4400 Series (CSCup92446)
  • Cisco Expressway Series (CSCup25151)
  • Cisco Enterprise Content Delivery System (ECDS) (CSCup24139)
  • Cisco Hosted Collaboration Mediation Fulfillment (HCM-F) (CSCup24156)
  • Cisco Internet Streamer (CDS) (CSCup30939)
  • Cisco IP Video Phone E20 (CSCup23984)
  • Cisco MediaSense (CSCup24113)
  • Cisco PowerVu D9190 Conditional Access Manager (PCAM) (CSCup24013)
  • Cisco TelePresence Advanced Media Gateway Series (CSCup29733)
  • Cisco TelePresence Conductor (CSCup22610)
  • Cisco TelePresence Content Server (TCS) (CSCup22349)
  • Cisco TelePresence EX Series (CSCup25163)
  • Cisco TelePresence Exchange System (CTX) (CSCup23979)
  • Cisco TelePresence Integrator C Series (CSCup25163)
  • Cisco TelePresence IP Gateway Series (CSCup22636)
  • Cisco TelePresence IP VCR Series (CSCup23998)
  • Cisco TelePresence ISDN GW 3241 (CSCup22632)
  • Cisco TelePresence ISDN GW MSE 8321 (CSCup22632)
  • Cisco TelePresence ISDN Link (CSCup23978)
  • Cisco TelePresence MCU all series (CSCup23994)
  • Cisco TelePresence Multipoint Switch (CTMS) (CSCup23980)
  • Cisco TelePresence MX Series (CSCup25163)
  • Cisco TelePresence MXP Series (CSCup23989)
  • Cisco TelePresence Profile Series (CSCup25163)
  • Cisco TelePresence Recording Server (CTRS) (CSCup22338)
  • Cisco TelePresence Serial Gateway Series (CSCup22633)
  • Cisco TelePresence Server 8710, 7010 (CSCup22629)
  • Cisco TelePresence Server on Multiparty Media 310, 320 (CSCup22629)
  • Cisco TelePresence Server on Virtual Machine (CSCup22629)
  • Cisco TelePresence Supervisor MSE 8050 (CSCup22635)
  • Cisco TelePresence SX Series (CSCup25163)
  • Cisco TelePresence System 1000 (CSCup22603)
  • Cisco TelePresence System 1100 (CSCup22603)
  • Cisco TelePresence System 1300 (CSCup22603)
  • Cisco TelePresence 1310 (CSCup22603)
  • Cisco TelePresence System 3000 Series (CSCup22603)
  • Cisco TelePresence System 500-32 (CSCup22603)
  • Cisco TelePresence System 500-37 (CSCup22603)
  • Cisco TelePresence TX 9000 Series (CSCup22603)
  • Cisco TelePresence T Series (T3) (CSCup25163)
  • Cisco TelePresence Video Communication Server (VCS) (CSCup25151)
  • Tandberg Codian ISDN GW 3210/3220/3240 (CSCup22632)
  • Tandberg Codian MSE 8320 model (CSCup22632)
  • Tandberg 770/880/990 MXP Series (CSCup23989)
  • Cisco Video Surveillance 3000 Series IP Cameras (CSCup22372)
  • Cisco Video Surveillance 4000 Series IP Cameras (CSCup22381)
  • Cisco Video Surveillance 4300E/4500E High-Definition IP Cameras (CSCup22377)
  • Cisco Video Surveillance 6000 Series IP Cameras (CSCup22372)
  • Cisco Video Surveillance 7000 Series IP Cameras (CSCup22372)
  • Cisco Video Surveillance PTZ IP Cameras (CSCup22372)
  • Cisco Videoscape AnyRes Live (CAL) (CSCup24177)
  • Cisco Virtualization Experience Media Engine (CSCup47300)

Voice and Unified Communications Devices
  • Cisco Agent Desktop for Cisco Unified Contact Center Enterprise and Hosted (CSCup24189)
  • Cisco Agent Desktop for Cisco Unified Contact Center Express (CSCup34257)
  • Cisco ATA 187 Analog Telephone Adapter (CSCup24458)
  • Cisco ATA 190 Series Analog Telephone Adapter (CSCup24100)
  • Cisco Desktop Collaboration Experience DX650 (CSCup22514)
  • Cisco Emergency Responder (CER) (CSCup24079)
  • Cisco Paging Server (CSCup24093)
  • Cisco SPA112 2-Port Phone Adapter (CSCup24514)
  • Cisco SPA122 ATA with Router (CSCup24514)
  • Cisco SPA232D Multi-Line DECT ATA (CSCup24514)
  • Cisco SPA300 Series IP Phones (CSCup39003)
  • Cisco SPA500 Series IP Phones (CSCup39003)
  • Cisco SPA510 Series IP Phones (CSCup39003)
  • Cisco SPA525 Series IP Phones (CSCup38998)
  • Cisco TAPI Service Provider (TSP) (CSCup35534)
  • Cisco Computer Telephony Integration Object Server (CTIOS) (CSCup24074)
  • Cisco Unified Attendant Console (all editions) (CSCup23967)
  • Cisco Unified Attendant Console Advanced (CSCup24304)
  • Cisco Unified Communications 500 Series (CSCup22590)
  • Cisco Unified Communications Manager (UCM) (CSCup22670)
  • Cisco Unified Communications Manager Session Management Edition (SME) (CSCup22670)
  • Cisco Unified Communications Widgets Click To Call (CSCup30489)
  • Cisco Unified Contact Center Enterprise (CSCup24074)
  • Cisco Unified Contact Center Express (CSCup24073)
  • Cisco Unified Domain Manager (CSCup24018)
  • Cisco Unified 6901/6911 IP Phones (CSCuq05675)
  • Cisco Unified 6945 IP Phone (CSCuq05680)
  • Cisco Unified 6921/6941/6961 Series IP Phones (CSCup22596)
  • Cisco Unified 7800 Series IP Phones (CSCup22531)
  • Cisco Unified 7900 Series IP Phones (CSCup22595)
  • Cisco Unified 8831 IP Phone (CSCup22638)
  • Cisco Unified 8941 IP Phone (CSCup22598)
  • Cisco Unified 8945 IP Phone (CSCup22598)
  • Cisco Unified 8961 IP Phone (CSCup22539)
  • Cisco Unified 9951 IP Phone (CSCup22539)
  • Cisco Unified 9971 IP Phone (CSCup22539)
  • Cisco Unified IM and Presence Services (CUPS) (CSCup22627)
  • Cisco Unified Intelligent Contact Management Enterprise (CSCup24074)
  • Cisco Unified IP Conference Phone 8831 (CSCup37353)
  • Cisco Unified Wireless IP Phone 2920 Series (CSCup37238)
  • Cisco Unified Workforce Optimization (CSCup22397)
  • Cisco Unity Connection (UC) (CSCup24038)

Wireless
  • Cisco Mobility Service Engine (MSE) (CSCup22619)
  • Cisco Universal Small Cell 5000 Series running V3.4.2.x software (CSCup22656)
  • Cisco Universal Small Cell 7000 Series running V3.4.2.x software (CSCup22656)
  • Cisco Wireless LAN Controller (WLC) (CSCup22587)
  • Small Cell Factory Recovery root Filesystem V2.99.4 or later (CSCup22656)

The following Cisco services were found to be affected by one or more of the vulnerabilities documented in this advisory.

Products Confirmed Not Vulnerable

Note: The following list includes Cisco applications that are intended to be installed on a customer-provided host (either a physical server or a virtual machine) with a customer-installed operating system. Those products may use the Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) functionality as provided by the host operating system on which the Cisco product is installed. While those Cisco products do not directly include an affected version of OpenSSL (and therefore are not impacted by these vulnerabilities), Cisco recommends that customers review their host operating system installation and perform any upgrades necessary to address these vulnerabilities, according to the operating system vendor recommendations and general operating system security best practices.

The following Cisco products have been analyzed and are not affected by these vulnerabilities:

Collaboration and Social Media
  • Cisco Webex Social

Endpoint Clients and Client Software
  • Cisco IP Communicator
  • Cisco NAC Agent for Mac
  • Cisco NAC Agent for Web
  • Cisco NAC Agent for Windows
  • Cisco UC Integration for Microsoft Lync
  • Cisco Unified Personal Communicator
  • Cisco Unified Video Advantage
  • Webex Productivity Tools

Network Application, Service, and Acceleration
  • Cisco ACE GSS 4400 Series Global Site Selector
  • Cisco Application and Content Networking System (ACNS)
  • Cisco Extensible Network Controller (XNC)
  • Cisco Wide Area Application Services (WAAS) Mobile

Network and Content Security Devices
  • Cisco Adaptive Security Device Manager
  • Cisco Content Security Appliance Updater Servers
  • Cisco IronPort Encryption Appliance (IEA)
  • Cisco Physical Access Manager

Network Management and Provisioning
  • Cisco Digital Media Manager (DMM)
  • Cisco Discovery Service
  • Cisco Insight Reporter
  • Cisco Linear Stream Manager
  • Cisco Prime Analytics
  • Cisco Prime Cable Provisioning
  • Cisco Prime Collaboration Assurance Manager
  • Cisco Prime Home
  • Cisco Prime Provisioning for SPs
  • Cisco Show and Share (SnS)
  • Cisco Unified Intelligence Center
  • Cisco Unified Provisioning Manager (CUPM)
  • Cisco Wireless Control System (WCS)
  • CiscoWorks Network Compliance Manager
  • Prime Collaboration Provisioning - 10.0

Routing and Switching - Enterprise and Service Provider
  • Cisco Broadband Access Center Telco Wireless
  • Cisco Nexus 4000 Series

Voice and Unified Communications Devices
  • Cisco Billing and Measurements Server
  • Cisco Finesse
  • Cisco MGC Node Manage (CMNM)
  • Cisco PSTN Gateway (PGW 2200)
  • Cisco Remote Silent Monitoring
  • Cisco SPA8000 8-port IP Telephony Gateway
  • Cisco SPA8800 IP Telephony Gateway with 4 FXS and 4 FXO Ports
  • Cisco Unified 3900 series IP Phones
  • Cisco Unified Contact Center Domain Manager
  • Cisco Unified Contact Center Management Portal
  • Cisco Unified Customer Voice Portal (CVP)
  • Cisco Unified E-Mail Interaction Manager
  • Cisco Unified Operations Manager (CUOM)
  • Cisco Unified Service Monitor
  • Cisco Unified Sip Proxy
  • Cisco Unified Web Interaction Manager
  • Cisco Virtual PGW 2200 Softswitch
  • Exony VIM/CCDM/CCMP

Video, Streaming, TelePresence, and Transcoding Devices
  • Cisco AnyRes VOD (CAV)
  • Cisco D9034-S Encoder
  • Cisco D9054 HDTV Encoder
  • Cisco D9804 Multiple Transport Receiver
  • Cisco D9824 Advanced Multi Decryption Receiver
  • Cisco D9854/D9854-I Advanced Program Receiver
  • Cisco D9858 Advanced Receiver Transcoder
  • Cisco D9859 Advanced Receiver Transcoder
  • Cisco D9865 Satellite Receiver
  • Cisco DCM Series 9900-Digital Content Manager
  • Cisco TelePresence Management Suite (TMS)
  • Cisco TelePresence Management Suite Analytics Extension (TMSAE)
  • Cisco TelePresence Management Suite Extension (TMSXE)
  • Cisco TelePresence Management Suite Extension for IBM
  • Cisco TelePresence Management Suite Provisioning Extension
  • Cisco TelePresence Manager (CTSMan)
  • Cisco Unified Service Statistics Manager

Cisco Hosted Services
  • Cisco One Portal
  • Cisco Services Provisioning Platform (SPP)
  • Cisco SmartConnection
  • Cisco SmartReports
  • Cisco Unified Services Delivery Platform (CUSDP)
  • Cisco Universal Small Cell CloudBase
  • Cisco WebEx WebOffice & Workspace
  • Cisco Webex Messenger Service

Details

The OpenSSL Project disclosed seven vulnerabilities on June 5, 2014. One or more of these vulnerabilities affect both client and server installations of OpenSSL. The vulnerability names and their associated Common Vulnerabilities and Exposures (CVE) IDs are listed below.

The impact of these vulnerabilities on Cisco products may vary depending on the affected product.

For Cisco products, please refer to the information provided in the Cisco bug IDs listed in the Affected Products section of this document. Additional information and detailed instructions are available in the Cisco installation, configuration, and maintenance guides for each product. If additional clarification or advice is needed, please contact your support organization.

SSL/TLS Man-in-the-Middle Vulnerability

An unauthenticated, remote attacker positioned between an affected client and an affected server could inject a ChangeCipherSpec message early in the handshake, forcing both sides to derive session keys from predictable keying material; the attacker could then decrypt and modify the traffic of that connection. The attack requires both endpoints to run a vulnerable OpenSSL: clients are vulnerable in all affected versions, while servers are vulnerable only when running OpenSSL 1.0.1 or later.

This vulnerability has been assigned CVE ID CVE-2014-0224.
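The probe below is an added example, not code from the Cisco advisory or from OpenSSL. It exercises the server-side condition behind CVE-2014-0224: after the server has sent ServerHelloDone, the client sends a ChangeCipherSpec before any key exchange, and the server's reaction is classified. The interpretation rests on one stated assumption: a server that answers the premature CCS with a fatal unexpected_message alert is rejecting it the way a fixed OpenSSL does, while a server that accepts it silently (no alert before the timeout) behaves as the flawed code does. The hostnames, ports and result labels are the example's own; the sample byte strings in the usage note are constructed. The result describes the server only and does not prove exploitability, which also needs a vulnerable client.

```python
"""Probe a TLS server for the premature-ChangeCipherSpec behaviour of CVE-2014-0224.

Added example; not code from the Cisco advisory or from OpenSSL. Classification
assumption: a fatal unexpected_message alert in reply to an early CCS means the
server rejects it as a fixed OpenSSL does; silence means it accepted the CCS as
the flawed code does. Server-side indicator only.
"""
import socket
import struct

TLS_CCS, TLS_ALERT, TLS_HANDSHAKE = 0x14, 0x15, 0x16
HS_CLIENT_HELLO, HS_SERVER_HELLO_DONE = 1, 14
ALERT_UNEXPECTED_MESSAGE = 10
TLS10 = b"\x03\x01"


def build_client_hello():
    """Minimal TLS 1.0 ClientHello offering a few RSA and DHE cipher suites."""
    suites = b"".join(struct.pack("!H", s) for s in (0x002F, 0x0035, 0x0033, 0x0039, 0x000A))
    body = (
        TLS10                                   # client_version
        + bytes(32)                             # random; a constant is fine for a probe
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + TLS10 + struct.pack("!H", len(handshake)) + handshake


def build_ccs():
    """A ChangeCipherSpec record: one byte of payload with value 1."""
    return bytes([TLS_CCS]) + TLS10 + b"\x00\x01\x01"


def parse_records(data):
    """Split bytes into (content_type, payload) TLS records; a trailing partial record is dropped."""
    records, i = [], 0
    while i + 5 <= len(data):
        ctype = data[i]
        length = struct.unpack("!H", data[i + 3:i + 5])[0]
        if i + 5 + length > len(data):
            break
        records.append((ctype, data[i + 5:i + 5 + length]))
        i += 5 + length
    return records


def handshake_contains(data, hs_type):
    """True once a complete Handshake record carrying message type hs_type is present.

    Assumes handshake messages are not split across records, which holds for the
    short messages this probe waits for.
    """
    for ctype, payload in parse_records(data):
        if ctype != TLS_HANDSHAKE:
            continue
        j = 0
        while j + 4 <= len(payload):
            mtype = payload[j]
            mlen = int.from_bytes(payload[j + 1:j + 4], "big")
            if mtype == hs_type:
                return True
            j += 4 + mlen
    return False


def classify_ccs_response(data):
    """Interpret the records the server sent back after the premature CCS."""
    for ctype, payload in parse_records(data):
        if ctype == TLS_ALERT and len(payload) >= 2:
            if payload[1] == ALERT_UNEXPECTED_MESSAGE:
                return "not_vulnerable"          # rejected exactly as fixed OpenSSL does
            return "probably_not_vulnerable"     # rejected with a different alert
    return "likely_vulnerable"                   # no alert: CCS accepted without complaint


def probe(host, port=443, timeout=5.0):
    """Network probe: ClientHello, wait for ServerHelloDone, send CCS, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        buf = b""
        while not handshake_contains(buf, HS_SERVER_HELLO_DONE):
            chunk = s.recv(4096)
            if not chunk:
                return "handshake_failed"        # closed before ServerHelloDone (e.g. no common suite)
            buf += chunk
        s.sendall(build_ccs())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            return "likely_vulnerable"           # CCS accepted silently: no alert, no close
        if not reply:
            return "inconclusive"                # closed without an alert; not OpenSSL-like either way
        return classify_ccs_response(reply)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python ccs_probe.py host [port]` against a host you are authorized to test. Offline, the classifier can be exercised on constructed records: an alert record `15 03 01 00 02 02 0a` (fatal, unexpected_message) classifies as not vulnerable, `15 03 01 00 02 02 28` (handshake_failure) as probably not vulnerable, and a reply with no alert at all as likely vulnerable. A server that closes the connection without an alert is reported as inconclusive rather than guessed either way.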

DTLS Recursion Flaw Vulnerability

An unauthenticated, remote attacker that can convince an affected DTLS client to connect to an attacker-controlled server could send it an invalid DTLS handshake message that causes unbounded recursion in the client. This could result in a partial or complete DoS condition on the affected device. Only DTLS clients are affected.

This vulnerability has been assigned CVE ID CVE-2014-0221.

DTLS Invalid Fragment Vulnerability

An unauthenticated, remote attacker could send crafted DTLS handshake fragments to an affected DTLS client or server to trigger a buffer overflow. This could allow the attacker to execute arbitrary code with elevated privileges.

This vulnerability has been assigned CVE ID CVE-2014-0195.

SSL_MODE_RELEASE_BUFFERS NULL Pointer Dereference Vulnerability

An unauthenticated, remote attacker could send a crafted request that triggers a NULL pointer dereference in the do_ssl3_write function. This could result in a partial or complete DoS condition on the affected device. Only applications built on OpenSSL 1.0.0 or 1.0.1 with SSL_MODE_RELEASE_BUFFERS enabled are affected; this mode is not the default.

This vulnerability has been assigned CVE ID CVE-2014-0198.

SSL_MODE_RELEASE_BUFFERS Session Injection or Denial of Service Vulnerability

An unauthenticated, remote attacker could exploit a race condition in the ssl3_read_bytes function to inject data into another session handled by the same process or to trigger a DoS condition. Only multithreaded applications built on OpenSSL 1.0.0 or 1.0.1 with SSL_MODE_RELEASE_BUFFERS enabled are affected; this mode is not the default.

This vulnerability has been assigned CVE ID CVE-2010-5298.

Anonymous ECDH Denial of Service Vulnerability

An unauthenticated, remote attacker that can convince an affected client with anonymous ECDH cipher suites enabled to connect to an attacker-controlled server could send a crafted handshake message designed to trigger a NULL pointer dereference (anonymous ECDH involves no certificate). If successful, the attacker could create a DoS condition. Only TLS clients are affected.

This vulnerability has been assigned CVE ID CVE-2014-3470.

ECDSA NONCE Side-Channel Recovery Attack Vulnerability

An attacker with the ability to run an application on the same host as an affected OpenSSL process could recover ECDSA nonces through a cache side channel (the FLUSH+RELOAD attack on OpenSSL's Montgomery ladder implementation). Recovering enough nonce bits allows the attacker to reconstruct the ECDSA private key, which could then be used to impersonate the device or otherwise undermine the authentication of its network communications.

This vulnerability has been assigned CVE ID CVE-2014-0076.

For additional details, customers are advised to reference the OpenSSL Project security advisory: http://www.openssl.org/news/secadv_20140605.txt

Vulnerability Scoring Details

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss


SSL/TLS Man-in-the-Middle Vulnerability

CVE-2014-0224

CVSS Base Score - 4.3
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: Partial
  Availability Impact: None

CVSS Temporal Score - 3.6
  Exploitability: Functional
  Remediation Level: Official Fix
  Report Confidence: Confirmed


DTLS Recursion Flaw Vulnerability

CVE-2014-0221

CVSS Base Score - 7.1
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: Complete

CVSS Temporal Score - 5.9
  Exploitability: Functional
  Remediation Level: Official Fix
  Report Confidence: Confirmed


DTLS Invalid Fragment Vulnerability

CVE-2014-0195

CVSS Base Score - 10.0
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete

CVSS Temporal Score - 8.3
  Exploitability: Functional
  Remediation Level: Official Fix
  Report Confidence: Confirmed


SSL_MODE_RELEASE_BUFFERS NULL Pointer Dereference Vulnerability

CVE-2014-0198

CVSS Base Score - 7.1
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: Complete

CVSS Temporal Score - 5.9
  Exploitability: Functional
  Remediation Level: Official Fix
  Report Confidence: Confirmed


SSL_MODE_RELEASE_BUFFERS Session Injection or Denial of Service Vulnerability

CVE-2010-5298

CVSS Base Score - 7.8
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: Partial
  Availability Impact: Complete

CVSS Temporal Score - 6.4
  Exploitability: Functional
  Remediation Level: Official Fix
  Report Confidence: Confirmed


Anonymous ECDH Denial of Service Vulnerability

CVE-2014-3470

CVSS Base Score - 7.1
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: Complete

CVSS Temporal Score - 5.9
  Exploitability: Functional
  Remediation Level: Official Fix
  Report Confidence: Confirmed



ECDSA NONCE Side-Channel Recovery Attack Vulnerability

CVE-2014-0076

CVSS Base Score - 1.9
  Access Vector: Local
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: Partial
  Integrity Impact: None
  Availability Impact: None

CVSS Temporal Score - 1.6
  Exploitability: Functional
  Remediation Level: Official Fix
  Report Confidence: Confirmed
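The calculator below is an added example, not code from the advisory or from Cisco's CVSS tooling. It implements the CVSS v2.0 base and temporal equations and recomputes the scores for the seven vectors above, so the tabulated numbers can be checked rather than copied; the vector strings in it are transcribed from the metric tables in this section. It also makes one bound explicit that is easy to miscopy: a temporal score can never exceed its base score, because every temporal weight is at most 1.0, and a base of 7.1 with Exploitability Functional, Remediation Level Official Fix and Report Confidence Confirmed yields 5.9. Arithmetic is done in Decimal with round-half-up, which is how the specification rounds; binary floats would misround borderline values such as 8.265.

```python
"""CVSS v2.0 base and temporal score calculator (added example).

Not code from the Cisco advisory or from OpenSSL. Implements the CVSS v2.0
base and temporal equations and recomputes the scores for the seven vectors
the advisory publishes (vector strings transcribed from its metric tables).
"""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# Base metric weights from the CVSS v2.0 specification.
BASE_WEIGHTS = {
    "AV": {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")},
    "AC": {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")},
    "Au": {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")},
    "C":  {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    "I":  {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    "A":  {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
}
# Temporal metric weights; ND (not defined) leaves the score unchanged.
TEMPORAL_WEIGHTS = {
    "E":  {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")},
    "RL": {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")},
    "RC": {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")},
}

# Vectors transcribed from the advisory's scoring tables.
ADVISORY_VECTORS = {
    "CVE-2014-0224": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "CVE-2014-0221": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
    "CVE-2014-0195": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
    "CVE-2014-0198": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
    "CVE-2010-5298": "AV:N/AC:M/Au:N/C:N/I:P/A:C",
    "CVE-2014-3470": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
    "CVE-2014-0076": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
}
ADVISORY_TEMPORAL = "E:F/RL:OF/RC:C"   # Functional / Official Fix / Confirmed, for all seven


def _round1(x):
    """Round to one decimal, half up, as the CVSS v2 specification does."""
    return float(x.quantize(D("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector, weights):
    """Map 'AV:N/AC:M/...' to {metric: weight}; reject unknown values and missing metrics."""
    values = {}
    for part in vector.split("/"):
        metric, _, level = part.partition(":")
        if metric not in weights or level not in weights[metric]:
            raise ValueError(f"unknown metric or value: {part!r}")
        values[metric] = weights[metric][level]
    missing = sorted(set(weights) - set(values))
    if missing:
        raise ValueError(f"missing metrics: {missing}")
    return values


def base_score(vector):
    """CVSS v2 base equation: impact and exploitability sub-scores combined."""
    m = parse_vector(vector, BASE_WEIGHTS)
    impact = D("10.41") * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = D("0") if impact == 0 else D("1.176")
    return _round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f_impact)


def temporal_score(base, temporal_vector):
    """CVSS v2 temporal equation; never exceeds base, since every weight is <= 1."""
    m = parse_vector(temporal_vector, TEMPORAL_WEIGHTS)
    return _round1(D(str(base)) * m["E"] * m["RL"] * m["RC"])


def score_advisory():
    """Recompute base and temporal scores for every CVE in the advisory."""
    scores = {}
    for cve, vector in ADVISORY_VECTORS.items():
        base = base_score(vector)
        scores[cve] = {"base": base, "temporal": temporal_score(base, ADVISORY_TEMPORAL)}
    return scores


if __name__ == "__main__":
    for cve, s in score_advisory().items():
        print(f"{cve}: base {s['base']}  temporal {s['temporal']}")
```

Running the module prints the recomputed pairs: 4.3/3.6 for CVE-2014-0224, 7.1/5.9 for CVE-2014-0221, CVE-2014-0198 and CVE-2014-3470, 10.0/8.3 for CVE-2014-0195, 7.8/6.4 for CVE-2010-5298 and 1.9/1.6 for CVE-2014-0076. The same functions accept any v2 vector, so an environmental or internal re-scoring of a product can reuse them unchanged.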

Impact

Successful exploitation of these vulnerabilities may allow an attacker to perform a man-in-the-middle attack, create a denial of service condition, disclose sensitive information, or execute arbitrary code with elevated privileges.

To determine the impact on a specific Cisco product, refer to the Cisco bug ID, available from the Cisco Bug Search Tool.

Software Versions and Fixes

When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Workarounds

For potential workarounds on a specific Cisco product, refer to the Cisco bug ID, available from the Cisco Bug Search Tool.

Cisco has published an Event Response for this vulnerability:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_OpenSSL_06052014.html

Obtaining Fixed Software

Cisco will release free software updates that address the vulnerabilities described in this advisory as affected products are identified. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html.

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Navigator on Cisco.com at http://www.cisco.com/cisco/software/navigator.html.

Customers using Third Party Support Organizations

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
  • +1 800 553 2447 (toll free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • email: tac@cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and email addresses for support in various languages.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerabilities that are described in this advisory.

These vulnerabilities were publicly disclosed by the OpenSSL Project on June 5, 2014.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco Security at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following email addresses:
  • cust-security-announce@cisco.com
  • first-bulletins@lists.first.org
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • fulldisclosure@seclists.org

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.

Revision History

Revision 1.28 2015-March-27 The Products Under Investigation, Vulnerable, and Confirmed Not Vulnerable sections have been updated. Advisory Status moved to Final, no additional updates expected.
Revision 1.27 2015-March-13 The Products Under Investigation, Vulnerable, and Confirmed Not Vulnerable sections have been updated.
Revision 1.26 2015-February-25 Updated the Affected Products and Confirmed Vulnerable sections.
Revision 1.25 2015-January-26 Updated the Affected Products and Products Confirmed Not Vulnerable sections.
Revision 1.24 2014-November-26 Updated the Affected Products and Products Confirmed Not Vulnerable sections.
Revision 1.23 2014-November-12 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.22 2014-October-30 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.21 2014-August-06 Updated the Affected Products and Vulnerable Products sections. Linked bug IDs of currently known affected products.
Revision 1.20 2014-July-30 Added secondary bug ID CSCup22663 for Nexus 2000, 5000, 5600, and 6000. Updated the Vulnerable Products section. Linked bug IDs of currently known affected products.
Revision 1.19 2014-July-23 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.18 2014-July-18 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.17 2014-July-14 Updated the Affected Products, Vulnerable Products. Linked bug IDs of currently known affected products.
Revision 1.16 2014-July-09 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.15 2014-July-07 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.14 2014-July-03 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.13 2014-June-27 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.12 2014-June-25 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.11 2014-June-23 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.10 2014-June-20 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.9 2014-June-19 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.8 2014-June-18 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.7 2014-June-16 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.6 2014-June-13 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.5 2014-June-12 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.4 2014-June-11 Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.3 2014-June-10 Updated the Affected Products and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products. Provided clarification in Products Confirmed Not Vulnerable section regarding customer-maintained operating systems.
Revision 1.2 2014-June-09 Updated the Affected Products and Products Confirmed Not Vulnerable sections. Linked bug IDs of currently known affected products.
Revision 1.1 2014-June-06 Updated the Affected Products and Products Confirmed Not Vulnerable sections.
Revision 1.0 2014-June-05 Initial public release.

Cisco Security Procedures

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.