Though the now-infamous Heartbleed bug is currently being patched by many companies on the website level, the OpenSSL data encryption flaw also affects an unknown amount of networking hardware from companies including Cisco Systems.
Cisco published a bulletin on its site, warning that some of its networking hardware and software, which includes routers, Ethernet switches, access points, and more, is affected by the Heartbleed bug, a flaw in the OpenSSL data encryption software used by many of the world’s websites. Though most of this hardware wouldn’t be found in the average person’s home, the hardware that Cisco identifies as vulnerable is likely used by private companies, governments, and other organizations.
We reached out to Cisco for comment, and asked whether a patched website would still be vulnerable to Heartbleed if the organization running the site is still using Cisco hardware and/or services to keep it up and running. Nigel Glennie, Senior Manager of Global Corporate Communcations for Cisco, responded to our request for comment, stating that the list of affected hardware and services “are not going to be the type of products that allow the exploitation of user data on a website.”
However, that seems to run contrary to Cisco’s own bulletin, which states that “Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.” On top of that, the bulletin also states that “disclosed portions of memory could contain sensitive information that may include private keys and passwords.”
Digital Trends is currently awaiting clarification on the apparent discrepancy between Glennie’s statement and Cisco’s published security advisory.
Here’s the list of Cisco networking hardware and services that’s affected by the Heartbleed bug, according to the firm’s official bulletin, as of this writing. Cisco will continue to update these lists, so check back with this Security Advisory page often.
- Cisco AnyConnect Secure Mobility Client for iOS [CSCuo17488]
- Cisco Desktop Collaboration Experience DX650
- Cisco Unified 7800 series IP Phones
- Cisco Unified 8961 IP Phone
- Cisco Unified 9951 IP Phone
- Cisco Unified 9971 IP Phone
- Cisco IOS XE [CSCuo19730]
- Cisco Unified Communications Manager (UCM) 10.0
- Cisco Universal Small Cell 5000 Series running V3.4.2.x software
- Cisco Universal Small Cell 7000 Series running V3.4.2.x software
- Small Cell factory recovery root filesystem V2.99.4 or later
- Cisco MS200X Ethernet Access Switch
- Cisco Mobility Service Engine (MSE)
- Cisco TelePresence Video Communication Server (VCS) [CSCuo16472]
- Cisco TelePresence Conductor
- Cisco TelePresence Supervisor MSE 8050
- Cisco TelePresence Server 8710, 7010
- Cisco TelePresence Server on Multiparty Media 310, 320
- Cisco TelePresence Server on Virtual Machine
- Cisco TelePresence ISDN Gateway 8321 and 3201 Series
- Cisco TelePresence Serial Gateway Series
- Cisco TelePresence IP Gateway Series
- Cisco WebEx Meetings Server versions 2.x [CSCuo17528]
- Cisco Security Manager [CSCuo19265]
Cisco is also currently investigating whether any of its other networking products are vulnerable to Heartbleed. Here’s a list of the hardware and services that the firm is looking into as of this writing.
- Cisco IOS XR
- Cisco Nexus 1000V Series Switches
- Cisco Nexus 4000 Series Switches
- Cisco Nexus 5000 Series Switches
- Cisco Nexus 6000 Series Switches
- Cisco Nexus 9000 Series Switches
- Cisco IPS
- Cisco Webex Messenger
- Cisco Jabber client
- Cisco OnePK All-in-One VM
- Cisco DCM Series 9900-Digital Content Manager
- Cisco D9034-S Encoder
- Cisco D9054 HDTV Encoder
- Cisco Show and Share
- WebEx Social
- Cisco Adaptive Security Device Manager (ASDM)
- Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module (FWSM)
- Cisco Digital Media Manager
- Cisco Digital Media Players
- Cisco Edge 300 Digital Media Player
- Cisco Edge 340 Digital Media Player
- Cisco Emergency Responder
- Cisco Internet Streamer CDS
- Cisco Enterprise Content Delivery System (ECDS)
- Cisco IP Communicator
- Cisco TelePresence Recording Server
- Cisco Network Analysis Module Software (NAM)
- Cisco Wireless Location Appliance
- CiscoWorks Wireless LAN Solution Engine (WLSE)
- Cisco Physical Access Gateways
- Cisco Physical Access Manager
- Cisco Video Surveillance Media Server Software
- Cisco Video Surveillance Operations Manager Software
- Cisco NetFlow Generation Appliance 3240
- Cisco Prime Data Center Network Manager
- Cisco Prime Analytics for SPs
- Cisco Prime Central for SPs
- Cisco Prime Provisioning for SPs
- Cisco Prime Performance Manager for SPs
- Cisco Prime Optical for SPs
- Cisco Prime Network Services Controller (formerly the Cisco Virtual Network Management Center)
- Cisco Prime Network Registrar
- Cisco Unified Contact Center Products
- Cisco Unified Department Attendant Console
- Cisco Unified E-Mail Interaction Manager
- Cisco Unified Enterprise Attendant Console
- Cisco Unified Mobility
- Cisco Unified Operations Manager
- Cisco Unified Personal Communicator
- Cisco Unified Presence
- Cisco Unified Provisioning Manager
- Cisco Unified Quick Connect
- Cisco Unified Service Monitor
- Cisco Unified Service Statistics Manager
- Cisco UCS Invicta Series Solid State Systems
- Cisco NAC Server
- Cisco NAC Manager
- Cisco NAC Agent
- Cisco NAC Guest Server
- Cisco ONS 15454 Series Multiservice Provisioning Platforms
- Cisco Quantum Policy Server (QPS)
- Cisco TelePresence System 500
- Cisco TelePresence System 1100
- Cisco TelePresence System 1300 Series
- Cisco TelePresence System 3000 Series
- Cisco TelePresence System T Series
- Cisco IP Video Phone E20
- Cisco TelePresence MX Series
- Cisco TelePresence EX Series
- Cisco Telepresence Integrator C Series
- Cisco TelePresence Profile Series
- Cisco TelePresence SX Series
- Cisco TelePresence Movi with Precision HD USB / Jabber Video
- Cisco TelePresence MXP Series
- Cisco TelePresence MCU all series
- Cisco TelePresence Advanced Media Gateway Series
- Cisco TelePresence IP VCR Series
- Cisco TelePresence ISDN GW 3241
- Tandberg Codian ISDN GW 3210/3220/3240
- Tandberg Codian MSE 8310 model
- Tandberg 770/880/990 MXP Series
Finally, here’s a list of Cisco hardware that has been analyzed by the company, and deemed to be not vulnerable to Heartbleed, as of this writing.
- Cisco IOS
- Cisco MDS Switches
- Cisco Nexus 3000 Series Switches
- Cisco Nexus 7000 Series Switches
- Cisco Adaptive Security Appliance (ASA) Software
- Cisco ACE Application Control Engine Module
- Cisco ACE Application Control Engine Appliance
- Cisco AnyConnect Secure Mobility Client for desktop platforms
- Cisco AnyConnect Secure Mobility Client for Android
- Cisco CSS 11500 Series Content Services Switches
- Cisco Unified 7900 series IP Phones
- Cisco Unified 6900 series IP Phones
- Cisco Unified 3900 series IP Phones
- Cisco Unified 8941 IP Phone
- Cisco Unified 8945 IP Phone
- Cisco Unified IP Conference Phone 8831
- Cisco Unified Communications Manager (UCM) 9.1(2) and earlier
- Cisco Unified Communications Domain Manager
- Cisco Unified Business Attendant Console
- Cisco Unified Department Attendant Console
- Cisco Unified Enterprise Attendant Console
- Cisco Identity Service Engine (ISE)
- Cisco Secure Access Control Server (ACS)
- Cisco Wireless Lan Controller (WLC)
- Cisco Wireless Control System (WCS)
- Cisco Web Security Appliance (WSA)
- Cisco Content Security Management Appliance (SMA)
- Cisco Email Security Appliance (ESA)
- Cisco IronPort Encryption Appliance (IEA)
- Cisco UCS Central
- Cisco UCS Fabric Interconnects
- Cisco UCS B-Series (Blade) Servers
- Cisco UCS C-Series (Stand alone Rack) Servers
- Cisco RV315W Wireless-N VPN Router
- Cisco RV215W Wireless-N VPN Router
- Cisco RV220W Wireless-N VPN Router
- Cisco RV180W Wireless-N VPN Router
- Cisco RV120W Wireless-N VPN Router
- Cisco RV110W Wireless-N VPN Router
- Cisco CVR100W Wireless-N VPN Router
- Cisco RV325 VPN Router
- Cisco RV320 VPN Router
- Cisco RV180 VPN Router
- Cisco RV082 VPN Router
- Cisco RV042 VPN Router
- Cisco RV016 VPN Router
- Cisco 200 Series Smart Switches
- Cisco 300 Series Managed Switches
- Cisco 500 Series Stackable Managed Switches
- Cisco ESW2 Series Advanced Switches
- Cisco WAP121 Wireless-N Access Point
- Cisco WAP321 Wireless Access Point
- Cisco WAP551/561 Wireless-N Access Point
- Cisco WAP4410N Wireless-N Access Point
- Cisco Meraki Cloud Managed Indoor Access Points
- Cisco Meraki Cloud-Managed Outdoor Access Points
- Cisco Meraki MX Security Appliances
- Cisco Meraki MS Access Switches
- Cisco WebEx Meetings Server versions 1.x
- Cisco Application and Content Networking System (ACNS) Software
- Cisco Wide Area Application Services (WAAS) Software
- Cisco ACE Global Site Selector Appliances (GSS)
- Cisco Prime Network Analysis Module (NAM)
- Cisco Prime Infrastructure
- Cisco Content Switching Module with SSL (CSM-S)
- Cisco SSL Services Module (SSLM)
- Cisco Intelligent Automation for Cloud
- Cisco Meraki Dashboard
- Cisco WebEx Meeting Center
- Cisco WebEx Support Center
- Cisco WebEx Training Center
- Cisco WebEx Event Center
- Cisco Universal Small Cell CloudBase
- Cisco Cloud Web Security
Image credit: http://images.china.cn
