Cisco patched four vulnerabilities this week in one of its core security operating systems and is now beginning to assess the potential impact of this week's Heartbleed vulnerability on at least 60 of its other products.
The patches, released yesterday, fix problems in the company's Adaptive Security Appliance (ASA) software that could lead to privilege escalation and authentication bypass, and could expose products running ASA to denial of service. ASA is the software that runs Cisco's family of firewalls and other security appliances.
An attacker could chain the first two vulnerabilities, a privilege escalation in the Adaptive Security Device Manager (ASDM) and an SSL VPN privilege escalation, to gain administrative access to an affected system.
Another VPN bug, an authentication bypass, could allow an attacker to reach the internal network through the SSL VPN.
The last and perhaps most serious bug affects ASA's Session Initiation Protocol (SIP) inspection. Reported by researchers from Trustwave's SpiderLabs and Dell SecureWorks, it could allow an attacker to exhaust the system's memory. If the SIP inspection engine is enabled, as it is by default, an attacker could send crafted SIP packets that make the system unstable, force it to reload and trigger a denial of service (DoS) condition.
According to the security advisory Cisco posted Wednesday, a series of firewalls, routers and other Cisco appliances that run ASA are affected; the advisory lists them in full.
Cisco notes that ASA itself is not among its products affected by this week's much-discussed OpenSSL Heartbleed vulnerability.
Cisco does acknowledge, however, that ASDM, which comes bundled with ASA, may be affected by Heartbleed. The company is reportedly in the early stages of evaluating its entire product line to determine the bug's potential impact.
Ultimately, however, when it comes to vulnerable software, the question is not "is it or isn't it?" but "how many?"
In an advisory yesterday the company said that "multiple" Cisco products incorporate a version of the OpenSSL package affected by Heartbleed, something that could "allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server."
In a list updated today, roughly 25 products are confirmed not affected and 11 are confirmed affected. Cisco is still investigating more than 60 other products that may or may not be affected, and plans to remediate the issues with software updates, along with workarounds where possible, in the near future.
The internet-wide Heartbleed bug stems from a missing bounds check in the way OpenSSL handles the TLS heartbeat extension: a peer can claim a payload length larger than the data it actually sent, and the vulnerable side echoes back that many bytes of its own memory. It was disclosed Monday, and speculation is rampant that it may have been exploited as far back as last November.
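As an added illustration that is not part of the original article or of Cisco's or OpenSSL's code, the following C sketch models the defect described above. A TLS heartbeat message carries a 16-bit payload length, which is why a single request can pull back at most roughly 64 KB; the vulnerable handler trusts that length and copies that many bytes into the response, while the fixed handler applies the check OpenSSL 1.0.1g added (discard the message if header + claimed payload + minimum padding exceeds the bytes actually received). The record layout, the `g_memory` array and the planted secret are constructed for the demonstration, and the guards marked "demo only" exist solely to keep the example memory-safe; they are not in the original handler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the TLS record the heartbeat handler reads: the message
 * bytes and how many of them were actually received. */
typedef struct { const unsigned char *data; size_t length; } tls_record;

#define HB_REQUEST 1
#define HB_PADDING 16   /* minimum padding a TLS heartbeat must carry */

/* Vulnerable shape (OpenSSL before 1.0.1g): the 2-byte payload length in the
 * message is trusted and that many bytes are copied into the response even
 * when the record was far shorter. Guards marked "demo only" are not in the
 * original; they keep this example inside g_memory/out. Returns bytes copied
 * or -1. */
static int heartbeat_vulnerable(const tls_record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    if (rec->length < 3) return -1;                      /* demo only */
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);  /* attacker-chosen, up to 65535 */
    p += 2;
    if (type != HB_REQUEST || (size_t)payload > out_cap) return -1; /* cap: demo only */
    memcpy(out, p, payload);   /* over-reads when payload > rec->length - 3 */
    return (int)payload;
}

/* Fixed shape (the 1.0.1g check): silently discard a heartbeat whose claimed
 * payload plus 3-byte header and minimum padding exceeds the bytes received. */
static int heartbeat_fixed(const tls_record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    if (rec->length < 1 + 2 + HB_PADDING) return -1;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length) return -1;
    if (type != HB_REQUEST || (size_t)payload > out_cap) return -1;
    memcpy(out, p, payload);
    return (int)payload;
}

/* Constructed memory: a 21-byte heartbeat record at offset 0, followed by
 * unrelated contents, including a planted secret, as a neighbouring buffer
 * in a real process might hold. */
static unsigned char g_memory[128];
static const char SECRET[] = "PRIVATE-KEY-MATERIAL";

static tls_record build_record(uint16_t claimed_payload)
{
    tls_record rec = { g_memory, 1 + 2 + 2 + HB_PADDING };  /* 21 bytes really received */
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (unsigned char)(claimed_payload >> 8);
    g_memory[2] = (unsigned char)(claimed_payload & 0xff);
    g_memory[3] = 'h'; g_memory[4] = 'i';            /* the real 2-byte payload */
    memset(g_memory + 5, 0xAA, HB_PADDING);          /* 16 bytes of padding */
    memcpy(g_memory + 40, SECRET, sizeof SECRET - 1); /* "adjacent" memory */
    return rec;
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* A request claiming 64 payload bytes: the vulnerable handler's response
 * carries the planted secret (returns 1). */
int vulnerable_leaks_secret(void)
{
    unsigned char out[256];
    tls_record rec = build_record(64);
    int n = heartbeat_vulnerable(&rec, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, SECRET);
}

/* The fixed handler's result for a given claimed length: -1 (discarded) for
 * the 64-byte claim, 2 for an honest claim matching the 2 bytes sent. */
int fixed_result(uint16_t claimed_payload)
{
    unsigned char out[256];
    tls_record rec = build_record(claimed_payload);
    return heartbeat_fixed(&rec, out, sizeof out);
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed, claims 64 bytes : %d\n", fixed_result(64));
    printf("fixed, honest 2 bytes  : %d\n", fixed_result(2));
    return 0;
}
```

Build with `cc -std=c99 heartbeat_demo.c && ./a.out`. The point for operators of appliances such as the ones in Cisco's list is that nothing in the handshake or the record framing stops the over-read; only the patched bounds check does, so the remediation is a software update on every affected product rather than a configuration change.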