Status of Cisco devices with respect to the OpenSSL Heartbleed vulnerability (CVE-2014-0160)

The OpenSSL vulnerability Heartbleed is sweeping through the IT industry like a spring storm.

In short, it allows the memory of the peer you are communicating with over SSL to be read out,
so information such as the private key may be extracted.
The OpenSSL 1.0.1 series (up to and including 1.0.1f) is affected,
and the only remedy is to update to OpenSSL 1.0.1g, released on 2014/04/07.
For the status of the various servers and services, see piyokango's roundup and similar sources:
OpenSSLの脆弱性(CVE-2014-0160)関連の情報をまとめてみた - piyolog (a roundup of information on the OpenSSL vulnerability, CVE-2014-0160)
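As an added example (not part of the original post), the version rule stated above turned into a first-pass inventory screen: it parses `openssl version` banners and classifies each host by the post's rule that 1.0.1 through 1.0.1f are affected and 1.0.1g is the fix. The hostnames and banners in the sample inventory are constructed for this example.

```python
import re

# Rule stated in the post: OpenSSL 1.0.1 through 1.0.1f are affected and
# 1.0.1g (2014-04-07) is the fix; other branches are treated as not affected.
FIXED_LETTER = "g"

# Start of an `openssl version` banner: "OpenSSL 1.0.1e-fips 11 Feb 2013"
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(banner):
    """Return (major, minor, patch, letter), or None if not an OpenSSL banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter

def heartbleed_status(banner):
    """'vulnerable', 'fixed', 'not_affected' or 'unknown' from the banner alone.
    Backported fixes that keep the old letter (a patched 1.0.1e, say) still read
    as 'vulnerable', so treat this as a first screen, not a verdict."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, patch, letter = parsed
    if (major, minor, patch) != (1, 0, 1):
        return "not_affected"
    # Plain "1.0.1" has an empty letter and sorts before "1.0.1a"; the
    # single-letter patch releases compare correctly as strings.
    return "fixed" if letter >= FIXED_LETTER else "vulnerable"

# Constructed sample inventory (hosts and banners made up for this example),
# one "host<TAB>banner" per line as a fleet scan might record it.
SAMPLE_INVENTORY = """\
web01\tOpenSSL 1.0.1e-fips 11 Feb 2013
web02\tOpenSSL 1.0.1g 7 Apr 2014
lb01\tOpenSSL 1.0.1 14 Mar 2012
db01\tOpenSSL 1.0.0k 5 Feb 2013
legacy\tnginx/1.4.7
"""

def triage_inventory(text):
    """Map each host in the inventory text to its Heartbleed status."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            host, _, banner = line.partition("\t")
            result[host] = heartbleed_status(banner)
    return result
```

Hosts reported as "unknown" (no OpenSSL banner at all, as with appliances that hide their library) are exactly the ones for which the vendor advisory, like the Cisco one below, is the only source of truth.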

As for Cisco network devices, the status is described in Cisco's Security Advisory, which is being updated as the investigation progresses:
OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products

To find out whether the Cisco devices you manage are affected, check
"Affected Products" -> "Vulnerable Products" in the Security Advisory above.

Note: opening "Affected Products" shows a list of devices, but these are described as
"The following Cisco products are currently under investigation",
i.e. a list of devices still being investigated, so whether they are actually vulnerable is not yet known.


For now, Cisco IOS, IOS XR and CatOS are all reported as not affected,
so the many routers and switches in production are unaffected, which is a relief.
IOS XE, however, is affected from version 3.11S (15.4(2)S) onward, and the status of Bug ID CSCuo19730 needs to be tracked.


This Security Advisory is updated daily, so please check the original URL for the latest information;
as of 11:00 JST on 14 April 2014, the Heartbleed status of Cisco products is as follows.

Cisco devices affected by the Heartbleed vulnerability (as of 2014/4/14 11:00 JST)

AnyConnect for iPhone is listed as affected, but it appears to have already been fixed in
release 3.0.09353, which is on the App Store.

Cisco AnyConnect Secure Mobility Client for iOS [CSCuo17488]
Cisco Desktop Collaboration Experience DX650
Cisco Unified 7800 series IP Phones
Cisco Unified 8961 IP Phone
Cisco Unified 9951 IP Phone
Cisco Unified 9971 IP Phone
Cisco IOS XE [CSCuo19730]
Cisco Unified Communications Manager (UCM) 10.0
Cisco Universal Small Cell 5000 Series running V3.4.2.x software
Cisco Universal Small Cell 7000 Series running V3.4.2.x software
Small Cell factory recovery root filesystem V2.99.4 or later
Cisco MS200X Ethernet Access Switch
Cisco Mobility Service Engine (MSE)
Cisco TelePresence Video Communication Server (VCS) [CSCuo16472]
Cisco TelePresence Conductor
Cisco TelePresence Supervisor MSE 8050
Cisco TelePresence Server 8710, 7010
Cisco TelePresence Server on Multiparty Media 310, 320
Cisco TelePresence Server on Virtual Machine
Cisco TelePresence ISDN Gateway 8321 and 3201 Series
Cisco TelePresence Serial Gateway Series
Cisco TelePresence IP Gateway Series
Cisco WebEx Meetings Server versions 2.x [CSCuo17528]
Cisco Security Manager [CSCuo19265]
FireAMP Private Cloud virtual appliance

Cisco services that were affected by the Heartbleed vulnerability but have already been remediated (as of 2014/4/14 11:00 JST)

Cisco Registered Envelope Service (CRES)
Cisco Webex Messenger Service
Cisco USC Invicta Series Autosupport Portal

Cisco devices not affected by the Heartbleed vulnerability (as of 2014/4/14 11:00 JST)

Cisco IOS
Cisco IOS XR
Cisco Catalyst Operating System (CatOS)
Cisco MDS Switches
Cisco Nexus 3000 Series Switches
Cisco Nexus 5000 Series Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco ASR 5000 Series
Cisco Adaptive Security Appliance (ASA) Software
Cisco ACE Application Control Engine Module (ACE10, ACE20, ACE30)
Cisco ACE Application Control Engine Appliance
Cisco AnyConnect Secure Mobility Client for desktop platforms
Cisco AnyConnect Secure Mobility Client for Android
Cisco CSS 11500 Series Content Services Switches
Cisco Unified 7900 series IP Phones
Cisco Unified 6900 series IP Phones
Cisco Unified 3900 series IP Phones
Cisco Unified 8941 IP Phone
Cisco Unified 8945 IP Phone
Cisco Unified IP Conference Phone 8831
Cisco IP Communicator
Cisco Unified Communications Manager (UCM) 9.1(2) and earlier
Cisco Unified Communications Domain Manager
Cisco Unified Business Attendant Console
Cisco Unified Department Attendant Console
Cisco Unified Enterprise Attendant Console
Cisco Identity Service Engine (ISE)
Cisco Secure Access Control Server (ACS)
Cisco Wireless Lan Controller (WLC)
Cisco Wireless Control System (WCS)
Cisco Web Security Appliance (WSA)
Cisco Content Security Management Appliance (SMA)
Cisco Email Security Appliance (ESA)
Cisco IronPort Encryption Appliance (IEA)
Cisco UCS Central
Cisco UCS Fabric Interconnects
Cisco UCS B-Series (Blade) Servers
Cisco UCS C-Series (Stand alone Rack) Servers
Cisco RV315W Wireless-N VPN Router
Cisco RV215W Wireless-N VPN Router
Cisco RV220W Wireless-N VPN Router
Cisco RV180W Wireless-N VPN Router
Cisco RV120W Wireless-N VPN Router
Cisco RV110W Wireless-N VPN Router
Cisco CVR100W Wireless-N VPN Router
Cisco RV325 VPN Router
Cisco RV320 VPN Router
Cisco RV180 VPN Router
Cisco RV082 VPN Router
Cisco RV042 VPN Router
Cisco RV016 VPN Router
Cisco 200 Series Smart Switches
Cisco 300 Series Managed Switches
Cisco 500 Series Stackable Managed Switches
Cisco ESW2 Series Advanced Switches
Cisco WAP121 Wireless-N Access Point
Cisco WAP321 Wireless Access Point
Cisco WAP551/561 Wireless-N Access Point
Cisco WAP4410N Wireless-N Access Point
Cisco Meraki Cloud Managed Indoor Access Points
Cisco Meraki Cloud-Managed Outdoor Access Points
Cisco Meraki MX Security Appliances
Cisco Meraki MS Access Switches
Cisco WebEx Meetings Server versions 1.x
Cisco WebEx Social
Cisco Application and Content Networking System (ACNS) Software
Cisco Wide Area Application Services (WAAS) Software
Cisco ACE Global Site Selector Appliances (GSS)
Cisco Prime Network Analysis Module (NAM)
Cisco NetFlow Generation 3000 Series Appliances
Cisco Prime Infrastructure
Cisco Content Switching Module with SSL (CSM-S)
Cisco SSL Services Module (SSLM)
Cisco Intelligent Automation for Cloud
Cisco D9854/D9854-I Advanced Program Receiver
Cisco D9824 Advanced Multi Decryption Receiver
Cisco D9858 Advanced Receiver Transcoder
Cisco D9859 Advanced Receiver Transcoder
Cisco Application Networking Manager (ANM)
Cisco DPC/EPC2100 Cable Modem
Cisco DPC/EPC2505 Cable Modem
Cisco DPC/EPC2607 Cable Modem
Cisco DPC3000/EPC3000 Cable Modem
Cisco DPC3008/EPC3008 Cable Modem
Cisco DPC/EPC3010 Cable Modem
Cisco DPQ/EPQ2160 DOCSIS 2.0 Cable Modem
Cisco DPX100/120 Cable Modem
Cisco DPX110 Cable Modem
Cisco DPX130 Cable Modem
Cisco DPX/EPX2100 Cable Modem
Cisco Model DPC2425R2 and EPC2425R2 Wireless Residential Gateway with Digital Voice
Cisco Model DPC2420R2 and EPC2420R2 Wireless Residential Gateway with Digital Voice
Cisco DPC/EPC 2202 VoIP Cable Modem
Cisco DPC/EPC 2203 VoIP Cable Modem
Cisco DPC/EPC 3208 VoIP Cable Modem
Cisco DPC/EPC3212 VoIP Cable Modem
Cisco DPQ3212 VoIP Cable Modem
Cisco DPQ2202 VoIP Cable Modem
Cisco DPX2213 VoIP Cable Modem
Cisco DPX213 VoIP Cable Modem
Cisco DPX/EPX 2203 VoIP Cable Modem
Cisco DPX/EPX 2203C VoIP Cable Modem
Cisco DPC2320 and EPC2320 Wireless Residential Gateway
Cisco DPC2325R2 and EPC2325R2 Wireless Residential Gateway
Cisco DPC3827 and EPC3827 Wireless Residential Gateway
Cisco DPC2420 and EPC2420 Wireless Residential Gateway with Embedded Digital Voice Adapter
Cisco DPC3825 and EPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway
Cisco DPC3828 and EPC3828 DOCSIS/EuroDOCSIS 3.0 8x4 Wireless Residential Gateway
Cisco DPC3925 and EPC3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
Cisco DPC3928 and EPC3928 DOCSIS/EuroDOCSIS 3.0 8x4 Wireless Residential Gateway with Embedded Digital Voice Adapter
Cisco DPC3939 DOCSIS 3.0 16x4 Wireless Residential Voice Gateway
Cisco DPC/EPC2325 Residential Gateway with Wireless Access Point
Cisco DPC/EPC2425 Wireless Residential Gateway with Embedded Digital Voice Adapter
Cisco DPC/EPC2434 VoIP Wireless Home Gateway
Cisco DPQ2425 Wireless Residential Gateway with Digital Voice Adapter
Cisco DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
Cisco DPR362 Cable Modem and Router
Cisco DPR/EPR2320, DPR2325 Cable Modem with Wireless Access Point

Cisco services not affected by the Heartbleed vulnerability (as of 2014/4/14 11:00 JST)

Cisco Meraki Dashboard
Cisco WebEx Meeting Center
Cisco WebEx Support Center
Cisco WebEx Training Center
Cisco WebEx Event Center
Cisco Universal Small Cell CloudBase
Cisco Cloud Web Security

Products other than those listed above are still under investigation.
Keep checking Cisco's own site for updates.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed