Cisco experts dish on 'Heartbleed' IP security vulnerability
The company has also issued an official, downloadable Security Advisory bulletin.
In the following YouTube video, posted April 25, IP security experts Craig Williams and Jaeson Schultz of Cisco discuss the Heartbleed online security vulnerability and developments in handling the bug since its public disclosure two weeks ago. Cisco has also issued an official, downloadable "Security Advisory" bulletin entitled "OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products."
"Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server. The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension," summarizes the advisory note.
The note continues, "An attacker could exploit this vulnerability by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. An exploit could send a specially crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords."
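The "missing bounds check" the advisory refers to is the core of the bug: a heartbeat message carries its own payload length field, and the unpatched handler copied that many bytes into the response without confirming the record it had actually received was that long. The following is an added illustration (not Cisco's or OpenSSL's code) of the check a hardened handler performs before echoing a heartbeat. It uses the RFC 6520 message layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding); the function names, the constructed sample records and the zero padding are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16

/* Hardened bounds check (hypothetical name): the declared payload plus the mandatory
 * padding must fit inside the record that was actually received. The unpatched code
 * skipped this comparison and trusted payload_length alone, which is the defect the
 * advisory describes. RFC 6520 says a message failing this check is silently discarded. */
int heartbeat_length_ok(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;                                   /* cannot even hold header + padding */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    return (size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING <= rec_len;
}

/* Build a heartbeat response for a request record (hypothetical helper).
 * Returns the response length, or -1 if the request is rejected. Because the copy
 * length is validated against rec_len first, the memcpy can only read bytes that
 * belong to the received record, never adjacent process memory. */
long heartbeat_respond(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (!heartbeat_length_ok(rec, rec_len))
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    /* Real implementations use random padding; zero padding keeps this example deterministic. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (long)resp_len;
}

/* Construct a sample request record (constructed test data, not captured traffic).
 * declared_len is written into the length field independently of the real payload
 * size so a mismatched record can be produced for testing. Returns bytes written. */
size_t make_heartbeat(unsigned char *buf, size_t cap, const char *payload, uint16_t declared_len)
{
    size_t actual = strlen(payload);
    size_t total = HB_HEADER_LEN + actual + HB_MIN_PADDING;
    if (total > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(declared_len >> 8);
    buf[2] = (unsigned char)(declared_len & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, actual);
    memset(buf + HB_HEADER_LEN + actual, 0xAA, HB_MIN_PADDING);
    return total;
}

int main(void)
{
    unsigned char req[64], resp[64];

    /* Honest record: declared length matches the bytes on the wire. */
    size_t n = make_heartbeat(req, sizeof req, "hello", 5);
    printf("honest record: %ld-byte response\n", heartbeat_respond(req, n, resp, sizeof resp));

    /* Mismatched record: claims 65535 bytes but only 24 were received; must be rejected. */
    size_t m = make_heartbeat(req, sizeof req, "hello", 65535);
    printf("mismatched record: result %ld (rejected)\n", heartbeat_respond(req, m, resp, sizeof resp));
    return 0;
}
```

The detection angle follows from the same arithmetic: a heartbeat request whose declared payload length exceeds the TLS record length is never legitimate, so a network sensor that parses the record can flag such messages regardless of whether the endpoint is patched.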
Among the affected products and services which have had their exposure to the Heartbleed vulnerability confirmed are the Cisco Video Surveillance 3000/4000/6000/7000 Series IP cameras; its 4300E/4500E High-Definition IP cameras; and its PTZ IP cameras. A full -- and extensive -- list of affected and potentially affected products and services is available in the Security Advisory bulletin.