A critical security issue in the widely used OpenSSL software library was recently discovered and brought to light. This vulnerability has been named Heartbleed, and it has generated significant attention in the media and press. Curvature would like to provide a short summary to help you better understand what Heartbleed is, whether your networking and data center equipment is vulnerable, and the appropriate courses of action.
Cisco, a popular product line at Curvature, has used OpenSSL widely in its products and has released a Security Advisory detailing the products affected by this bug. One of the most notable products on the list is IOS XE, used to run many of Cisco’s newer platforms, including the Cat4500/Sup7 and ASR 1000. Of these platforms, the nature of the Heartbleed vulnerability means that only the ASR 1000 is at significant risk, and even then, only in certain deployments. Because this vulnerability is related to server functionality, affected devices acting purely as a router or switch will not be exposed to a security threat unless the IOS HTTP server is enabled and using SSL/TLS. With some features, such as secure SIP gateway, however, products may be exposed to this vulnerability.
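The exposure condition above (IOS HTTP server enabled and using SSL/TLS) can be checked across saved configurations. The following is an added example, not code from Curvature or Cisco: it flags running-configs that explicitly contain `ip http secure-server`, so those devices can be checked against the advisory. Assumptions: the device names and config text are constructed, the function names are hypothetical, only explicit statements are detected (not platform defaults), and features such as secure SIP gateway are not covered.

```python
import re

# Constructed sample running-configs (not from any real device).
SAMPLE_CONFIGS = {
    "asr1k-edge-01": """\
hostname asr1k-edge-01
ip http server
ip http secure-server
ip http secure-port 8443
""",
    "cat4500-core-01": """\
hostname cat4500-core-01
no ip http server
no ip http secure-server
""",
    "asr1k-wan-02": """\
hostname asr1k-wan-02
ip http server
ip http secure-port 8443
""",
}

# Matches only the exact enable/disable statement, not related
# sub-commands such as "ip http secure-port" or plain "ip http server".
_SECURE_SERVER = re.compile(r"^\s*(no\s+)?ip\s+http\s+secure-server\s*$")


def https_server_enabled(running_config: str) -> bool:
    """Return True if the config explicitly enables the HTTPS server."""
    enabled = False
    for line in running_config.splitlines():
        m = _SECURE_SERVER.match(line)
        if m:
            enabled = m.group(1) is None  # a "no" prefix means disabled
    return enabled


def devices_to_review(configs: dict[str, str]) -> list[str]:
    """List devices whose HTTPS server is on and so need a version check."""
    return sorted(name for name, cfg in configs.items()
                  if https_server_enabled(cfg))


if __name__ == "__main__":
    for name in devices_to_review(SAMPLE_CONFIGS):
        print(f"{name}: HTTPS server enabled, check against the advisory")
```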
For switching platforms including Catalyst 3650, 3850, 4500/Sup7, and 4500/Sup8, there is no issue, as software updates for all of these affected product families do not require a SmartNet contract to download. For the ASR 1000 or other susceptible platforms, Cisco has announced that affected customers may open a case with the PSIRT team regardless of the customer's SmartNet status. Once a case is opened, customers will receive updated versions of the software as fixes are implemented.
Curvature is here to assist you with any questions you may have about this vulnerability and to address your concerns.