Product Specific Information

Cisco has made available additional information in the following document: https://meraki.cisco.com/blog/2014/04/openssl-and-the-heartbleed-vulnerability/

The following products leverage the Small cell factory recovery root filesystem V2.99.4 or later. The factory recovery root filesystem is not stored in flash but is downloaded from Cisco USC CloudBase and only used for the duration of the activation/recovery process. OpenSSL is called by the cURL application, which is itself called from a shell script so a malicious user would have no exposure to any Cisco proprietary code and the memory space of the cURL process would not contain any private keys:

DPH-SO16 (Cisco, formerly Ubiquisys)

FAPE-HSP-5620 (OEM)

FAPO-HSP-5900 (OEM)

FAPR-HSP-5110 (OEM)

FC1020 (Cisco, formerly Ubiquisys)

FC1021 (Cisco, formerly Ubiquisys)

FC1022 (Cisco, formerly Ubiquisys)

FC1060 (Cisco, formerly Ubiquisys)

FC1080 (Cisco, formerly Ubiquisys)

FC170U (Cisco, formerly Ubiquisys)

FC173U (Cisco, formerly Ubiquisys)

FC233U (Cisco, formerly Ubiquisys)

FC235U (Cisco, formerly Ubiquisys)

FC270U (Cisco, formerly Ubiquisys)

FEMTO-G3 (Cisco, formerly Ubiquisys)

FEMTOAP-SR1 (Cisco, formerly Ubiquisys)

FEMTOAP-SR2 (Cisco, formerly Ubiquisys)

FMA16301T (OEM)

FP16201 (OEM)

FP8101 (OEM)

FP8131T (OEM)

FPA16241T (OEM)

FPLUS2 (Cisco, formerly Ubiquisys)

G5 (Cisco, formerly Ubiquisys)

G6 (Cisco, formerly Ubiquisys)

S2000 (OEM)

SH170U (Cisco, formerly Ubiquisys)

SH173U (Cisco, formerly Ubiquisys)

USC3331 (Cisco)

USC5310 (Cisco)

USC5330 (Cisco)

USC7330 (Cisco)

USC9330 (Cisco)

ZM-000-05-0005 (Cisco, formerly Ubiquisys)

ZP-000-05EU-0004 (Cisco, formerly Ubiquisys)

ZP-000-07EU-0001 (Cisco, formerly Ubiquisys)

ZP-001-03EU-0003 (Cisco, formerly Ubiquisys)

ZP-001-03EU-0005 (Cisco, formerly Ubiquisys)

ZP-001-03EU-0006 (Cisco, formerly Ubiquisys)

ZP-005-02EU-0002 (Cisco, formerly Ubiquisys)

A malicious user cannot get the private key of the Universal Small Cell (USC) product as the private keys are held in a separate protected memory space; however, the malicious user may be able to access memory containing the Small Cell internal O&M database and configuration details.

Cisco Unified Communications Manager (UCM) version 10.0, Cisco Unity Connection (UC) version 10.0, and Cisco Unified Presence Server (CUPS) version 10.0 are affected by the OpenSSL vulnerability described in this advisory. An unauthenticated, remote attacker with the ability to open a TCP connection to an affected port may exploit the vulnerability. Successful exploitation may allow the attacker to disclose potentially sensitive information.



Cisco voice and presence devices open a number of service ports to accept connections from users, administrators, phones, and IP voice gateways. A majority of these services are secured utilizing SSL or TLS and may be leveraged by an attacker to exploit the vulnerability.

Cisco Unified 7800 Series, Cisco Unified 8961, Cisco Unified 9951, and Cisco Unified 9971 IP Phones may be exposed to the vulnerability when the secure Web Management interface is enabled. Additionally, attacks may be executed via secure SIP and secure RTP.



An unauthenticated, remote attacker with the ability to reach the Web Management interface when enabled, or that can place a direct secure SIP call to the device may trigger the vulnerability. Successful exploitation may allow the attacker to disclose potentially sensitive information.



Voice networks that have been deployed using Cisco Secure Configuration Guidelines are at a reduced risk from outside attackers. Phones that have been segmented from the common use network should restrict the attack surface to other phones and users who have direct access to the voice network.

Cisco Desktop Collaboration Experience DX650 devices may be exposed via the secure Web Management Interface when enabled. These devices may also be exploited via secure SIP, secure RTP, as well as any other application installed on the device that utilizes the system-supplied OpenSSL library.



An unauthenticated, remote attacker with the ability to reach the Web Management interface when enabled can place a direct secure SIP call to the device, or access an affected service may trigger the vulnerability. Successful exploitation may allow the attacker to disclose potentially sensitive information.



Voice networks that have been deployed using Cisco Secure Configuration Guidelines are at a reduced risk from outside attackers. Phones that have been segmented from the common use network should restrict the attack surface to other phones and users who have direct access to the voice network.

Cisco provides a comprehensive design guide for all voice network deployments. This includes suggested security feature configurations on intermediate and edge devices to prevent spoofed traffic from being passed on the voice network as well as the isolation and segregation of voice traffic from general network traffic. Security information for Cisco Collaboration Systems 10.x is available at the following link: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/security.html

This vulnerability does not affect the versions of Cisco AnyConnect Secure Mobility Client released for devices running iOS 5 or earlier.

Cisco IOS XE Software Release First Fixed Release 2.x.x Not vulnerable 3.1.xS Not vulnerable 3.1.xSG Not vulnerable 3.2.xS Not vulnerable 3.2xSE Not vulnerable 3.2.xSG Not vulnerable 3.2.xXO Not vulnerable 3.2.xSQ Not vulnerable 3.3.xS Not vulnerable 3.3.xSE Not vulnerable 3.3xSG Not vulnerable 3.3xXO Not vulnerable 3.3xSQ Not vulnerable 3.4.xS Not vulnerable 3.4.xSG Not vulnerable 3.5.xS Not vulnerable 3.5.xE Not vulnerable 3.6.xS Not vulnerable 3.6.xE Not vulnerable 3.7.xS Not vulnerable 3.8.xS Not vulnerable 3.9.xS Not vulnerable 3.10.xS Not vulnerable 3.11.xS Vulnerable 3.12.xS Vulnerable 3.12.0aS Not vulnerable 3.11.2S Not vulnerable

The product was initially reported as vulnerable; however, upon additional review it was ascertained that no published releases are vulnerable to this issue.

A vulnerability in the Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) heartbeat functionality in OpenSSL used in multiple Cisco products could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.The vulnerability is due to a missing bounds check in the handling of the TLS heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or DTLS client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. The attacker could then send a specially-crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords.This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0160The criteria used to establish whether a Cisco product or service is vulnerable is solely whether it relies on an affected version of the OpenSSL library in order to implement a TLS/DTLS client or server. The criteria does not restrict the analysis to any specific set of protocols that the client or server may implement (eg: HTTPS, SMTP, EAP, etc.).Based on this criteria the products that are listed in this security advisory as not vulnerable are such no matter which attack vector an attacker may attempt to use to exploit Heartbleed.The Cupid attack exploits the Heartbleed bug using the EAP protocol as an attack vector to target the TLS layer in EAP-TLS. The products that are listed in this security advisory that are not vulnerable to the Heartbleed vulnerability are also unaffected by the Cupid attack.The impact of this vulnerability on Cisco products may vary depending on the affected product.Given the unique characteristics of the Heartbleed vulnerability, Cisco recommends customers to generate new public/private key pairs, obtain a new certificate for that key pair, and install the new certificate and associated key pair as appropriate on all affected deployments after installing the software updates. This is general advice appropriate for Cisco and non-Cisco devices.For Cisco products, please refer to the information provided in the Cisco bug IDs, listed in the Affected Products section of this document. Additional information and detailed instructions on how to perform those tasks are available on the Cisco installation, configuration and maintenance guides for each product. If additional clarification or advice is needed, please contact your support organization.