ASA 9.2 and Heartbleed

Short after the openssl Heartbleed vurnearability was publiced Cisco announced that Cisco ASA was NOT affected by Heartbleed because it runs an older version of OpenSSL.

 

Today, 2014-04-25, Cisco updated its Feature-list of Cisco ASA software versions with the long awaited v9.2.

 

But w000t? From now on Cisco ASA runs OpenSSL v1.0.1e (which IS affected by Heartbleed)! WhatΒ΄s happening. Cisco?

 

Screenshot 2014-04-25 20.06.47

 

 

Edit. I posted this and sent the URL to one of my contacts at Cisco. Less than 2 hours later Cisco added a note to the Release Notes:

Screenshot 2014-04-26 17.05.08

 

So. Cisco did NOT add heartbleed as a new feature in ASA v9.2. My guess is that they upgraded to 1.0.1e in a beta of 9.2 and before got aware of Heartbleed just days before releasing 9.2. And instead of upgrading OpenSSL to 1.0.1g they disabled SSL heartbeat.

Β 

So what I found was probably a bug in the documentation. πŸ™‚

Β 

Β 

Posted in Uncategorized
2 comments on “ASA 9.2 and Heartbleed
  1. Oscar Virot says:

    Hi.

    1. if you look at http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/release/notes/asarn92.html you will find the following.

    The version of OpenSSL on the ASA will be updated to version 1.0.1e.

    Note We disabled the heartbeat option, so the ASA is not vulnerable to the Heartbleed Bug.

    2. Its not May yet πŸ™‚

  2. Hi Oscar!

    Thanks for your comment! When I wrote this post I also noticed Cisco and less than 2 hours later the release notes have been updated with this “we disabled the heartbeat option”. Amazing how quick things can happen. πŸ™‚ the link “Feature-list” above gives you a locally stored copy of the release notes where the “disables option” is not mentioned, just as the screen shot above. πŸ™‚

    Never mind, the important thing is that the 9.2 release is not vurnerable!

    Best regards
    Jimmy

Leave a Reply

Your email address will not be published.

*

Signuppp

[mc4wp_form id="2457"]
Website Security Test