Many products use OpenSSL but not all of them are affected. Some
products use OpenSSL only for its implementation of various cryptographic
functions and are not affected by this vulnerability.
In order to perform a Man-in-The-Middle (MiTM) attack, the attacker
must insert themselves in the communication channel between two parties. They
will then mimic the intended recipient for both parties. In practical terms,
this usually means that the attacker must terminate each session on the host
they control and then initiate a new session to the intended recipient.
There are several ways an attacker can perform MiTM attacks, including
spoofing DHCP information and sending gratuitous ARPs to the switch. The IP
Source Guard and Dynamic ARP Inspection features can be used to block that
It may be possible to execute MiTM attacks in wireless networks that
use the Extensible Authentication Protocol (EAP). Cisco recommends the use of
the Protected EAP (PEAP) protocol to block this particular attack
Another possible vector can be DNS poisoning. This attack vector can be
mitigated by using the BIND v9.x DNS software from
The following products are affected by this vulnerability:
Cisco ASA 5500 and Cisco PIX running 7.x
Starting from the release 7.0 Cisco PIX and ASA platforms share the
same software. Associated DDTS for both platforms is CSCsc48330.
All Cisco ASA software releases up to 126.96.36.199 are affected. Affected
software releases for Cisco PIX are from 7.0.1 to 188.8.131.52 only. The first fixed
software for both platforms will be interim release 184.108.40.206. It will be
available on 2005-Dec-02.
CiscoWorks Common Services (CWCS) version 3.0 and CiscoWorks
Common Services (CWCS) version 2.2
Associated DDTS is CSCsc27533. Point patch for CWCS 2.2 customers
should be available by 2005-Dec-07. For CWCS 3.0 customers, the point patch
will be available by 2005-Dec-16. This fix will also be integrated in to
forthcoming CWCS 3.0.3 release, which is expected to be available for customers
during January 2006.
Cisco Mainframe Channel Connection (CMCC) - PA-4C-E, PA-1C-E,
PA-1C-P, CX-CIP2 tn3270 server
Associated DDTS is CSCej54402. Software releases up to version 28-22
are affected. The first fixed software release will be 28-23. It is scheduled
for release in January 2006.
Cisco Global Site Selector (4480, 4490, 4491)
Associated DDTS is CSCsc33835. Software releases up to version 1.2
are affected. The first fixed release is 1.2(2.2.0). In addition to that, a
Sustaining Release 1.1(1.7.0) has been made available and it contains the fix
for this issue.
Cisco Wireless Control System Software
Associated DDTS is CSCsc58356. Software release up to version 4.0 are
affected. The first fixed software release will be 4.0. It will be available
during February 2006.
Associated DDTS is CSCek01123. Software releases up to version 3.3
are affected. The first fixed release will be 3.3. It is expected during April
2006. SMU AA01341 is available for IOS-XR 3.2.2 which can be obtained by
contacting the TAC.
The following products are confirmed to be not affected by this
Cisco PIX Firewall releases 6.x and below
Associated DDTS is CSCsc36311. While PIX Firewalls running software
version 6.x and below are not affected, this DDTS was opened to make the
changes recommended by the OpenSSL team and to prevent the possibility that PIX
6.x becomes vulnerable to this issue in the future.
Cisco Catalyst 6500 Series Firewall Services
Associated DDTS is CSCsc34709. While Cisco Catalyst 6500 Series FWSM
is not affected this DDTS was opened to prevent possibility that it becomes
vulnerable to this issue in the future. The first software release with this
fix will be 2.3.
Cisco Content Service Switch (CSS) family
Associated DDTS is CSCej62856. While Cisco CSS is not affected this
DDTS was opened to prevent possibility that Cisco CSS becomes vulnerable to
this issue in the future.
Cisco Call Manager releases 4.x
Transport Layer Security (TLS), the component that uses OpenSSL, was
first introduced in the software release 4.0. Releases prior 4.0 are also not
Cisco SIP Proxy Server
Cisco ONS15xxx family
Cisco Secure Policy Manager
Cisco Intrusion Detection System family of
Cisco Intrusion Prevention System family of
IP Mobility Client
Cisco Security Agent
Cisco MDS 9000 Series Multilayer SAN
Cisco CTI Object Server (CTI
Other products are being investigated.