Heartbleed and Cisco ASAs

There is a lot of worried server admins around the globe at the moment due to the Heartbleed bug vulnerability in OpenSSL (CVE-2014-0160).

The heartbleed bug allows 64k dumps of an affected systems memory, so with enough 64k dumps there is the potential to grab usernames, passwords etc that would normally be protected through SSL/TLS.

You can read about the bug over on heartbleed.com.

Cisco ASAs incorporate a number of open-source programs, and OpenSSL is one of them.

Heartbleed only affects OpenSSL version 1.0.1 through to 1.0.1f. Cisco ASAs (9.0) are running 0.9.8f or 0.9.8i which are not affected.

For the list of open-source software incorporated into ASAs Cisco have published a list here for 9.0.
You can also test your servers here (but it does seem to be running a bit slow – probably due to all the worried sysadmins testing their exposure).

For other versions of ASAs there are lists of the open-source software used for 8.4, and for 8.1.

Although the ASA is not directly affected, externally facing servers that pass traffic through the ASA should be checked.