Cisco finds 13 products (so far) vulnerable to Heartbleed—including phones

Cisco has issued a security bulletin for customers about the Heartbleed bug in the OpenSSL cryptography code, and it’s not about Web servers. So far, the company has unearthed 11 products and 2 services susceptible to attack through the vulnerability, which can be used to retrieve random bits of content from an attacked device’s memory. Cisco’s IOS XE operating system for network hardware is one of the higher-profile products on the company's list.

Cisco has already patched the two services—Cisco’s Registered Envelope Service (CRES) and Webex Messenger Service—that were deemed vulnerable. Most of the remaining products on Cisco's list are connected to the company’s collaboration products, such as its UCS unified messaging platform. They also include IP telephones, communications servers, and messaging systems:

  • Cisco AnyConnect Secure Mobility Client for iOS
  • Cisco Desktop Collaboration Experience DX650
  • Cisco Unified 7800 series IP Phones
  • Cisco Unified 8961 IP Phone
  • Cisco Unified 9951 IP Phone
  • Cisco Unified 9971 IP Phone
  • Cisco TelePresence Video Communication Server (VCS)
  • Cisco IOS XE
  • Cisco UCS B-Series (Blade) Servers
  • Cisco UCS C-Series (Stand alone Rack) Servers
  • Cisco Unified Communication Manager (UCM) 10.0
  • Cisco Registered Envelope Service (CRES)
  • Cisco Webex Messenger Service

The list isn’t yet complete—the company is still investigating whether over 60 additional products, including other versions of the IOS operating system and other network hardware, are vulnerable.
