Cisco, Juniper Issue Heartbleed AlertsCompanies List Products with Vulnerabilities
Technology companies Cisco and Juniper Networks have issued alerts about which of their products are vulnerable to the Heartbleed bug.
See Also: Data Security Risk: A CISO's Perspective
Cisco, in its April 10 advisory, says OpenSSL is used in multiple Cisco products, and the vulnerability to Heartbleed could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kb from a connected client or server.
"The vulnerability is due to a missing bounds check in the handling of the TLS heartbeat extension," Cisco says. "An attacker could exploit this vulnerability by implementing a malicious TLS or DTLS client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client."
Cisco in its alert lists the products that are impacted by the Heartbleed vulnerability, including TelePresence Video Communication Server, Desktop Collaboration Experience DX650 and Unified IP Phones 9900 Series Firmware, to name a few.
Juniper Networks also acknowledges that it has several products that are affected by the OpenSSL issue.
Juniper says impacted products include Junos OS 13.3R1, Odyssey client 5.6r5 and later, Network Connect (Windows only, various versions), Junos Pulse on Android version 4.2R1 and higher, and Junos Pulse on iOS version 4.2R1 and higher, among others. The company has a complete list of vulnerable and non-vulnerable products online.
Software company Entrust says it's offering free certificate renewals and revocation to customers impacted by the Heartbleed bug.
"SSL certificates remain the industry standard for secure transactions across the Internet, playing a pivotal role in online commerce around the world, including retail shopping and banking," says David Rockvam, Entrust's senior vice president of product management and SaaS offerings. "When properly implemented, SSL remains the single most important security mechanism for ensuring end-to-end authentication and encryption."
One security warning being issued following the announcement of the Heartbleed bug was for end-users to change their passwords. But Entrust, in a statement, says doing so won't do much good until a fix to Heartbleed is in place.
Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as Web, e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software," says Codenomicon, the Finland-based security vendor that discovered the bug, along with a researcher at Google Security. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."
Codenomicon says Fixed OpenSSL has been released and needs to be deployed now across websites vulnerable to the bug.
David Chartier, CEO of Codenomicon, the company that uncovered the Heartbleed bug, says organizations need to properly test and vet the critical software components and applications to identify unknown weaknesses in them. "The best defense is to have secure software," he says (see: Heartbleed Discoverer Speaks Out).
Additionally, organizations can use an online tool to see if their website is vulnerable.
The Federal Financial Institutions Examination Council issued a statement April 10 stating that it expects financial institutions to incorporate patches on systems and services, applications and appliances using OpenSSL and upgrade systems as soon as possible to address the Heartbleed vulnerability (see: Heartbleed: Gov. Agencies Respond). Additionally, the Federal Deposit Insurance Corp., Internal Revenue Service, and the Canada Revenue Agency all issued statements on the OpenSSL vulnerability.
Information Security Media Group polled security experts in banking, government and healthcare, as well as the research and vendor communities, for insights on Heartbleed and how organizations should respond to it (see: How to Treat the Heartbleed Bug).