
Summary:

Don’t let down your guard. While many websites have been patched against Heartbleed, a lot of the hardware running the internet is also vulnerable.


The Heartbleed security flaw in OpenSSL encryption that affected popular web and ecommerce sites also affects many of the Cisco and Juniper routers, switches and firewalls running those sites and the internet at large.

In a Cisco security alert updated Thursday, the company said many of its products use a version of OpenSSL affected by a vulnerability. Cisco acknowledged that this “could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.” Check out the Cisco update for a list of products that are or could be vulnerable. Juniper published a brief “high alert” on its support page, but customers have to log in for more information.

Vulnerable networking gear can be tricky to fix, since many people and small businesses don’t necessarily update that gear over time. As security expert Bruce Schneier told MarketWatch: “The upgrade path is going to involve a trash can, a credit card, and a trip to Best Buy.”

In related news, application performance and security specialist Cloudflare posted an interesting blog post on how serious Heartbleed can be if it can harvest 64 kilobytes of server memory, and issued a challenge for geeks to do so. If an attacker is able to exploit standard buffer over-read bugs to get that information, it would be a “nightmare scenario … requiring virtually every service to reissue and revoke its SSL certificates. Note that simply reissuing certificates is not enough, you must revoke them as well,” Cloudflare said.

OpenSSL is used in an estimated two-thirds of all active sites. Researchers from Google and security firm Codenomicon found the flaw, and Codenomicon came up with the now ubiquitous Heartbleed logo.


  1. Zoinks!

  2. Dude, Cisco’s alert did not cover routers.

    1. @alex you are right, despite numerous reports saying routers were on the list of affected hardware, Cisco’s own list here http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed deems its routers to be unaffected. But people should read the list. Dozens of products including lots of Nexus Switches, telepresence gear are listed as vulnerable and more potentially at risk.
