The Heartbleed security flaw in OpenSSL encryption that affected popular web and ecommerce sites also affects many of the Cisco and Juniper routers, switches and firewalls running those sites and the internet at large.
In a Cisco security alert updated Thursday, the company said many of its products use a version of OpenSSL affected by the vulnerability. Cisco acknowledged that this “could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.” Check out the Cisco update for a list of products that are or could be vulnerable. Juniper published a brief “high alert” on its support page, but customers have to log in for more information.
Vulnerable networking gear can be a tricky fix, since many people and small businesses don’t necessarily update that gear over time. As security expert Bruce Schneier told Marketwatch: “The upgrade path is going to involve a trash can, a credit card, and a trip to Best Buy.”
In related news, application performance and security specialist Cloudflare posted an interesting blog on how serious Heartbleed could be if an attacker can use it to harvest sensitive data from the 64 kilobytes of server memory it exposes, and issued a challenge for geeks to try. If an attacker is able to exploit standard buffer over-read bugs to get that information, it would be a “nightmare scenario … requiring virtually every service to reissue and revoke its SSL certificates. Note that simply reissuing certificates is not enough, you must revoke them as well,” Cloudflare said.
OpenSSL is used in an estimated two-thirds of all active sites. Researchers from Google and security firm Codenomicon found the flaw, and Codenomicon came up with the now ubiquitous Heartbleed logo.