Heartbleed: Cisco, Juniper Find Bug, Apple Says No Effect
Networking giants Cisco Systems (CSCO) and Juniper Networks (JNPR) have found the Heartbleed encryption OpenSSL bug, referred to as “catastrophic” by security experts, in their networking equipment—including routers, switches and firewalls—widening an already open door for intruders to steal user names, passwords or other sensitive information from businesses and consumers.
The codenamed Heartbleed flaw, initially reported by security vendor Codenomicon, affects websites that use OpenSSL encryption software, or about seven in 10 sites. When activated, those sites display a small “lock” icon in the URL bar.
Right now, a huge question among security experts is, Did someone intentionally put the Heartbleed bug into OpenSSL or is this unfortunate happenstance? No one seems to know at this point, but channel partners’ customers undoubtedly will be looking their way for answers.
The flaw has IT providers, businesses and organizations scrambling to determine affected devices and the extent of their vulnerability. High-traffic providers such as Amazon (AMZN) and Yahoo (YHOO) are clear and Apple (AAPL) said its iOS and OS X operating platforms and mobile, desktop and Internet services aren’t affected.
“iOS and OS X never incorporated the vulnerable software and key web-based services were not affected,” an Apple spokesperson said.
But Cisco and Juniper are another matter, with others certain to follow. Cisco issued an advisory acknowledging that “multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.”
The vendor produced a list of more than 65 products affected by the security vulnerability and supplied users with a workaround.
“Heartbleed is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f. If you have not upgraded to OpenSSL 1.0.1g or installed a version of OpenSSL with -DOPENSSL_NO_HEARTBEATS it is strongly recommended that you do so immediately,” Cisco told users.
“This vulnerability allows the attacker to read up to 64KB of heap memory from the victim without any privileged information or credentials. How is this possible? In short, OpenSSL's heartbeat processing functions use an attacker controlled length for copying data into heartbeat responses. Both DTLS and TLS heartbeat implementations are vulnerable.”
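The missing length check Cisco's statement describes, as an added illustration that is not code from Cisco or from OpenSSL: a heartbeat record carries a one-byte type, a two-byte payload length chosen by the sender, the payload, and at least 16 bytes of padding; the hardened handler below refuses any record whose claimed payload does not fit inside the bytes actually received, which is the substance of the 1.0.1g fix. The function name and the constructed records are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520 requires at least 16 bytes of padding */

/* Parse one TLS heartbeat record and build the echo response.
 * rec/rec_len: the received record (type, 2-byte length, payload, padding).
 * out/out_cap: buffer for the response.
 * Returns the response length, or -1 if the record is malformed and must be
 * silently discarded. Name and layout are this example's own. */
int process_heartbeat(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)   /* too short to carry a valid record */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* sender-controlled */
    /* This is the check absent from OpenSSL 1.0.1 through 1.0.1f: the claimed
     * payload plus mandatory padding must fit in the bytes actually received.
     * Without it, memcpy below would read past the record into heap memory. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    if (1 + 2 + payload + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);          /* echo only what was received */
    memset(out + 3 + payload, 0, HB_PADDING);   /* real code uses random padding */
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* Constructed records for a stand-alone run: one well-formed request with a
 * 3-byte payload, and one that claims 65535 payload bytes but carries 3. */
int main(void)
{
    uint8_t good[1 + 2 + 3 + HB_PADDING] = {HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c'};
    uint8_t bad[1 + 2 + 3 + HB_PADDING]  = {HB_REQUEST, 0xff, 0xff, 'a', 'b', 'c'};
    uint8_t resp[64];
    printf("well-formed record -> %d\n", process_heartbeat(good, sizeof good, resp, sizeof resp));
    printf("mismatched record  -> %d\n", process_heartbeat(bad, sizeof bad, resp, sizeof resp));
    return 0;
}
```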
Juniper said it is fixing the problem and has issued a patch for some versions of its VPN software. But there’s no quick solution. "It doesn't sound like a flip the switch sort of thing," a company spokesperson said. "I don't know how quickly they can be resolved."
A catastrophic bug
One security expert has called Heartbleed “catastrophic.” Bruce Schneier, who’s been blogging about security issues for 10 years, wrote, “On the scale of one to 10, this is an 11.” He estimated more than 500,000 websites are vulnerable, and pointed users to a utility for testing whether their own site is affected.
“Basically, an attacker can grab 64K of memory from a server,” Schneier wrote. “The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory—SSL private keys, user keys, anything—is vulnerable. And you have to assume that it is all compromised. All of it.”
The question no longer involves patching the bug, he said, it’s what’s required afterward.
“After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected,” Schneier said. “The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof,” he said.
Password changes
Security experts are urging users to update their passwords after a provider has updated its security software. One way around updating multiple passwords by hand is to use password management software that keeps track of passwords across many accounts.
CNN Money said the following websites have been patched and are ready for password changes:
Google, YouTube and Gmail
Facebook
Yahoo, Yahoo Mail, Tumblr, Flickr
OKCupid
Wikipedia
These websites are unaffected so no password change is needed:
Amazon
AOL and Mapquest
Bank of America
Capital One Bank
Charles Schwab
Chase Bank
Citibank
E*Trade
Fidelity
HSBC Bank
LinkedIn
Microsoft, Hotmail and Outlook
PayPal
PNC bank
Scottrade
TD Ameritrade
Twitter
U.S. Bank
Vanguard
Wells Fargo
No word yet:
American Express