Heartbleed: Cisco, Juniper Find Bug, Apple Says No Effect

Networking giants Cisco Systems (CSCO) and Juniper Networks (JNPR) have found the Heartbleed bug in the OpenSSL encryption library, referred to as “catastrophic” by security experts, in their networking equipment, including routers, switches and firewalls, widening an already open door for intruders to steal user names, passwords or other sensitive information from businesses and consumers.

DH Kass, Senior Contributing Blogger

April 11, 2014

The flaw, codenamed Heartbleed and initially reported by security vendor Codenomicon, affects websites that use the OpenSSL encryption software, or about seven in 10 sites. When encryption is active, those sites display a small “lock” icon in the URL bar.

Right now, a huge question among security experts is whether someone intentionally put the Heartbleed bug into OpenSSL or whether it is unfortunate happenstance. No one seems to know at this point, but channel partners’ customers undoubtedly will be looking their way for answers.

The flaw has IT providers, businesses and organizations scrambling to determine which devices are affected and the extent of their vulnerability. High-traffic providers such as Amazon (AMZN) and Yahoo (YHOO) are in the clear, and Apple (AAPL) said its iOS and OS X operating platforms and its mobile, desktop and Internet services aren’t affected.

“iOS and OS X never incorporated the vulnerable software and key web-based services were not affected,” an Apple spokesperson said.

But Cisco and Juniper are another matter, with others certain to follow. Cisco issued an advisory acknowledging that “multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.”

The vendor then produced a list of more than 65 products affected by the security vulnerability and supplied users with a workaround.

“Heartbleed is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f. If you have not upgraded to OpenSSL 1.0.1g or installed a version of OpenSSL with -DOPENSSL_NO_HEARTBEATS it is strongly recommended that you do so immediately,” Cisco told users.

“This vulnerability allows the attacker to read up to 64KB of heap memory from the victim without any privileged information or credentials. How is this possible? In short, OpenSSL's heartbeat processing functions use an attacker controlled length for copying data into heartbeat responses. Both DTLS and TLS heartbeat implementations are vulnerable.”
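The length check that Cisco's description points to, written here as an added example in C rather than OpenSSL's own code: a heartbeat handler that validates the claimed payload_length against the record actually received before echoing anything, so a request that claims more bytes than it carries is dropped. The record layout follows RFC 6520, and the sample records are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat record (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, the payload, then at least 16 bytes of padding.
 * The Heartbleed defect was trusting payload_length without comparing it
 * to the record actually received, so the echo copied adjacent heap memory. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16
#define HB_REJECT (-1)

/* Returns the validated payload length, or HB_REJECT (send nothing) when
 * the claimed length cannot fit inside the received record. */
int hb_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_REJECT;                 /* too short to hold header + padding */
    unsigned claimed = ((unsigned)rec[1] << 8) | rec[2];
    /* The check the vulnerable code lacked: header + payload + padding <= record. */
    if ((size_t)HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len)
        return HB_REJECT;
    return (int)claimed;
}

/* Writes a heartbeat_response to out; returns bytes written, or 0 if rejected.
 * Padding is zeroed here for simplicity (the RFC specifies random bytes). */
size_t hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    int n = hb_payload_len(rec, rec_len);
    if (n < 0 || (size_t)n + HB_HEADER_LEN + HB_MIN_PADDING > out_cap)
        return 0;
    out[0] = 2;                           /* HeartbeatMessageType: heartbeat_response */
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)n;
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)n); /* n is bounded by rec_len */
    memset(out + HB_HEADER_LEN + n, 0, HB_MIN_PADDING);
    return HB_HEADER_LEN + (size_t)n + HB_MIN_PADDING;
}

int main(void)
{   /* Constructed sample records, not captured traffic. */
    uint8_t good[24] = {1, 0, 5, 'h', 'e', 'l', 'l', 'o'};  /* remaining bytes are padding */
    uint8_t bad[19] = {1, 0xFF, 0xFF}, resp[64];            /* claims 65535 bytes, carries none */
    printf("good: %d bytes echoed in a %zu-byte response; bad: %d (rejected)\n",
           hb_payload_len(good, sizeof good), hb_build_response(good, sizeof good, resp, sizeof resp),
           hb_payload_len(bad, sizeof bad));
    return 0;
}
```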

Juniper said it is fixing the problem and has issued a patch for some versions of its VPN software. But there’s no quick solution. “It doesn’t sound like a flip the switch sort of thing,” a company spokesperson said. “I don’t know how quickly they can be resolved.”

A catastrophic bug

One security expert has called Heartbleed “catastrophic.” Bruce Schneier, who’s been blogging about security issues for 10 years, wrote, “On the scale of one to 10, this is an 11.” He estimated more than 500,000 websites are vulnerable, and pointed users to a utility for testing whether their own site is affected.

“Basically, an attacker can grab 64K of memory from a server,” Schneier wrote. “The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory—SSL private keys, user keys, anything—is vulnerable. And you have to assume that it is all compromised. All of it.”

The question no longer involves patching the bug, he said, it’s what’s required afterward.

“After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected,” Schneier said. “The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.”

Password changes

Security experts are urging users to update their passwords once a provider has updated its security software. One way to keep updating many passwords manageable is to use password management software that keeps track of passwords across many accounts.

CNN Money said the following websites have been patched and are ready for password changes:

  • Google, YouTube and Gmail

  • Facebook

  • Yahoo, Yahoo Mail, Tumblr, Flickr

  • OKCupid

  • Wikipedia

These websites are unaffected so no password change is needed:

  • Amazon

  • AOL and Mapquest

  • Bank of America

  • Capital One Bank

  • Charles Schwab

  • Chase Bank

  • Citibank

  • E*Trade

  • Fidelity

  • HSBC Bank

  • LinkedIn

  • Microsoft, Hotmail and Outlook

  • PayPal

  • PNC bank

  • Scottrade

  • TD Ameritrade

  • Twitter

  • U.S. Bank

  • Vanguard

  • Wells Fargo

No word yet:

  • American Express

About the Author

DH Kass

Senior Contributing Blogger, The VAR Guy