News

Cisco and Juniper products hit by Heartbleed bug

Simon Quicke
Ezine

This article can also be found in the Premium Editorial Download "MicroScope: MicroScope: May 2014."

Download it now to read this article plus other related content.

The Heartbleed bug continues to send ripples out across the industry with a host of vendors reporting that the malicious OpenSSL vulnerability has caught them on the hop and left a number of products exposed.

The latest names that have admitted they have to work quickly to patch the problem include Cisco and Juniper as they look to close off holes in routers and switches as they follow in the footsteps of several web retailers that have taken steps to remove their vulnerability.

Cisco updated customers on the situation reporting that it will be offering free software updates to help fix the problem that had an impact on "multiple products" that incorporate a version of the OpenSSL package that has been hit by the heartbleed bug.

"Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server," stated the vendor.

"The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. An exploit could send a specially crafted TLS or DTLS heartbeat packet to the connected client or server," the vendor added.

As a result of the bug a hacker could gain access to some of the memory, which could include private keys and passwords. That has led some firms to urge users to change their passwords.

Juniper also updated customers providing a list of the products that were vulnerable to the bug and indicated that it was already reacting to the problem and was, "working around the clock to provide fixed versions of code for our affected products".

There have also been some calls for calm following the initial panic earlier this week when users were being told to change their passwords immediately to ensure theh were protected.

"The Heartbleed bug exposes websites that use a popular encryption technology to malicious attacks, and some passwords — and personal data — may well have been compromised," said James Eaglesfield, service improvement and governance manager at the University of Derby.

“It’s tempting to freak out and change all your passwords immediately, but there’s no point in doing so before the sites you use are fixed, or else someone could just steal your new password," he added.


Join the conversation Comment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.