Cisco Systems continues to update the list of its products that may be vulnerable to the Heartbleed exploit, with the number standing at more than 80 as of April 14.
As news of the Heartbleed encryption flaw hit earlier this month, most of the discussion was focused on servers that might have been compromised. However, Cisco and Juniper Networks on April 9 announced that some of their networking gear was vulnerable to the threat, and promised to keep their customers up to date on the dangers and on what the vendors were doing to respond.
"It's recently been said that there is only one thing being discussed by IT security people right now—the OpenSSL heartbeat extension vulnerability (aka Heartbleed)," Nigel Glennie, senior manager of global corporate communications for Cisco, said in an April 11 post on the company blog. "As the guy responding to related media questions for Cisco, that certainly rings true. … We know that communicating quickly and openly about security vulnerabilities can result in a little extra public attention for Cisco. As a trustworthy vendor, this is something we're happy to accept."
According to the Heartbleed.com site, the bug is a flaw in certain versions of the OpenSSL software that enables "anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users."
An exploit could reveal up to 64 kilobytes of memory in the affected server.
The vulnerabilities in the networking and communications gear at Cisco and Juniper mean that someone using Heartbleed could access the memory banks of users' IP phones, computers, WebEx sessions and mobile devices.
"An attacker can use it to obtain the encryption keys used by a web site, allowing an attacker or spy agency to read all communications," Tatu Ylönen, inventor of SSH encryption and CEO of the SSH Communications Security, said in an email to eWEEK's Wayne Rash. "It can practically be used to obtain the server private key used for securing the server and communications to it, essentially breaching the certificates used for protecting the web site, which in turn allows decrypting past sessions as well as performing man-in-the-middle attacks (including banking fraud and identity theft) in most cases."
Cisco in an advisory has released a comprehensive list of products that are vulnerable to Heartbleed, those that aren't and some that may be. The networking giant has confirmed that more than two dozen—including IP phones, small cell networking products, TelePresence video conferencing systems and WebEx cloud meeting technologies—are vulnerable, while another three that were vulnerable have been updated to protect against the bug. Company officials are still investigating more than 80 other systems, from network switches and routers to firewalls, digital media players, wireless LAN products, communications software, video conferencing equipment and encoders.
"The impact of this vulnerability on Cisco products varies depending on the affected product," the company said in the advisory, which is regularly being updated. "Successful exploitation of the vulnerability may cause portions of memory from a client or server to be disclosed. Note that the disclosed portions of memory could potentially include sensitive information such as private keys."
In their own advisory, Juniper officials said the company had nine products impacted by the Heartbleed bug, including some versions of its virtual private network products, Junos operating system and Junos Pulse security software. The company is continuing to release patches to update the products and protect them against Heartbleed.
The company also listed the products not vulnerable to the exploit.
"At Juniper, several product teams worked round the clock to ensure that customers get updates on highest priority," Ajay Bharadwaj, product manager for mobile security at Juniper, wrote in an April 9 post on the company blog.