The Heartbleed Bug, a flaw in OpenSSL that would let attackers eavesdrop on Web, e-mail and some VPN communications, is a vulnerability that can be found not just in servers using it but also in network gear from Cisco and Juniper Networks. Both vendors say there's still a lot they are investigating about how Heartbleed impacts their products, and to expect updated advisories on a rolling basis.
“Expect a product by product advisory about vulnerabilities,” says Cisco spokesman Nigel Glennie, explaining that Cisco engineers are evaluating which Cisco products use the flawed versions of OpenSSL that may need a patch though not all necessarily will. That’s because Cisco believes it’s a specific feature in OpenSSL that is at the heart of the Heartbleed vulnerability and that it’s not always turned on in products.
So far, Cisco has carved out a list of about a dozen products listed as confirmed “vulnerable” to exploits based on the Heartbleed Bug, plus another list of over 60 products considered “affected” because of OpenSSL but still being investigated. About two dozen products have been confirmed to be “not vulnerable,” as well as the hosted Cisco service called Cisco Meraki Dashboard. Cisco also says its Webex service was vulnerable to the Heartbleed Bug but has been fixed.
This long list made by Cisco is subject to change and updates and at any moment, no specific software security updates have been made available, though could change at any time. Although the open-source OpenSSL group has issued software updates to patch the Heartbleed flaw, Cisco notes the appropriate process for Cisco products relies on Cisco evaluation and patch updates directly from Cisco.
The Heartbleed Bug is a vulnerability that appears to have existed in OpenSSL for about two years due to a simple coding mistake recently discovered by Google and Codenomicon security researchers and disclosed on Monday.
Cisco found out about the Heartbleed Bug at the same time as everyone else did when the OpenSSL site went public with the information, Glennie notes. Heartbleed is resulting in a staggering amount of ongoing work by Cisco engineers to determine its impact on Cisco gear.
Some security experts, including cryptography expert Bruce Schneier, are describing the Heartbleed Bug as a ‘catastrophic’ flaw because the vulnerable version of OpenSSL can be exploited by savvy attackers to eavesdrop on passwords or steal encryption certificates and keys. Cisco, though, says right now it’s giving Heartbleed a middle-range score on its severity rating scale in terms of Cisco products, noting that might rise in some cases based on specific ways any vulnerable versions of OpenSSL are used in Cisco products.
The main Cisco products now clearly evaluated as “vulnerable” are the Cisco AnyConnect Secure Mobility Client for iOS, Cisco IOS XE, the Cisco UCS B-Series (Blade) Servers, Cisco UCS C-Series (Standalone Rack Servers), Cisco Unified Communication Manager 10.0, Cisco Desktop Collaboration Experience DX650, Cisco TelePresence Video Communication Server, and three versions of Cisco IP phones.
But some Cisco IP phones have already been determined to be not vulnerable. Many other Cisco products are also not vulnerable, including Cisco Wireless LAN Controller, and the Cisco Web Security Appliance, the Cisco Content Management Appliance, Cisco e-mail security appliance.
Still under investigation is Cisco IOS, Cisco Identity Service Engine, and Cisco Secure Access Control Server, Cisco Cloud Web Security, and Cisco Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, plus dozens of others. Cisco will be continuously updating these lists based on known determinations of vulnerability, with any fixes needed for Heartbleed suggested in the future.
Juniper didn’t provide a spokesperson to discuss Heartbleed, but issued a statement saying, “The Juniper Networks Security Incident Response Team (SIRT) is aware of the OpenSSL vulnerability impacting the industry and is working round the clock on fixes to address potential risks to some Juniper products.”
Juniper notes it has published an advisory, which lists several vulnerable products, including those based on Junos OS 13.3R1, and Odyssey client 5.6r5 and later. Also vulnerable to Heartbleed Bug issues are the Juniper SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later. Some products are listed as “fixed.”
Products listed as “not vulnerable” include Junos OS 13.2 and earlier, non-FIPS version of Network Connect clients not vulnerable, and SSL VPN (IVEOS) 7.3, 7.2 and 7.1. Several other network and security products are also listed as “not vulnerable.” Other Juniper products listed as under investigation, including Stand Alone IDP, ADC and WL-Series (SmartPass).
In addition to this wide range of network gear impacted by the Heartbleed Bug, some versions of the Android operating system also appear to be subject to Heartbleed, according to mobile security vendor Lookout Security.
Marc Rogers, principal security researcher at Lookout, says so far the security firm has determined that the vulnerable versions of Google Android include only versions 4.1.1 and 4.2.2. The current version of Android 4.5 is not impacted, according to Lookout, likely because the feature causing all the Heartbleed commotion in OpenSSL was not enabled. Lookout has created a tool to let mobile-device users test for vulnerability to Heartbleed.
An Android fix for Heartbleed is something Lookout says it can’t provide but should come from the Android open-source project, which manufacturers of Android-based phones would be expected to deliver. It’s hard to come up with a definitive list of impacted Android mobile devices because Android itself has become so fragmented, Rogers concluded.
Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org