Heartbleed Bug hits at heart of many Cisco, Juniper products

The Heartbleed Bug, a flaw in OpenSSL that would let attackers eavesdrop on Web, e-mail and some VPN communications, is a vulnerability that can be found not just in servers using it but also in network gear from Cisco and Juniper Networks. Both vendors say there's still a lot they are investigating about how Heartbleed impacts their products, and to expect updated advisories on a rolling basis.

Juniper detailed a long list in two advisories, one here and the other here. Cisco acted in similar fashion with its advisory.

"Expect a product by product advisory about vulnerabilities," says Cisco spokesman Nigel Glennie, explaining that Cisco engineers are evaluating which Cisco products use the flawed versions of OpenSSL that may need a patch though not all necessarily will. That's because Cisco believes it's a specific feature in OpenSSL that is at the heart of the Heartbleed vulnerability and that it's not always turned on in products.
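The distinction Cisco draws, that a product ships a flawed OpenSSL version but may have the offending feature disabled, is something an administrator can check on their own hosts before an advisory arrives. The example below is added here and is not code from the article, Cisco, Juniper or Lookout. It takes the text printed by `openssl version -a` (a real command; the two sample outputs are constructed), checks whether the reported release falls in the upstream range that carried the bug (1.0.1 through 1.0.1f; 1.0.1g and later are fixed, and 1.0.0 and 0.9.8 never had the heartbeat code), and checks whether the build flags show heartbeats compiled out with `-DOPENSSL_NO_HEARTBEATS`. A vulnerable-looking version is reported as "review" rather than "vulnerable" because distributions often backport the fix without changing the version string, which is the same reason the article gives for relying on the vendor's own patch process.

```python
import re

# Constructed sample of `openssl version -a` output on a host with a
# 1.0.1-series library and no build flag disabling heartbeats.
SAMPLE_VULNERABLE_RANGE = """\
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr  7 20:33:29 UTC 2014
platform: debian-amd64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3
"""

# Constructed sample where the same release was built with heartbeats
# compiled out, the situation Cisco describes for some of its products.
SAMPLE_NO_HEARTBEATS = """\
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr  7 20:33:29 UTC 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS -O3
"""

LAST_VULNERABLE_LETTER = "f"  # upstream 1.0.1 .. 1.0.1f carry the bug


def parse_version(banner):
    """Return (major, minor, patch, letter) from an OpenSSL version line,
    or None if no version line is present."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def version_in_vulnerable_range(version):
    """True only for upstream releases 1.0.1 (no letter) through 1.0.1f."""
    major, minor, patch, letter = version
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter == "" or (len(letter) == 1 and letter <= LAST_VULNERABLE_LETTER)


def assess(version_a_output):
    """Classify a host from its `openssl version -a` text.

    Statuses:
      not_vulnerable - release outside the affected range, or heartbeats
                       compiled out at build time
      review         - affected upstream release with heartbeats enabled;
                       confirm against the vendor's advisory or package
                       changelog, since backported fixes keep the version
      unknown        - no OpenSSL version line found
    """
    version = parse_version(version_a_output)
    if version is None:
        return {"status": "unknown", "reason": "no OpenSSL version line"}
    heartbeats_off = "-DOPENSSL_NO_HEARTBEATS" in version_a_output
    if not version_in_vulnerable_range(version):
        return {"status": "not_vulnerable",
                "reason": "release outside the 1.0.1..1.0.1f range"}
    if heartbeats_off:
        return {"status": "not_vulnerable",
                "reason": "built with OPENSSL_NO_HEARTBEATS"}
    return {"status": "review",
            "reason": "affected release with heartbeats enabled; "
                      "check vendor patch state"}


if __name__ == "__main__":
    for name, text in (("vulnerable-range host", SAMPLE_VULNERABLE_RANGE),
                       ("no-heartbeats host", SAMPLE_NO_HEARTBEATS)):
        print(name, assess(text))
```

On a real host the input is simply `subprocess.check_output(["openssl", "version", "-a"], text=True)`; the script stops at classification and does nothing on the network.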


So far, Cisco has carved out a list of about a dozen products listed as confirmed "vulnerable" to exploits based on the Heartbleed Bug, plus another list of over 60 products considered "affected" because of OpenSSL but still being investigated. About two dozen products have been confirmed to be "not vulnerable," as well as the hosted Cisco service called Cisco Meraki Dashboard. Cisco also says its Webex service was vulnerable to the Heartbleed Bug but has been fixed.

This long list is subject to change and updates at any moment. As of now, Cisco has made no specific software security updates available, though that could change at any time. Although the open-source OpenSSL group has issued software updates to patch the Heartbleed flaw, Cisco notes that the appropriate process for Cisco products relies on Cisco's own evaluation and on patch updates delivered directly from Cisco.

The Heartbleed Bug is a vulnerability that appears to have existed in OpenSSL for about two years due to a simple coding mistake recently discovered by Google and Codenomicon security researchers and disclosed on Monday.

Cisco found out about the Heartbleed Bug at the same time as everyone else did when the OpenSSL site went public with the information, Glennie notes. Heartbleed is resulting in a staggering amount of ongoing work by Cisco engineers to determine its impact on Cisco gear.

Some security experts, including cryptography expert Bruce Schneier, are describing the Heartbleed Bug as a "catastrophic" flaw because the vulnerable version of OpenSSL can be exploited by savvy attackers to eavesdrop on passwords or steal encryption certificates and keys. Cisco, though, says right now it's giving Heartbleed a middle-range score on its severity rating scale in terms of Cisco products, noting that the score might rise in some cases based on the specific ways any vulnerable versions of OpenSSL are used in Cisco products.

The main Cisco products now clearly evaluated as "vulnerable" are the Cisco AnyConnect Secure Mobility Client for iOS, Cisco IOS XE, the Cisco UCS B-Series (Blade) Servers, Cisco UCS C-Series (Standalone Rack Servers), Cisco Unified Communication Manager 10.0, Cisco Desktop Collaboration Experience DX650, Cisco TelePresence Video Communication Server, and three versions of Cisco IP phones.

But some Cisco IP phones have already been determined to be not vulnerable. Many other Cisco products are also not vulnerable, including the Cisco Wireless LAN Controller, the Cisco Web Security Appliance, the Cisco Content Management Appliance and the Cisco e-mail security appliance.

Still under investigation are Cisco IOS, Cisco Identity Service Engine, Cisco Secure Access Control Server, Cisco Cloud Web Security, and the Cisco Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, plus dozens of others. Cisco will be continuously updating these lists as it determines which products are vulnerable, with any fixes needed for Heartbleed to follow.

Juniper didn't provide a spokesperson to discuss Heartbleed, but issued a statement saying, "The Juniper Networks Security Incident Response Team (SIRT) is aware of the OpenSSL vulnerability impacting the industry and is working round the clock on fixes to address potential risks to some Juniper products."

Juniper notes it has published an advisory, which lists several vulnerable products, including those based on Junos OS 13.3R1, and Odyssey client 5.6r5 and later. Also vulnerable to Heartbleed Bug issues are the Juniper SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later. Some products are listed as "fixed."

Products listed as "not vulnerable" include Junos OS 13.2 and earlier, the non-FIPS versions of the Network Connect clients, and SSL VPN (IVEOS) 7.3, 7.2 and 7.1. Several other network and security products are also listed as "not vulnerable." Other Juniper products are listed as under investigation, including Stand Alone IDP, ADC and WL-Series (SmartPass).

In addition to this wide range of network gear impacted by the Heartbleed Bug, some versions of the Android operating system also appear to be subject to Heartbleed, according to mobile security vendor Lookout Security.

Marc Rogers, principal security researcher at Lookout, says so far the security firm has determined that the vulnerable versions of Google Android include only versions 4.1.1 and 4.2.2. The current version of Android 4.5 is not impacted, according to Lookout, likely because the feature causing all the Heartbleed commotion in OpenSSL was not enabled. Lookout has created a tool to let mobile-device users test for vulnerability to Heartbleed.

An Android fix for Heartbleed is something Lookout says it can't provide but should come from the Android open-source project, which manufacturers of Android-based phones would be expected to deliver. It's hard to come up with a definitive list of impacted Android mobile devices because Android itself has become so fragmented, Rogers concluded.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com
