Cisco, Juniper Work to Protect Networking Gear vs. Heartbleed

By Jeffrey Burt | Posted 2014-04-14 Email Print



The encryption bug may have affected as many as 80-plus Cisco products, while the impact to Juniper's portfolio is not as broad.


Cisco Systems continues to update the list of its products that may be vulnerable to the Heartbleed exploit, with the number standing at more than 80 as of April 14. As news of the Heartbleed encryption flaw hit earlier this month, most of the discussion was focused on servers that might have been compromised. However, Cisco and Juniper Networks on April 9 announced that some of their networking gear were vulnerable to the threat, and promised to keep their customers up to date on the dangers and what the vendors were doing to respond. 'It's recently been said that there is only one thing being discussed by IT security people right now-the OpenSSL heartbeat extension vulnerability (aka Heartbleed),' Nigel Glennie, senior manager of global corporate communications for Cisco, said in an April 11 post on the company blog. 'As the guy responding to related media questions for Cisco, that certainly rings true. ... We know that communicating quickly and openly about security vulnerabilities can result in a little extra public attention for Cisco. As a trustworthy vendor, this is something we're happy to accept.' According to the Heartbleed.com site, the bug exploits a vulnerability in certain versions of the OpenSSL software and enables 'anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.'


An exploit could reveal up to 64 kilobytes of memory in the affected server.


The vulnerabilities in the networking and communications gear at Cisco and Juniper mean that someone using Heartbleed could access the memory banks of users' IP phones, computers, WebEx sessions and mobile devices. 'An attacker can use it to obtain the encryption keys used by a web site, allowing an attacker or spy agency to read all communications,' Tatu Ylönen, inventor of SSH encryption and CEO of the SSH Communications Security, said in an email to eWEEK's Wayne Rash. 'It can practically be used to obtain the server private key used for securing the server and communications to it, essentially breaching the certificates used for protecting the web site, which in turn allows decrypting past sessions as well as performing man-in-the-middle attacks (including banking fraud and identity theft) in most cases.' Cisco in an advisory has released a comprehensive list of products that are vulnerable to Heartbleed, those that aren't and some that may be. The networking giant has confirmed that more than two dozen-including IP phones, small cell networking products, TelePresence video conferencing systems and WebEx cloud meeting technologies-are vulnerable, while another three that were vulnerable have been updated to protect against the bug. Company officials are still investigating more than 80 other systems, from network switches and routers to firewalls, digital media players, wireless LAN products, communications software, video conferencing equipment and encoders.


'The impact of this vulnerability on Cisco products varies depending on the affected product,' the company said in the advisory, which is regularly being updated. 'Successful exploitation of the vulnerability may cause portions of memory from a client or server to be disclosed. Note that the disclosed portions of memory could potentially include sensitive information such as private keys.' In their own advisory, Juniper officials said the company had nine products impacted by the Heartbleed bug, including some versions of its virtual private network products, Junos operating system and Junos Pulse security software. The company is continuing to release patches to update the products and protect them against Heartbleed. The company also listed the products not vulnerable to the exploit. 'At Juniper, several product teams worked round the clock to ensure that customers get updates on highest priority,' Ajay Bharadwaj, product manager for mobile security at Juniper, wrote in an April 9 post on the company blog.


Comments

Post a Comment

Popular posts from this blog

5 Reasons iPhone 6 Won't Be Popular

Image
The majority of users are waiting for the next smartphone from Apple - iPhone 6 – this year. Unfortunately, the hype around iPhone began to gradually subside with each passing year after the 4th model launched. Therefore, it is possible that the sixth iPhone model of  will not be nearly as popular as it was in the beginning. Global audience perceived iPhone 4S and iPhone 5 much cooler than its early models New iPhones will not cause that “wow”-effect, which was in the beginning, when Steve Jobs' presentations caused a delight and admiration of every new Apple gadget. Some leaked photos of iPhone 5S prototype show that it does not differ from its predecessor at all. Therefore, all hopes for something radically new in design and features are laid on iPhone 6. And if Apple is no longer holds its standards, that seem to be a little bit old-fashioned already, it is unlikely that iPhone 6 will be interesting for people next year. 5 main reasons can be found to think like
Read more

Eset nod32 ativirus 6 free usernames and passwords

Image
                              Hi friends,after little long time I'm going to write again about eset nod 32 antivirus.As I told in previous post if you are user on windows 8 Eset nod 32 is the best antivirus for your personal computer.the latest product eset nod 32 antivirus 6 has special features with 100% really working.Not need to purchase full version from buying it.Download the eset nod 32 trial version and activate your est antivirus from below updated usernames and passwords. Firstly I would like to tell something about est nod32 antivirus 6. The latest product having: Eset smarter scan  Scan while downloading something Anti-Theft Idle-state scanning Clean and safe E-mail Removable media security system tools         Download Eset nod32 antivirus 6 Trial version Here     After downloading Eset nod32 Antivirus activate it using below usernames and passwords. Username: EAV-30326836                                       Password: ccka4dvsuv Expire: 16-10-2013 Username:EAV-79084
Read more

Apple's self

USA TODAY Apple's self-driving car racing toward reality, report saysUSA TODAYSAN FRANCISCO - Apple's self-driving car effort, code-named Project Titan , is more reality than rumor, according to documents obtained by the British newspaper The Guardian. Engineers working for the Cupertino-based tech hardware giant met in May with ...Apple Is Getting Closer to a Self-Driving CarTIMEApple is reportedly looking at places to test its self-driving carThe VergeApple eyes former naval base in California to test 'Project Titan' self ...Apple InsiderThe Independent -Business Insider -Cult of Macall 10 news articles »
Read more