Networking suppliers Cisco and Juniper have issued security bulletins warning that some of their products and services are vulnerable to data theft through the Heartbleed bug in OpenSSL.
The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension.
The software bug could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64KB from a connected client or server, Cisco warned.
“An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords,” the Cisco security advisory said.
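As an added illustration, not code from the advisory or from OpenSSL, the Python model below shows what the missing bounds check means: a heartbeat responder that trusts the 16-bit payload length in the request header beside one that checks that length against the record it actually received, which is the check the OpenSSL fix added. The heap layout, the function names and the leaked secret are constructed for the example.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520: heartbeat messages carry at least 16 bytes of padding

def build_request(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Heartbeat body: type(1) | payload_length(2) | payload | padding(16).
    claimed_len builds a malformed record whose header overstates the payload."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING

def respond_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour (a model, not OpenSSL code). `memory` models the heap:
    the received record fills its first record_len bytes and other allocations
    follow. The untrusted header length is copied without consulting record_len."""
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return b""
    payload = memory[3:3 + payload_len]  # the missing bounds check is here
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING

def respond_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """Patched behaviour: header + claimed payload + padding must fit inside the
    record actually received; otherwise the message is silently discarded."""
    if record_len < 1 + 2 + PADDING:
        return None
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST or 1 + 2 + payload_len + PADDING > record_len:
        return None  # malformed heartbeat: drop it and send nothing back
    payload = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING

# Constructed sample heap: a 5-byte payload whose header claims 64 bytes,
# followed by a made-up secret that the same process happens to hold.
SECRET = b"session-cookie=constructed-sample-value;"
REQUEST = build_request(b"hello", claimed_len=64)
HEAP = REQUEST + SECRET + b"\x00" * 64

def leaked_bytes() -> bytes:
    """Reply bytes beyond the real payload: what the vulnerable responder leaks."""
    reply = respond_vulnerable(HEAP, len(REQUEST))
    return reply[3 + len(b"hello"):3 + 64]

def fixed_answers_wellformed() -> bool:
    good = build_request(b"hello")
    reply = respond_fixed(good + SECRET, len(good))
    return reply is not None and reply[3:8] == b"hello"
```

The vulnerable responder answers the malformed record with the neighbouring secret included, while the fixed one drops it and still answers a well-formed request normally.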
So far, the company has identified 11 products and two services susceptible to attack through the vulnerability. No Cisco hosted services are currently known to be affected.
Cisco Products affected by Heartbleed
- Cisco AnyConnect Secure Mobility Client for iOS
- Cisco Desktop Collaboration Experience DX650
- Cisco Unified 7800 series IP Phones
- Cisco Unified 8961 IP Phone
- Cisco Unified 9951 IP Phone
- Cisco Unified 9971 IP Phone
- Cisco TelePresence Video Communication Server (VCS)
- Cisco IOS XE
- Cisco UCS B-Series (Blade) Servers
- Cisco UCS C-Series (Standalone Rack) Servers
- Cisco Unified Communication Manager (UCM) 10.0
A further 66 Cisco products are under investigation to see if they are affected by the vulnerability and the potential impact if they are.
“Other Cisco products may be affected by this vulnerability. The list of affected products will be updated as the investigation continues,” the Cisco advisory said.
Cisco’s IOS XE operating system for network hardware is one of the higher-profile products on the list of affected products.
The company has already patched the two vulnerable services identified so far: Cisco’s Registered Envelope Service (CRES) and Webex Messenger Service.
Most of the products on Cisco's list belong to the company's collaboration portfolio, including IP telephones, communications servers and messaging systems.
"It doesn't sound like a 'flip the switch' sort of thing," Juniper spokesperson Corey Olfert told the Wall Street Journal. "I don't know how quickly they can be resolved."
Heartbleed security challenge
The severity of the Heartbleed flaw makes it likely to present a greater challenge than most other bugs that are regularly patched by suppliers, said Peter Allwood, senior manager at Deloitte.
Organisations concerned they may have been affected should be following an established vulnerability management process to apply security patches to affected systems, he said.
But organisations may also need to revoke compromised certificates and create new encryption keys and certificates, he added.
“They should also be giving users advice about their response to the bug and any steps users should take to remain secure,” said Allwood.
“Heartbleed is a reminder to all organisations that it is important to have good security practices applied across the systems development lifecycle. This is crucial when trying to avoid the subsequent fallout that a bug like Heartbleed can cause,” he said.