- Heartbleed affects as many as 81 Cisco devices.
- In many ways, this vulnerability is even more dire for devices than it is for generic servers.
- There appears to be no easy fix; massive recalls and/or legal action are likely.
If you work in computer security, as I have, then you're already aware of Heartbleed. In brief, it is a buffer overrun bug in OpenSSL code that allows any attacker to easily read up to 64K of memory from an affected device with a simple SSL ping. It would be very hard to overstate the severity of this bug, and one of the hardest-hit companies appears to be Cisco Systems (NASDAQ:CSCO). As many as 81 of Cisco's switches, routers and firewalls may be affected, and the vulnerability has already been confirmed in 16 of them.
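To make the mechanism concrete, here is a small added simulation (not code from the article, from OpenSSL, or from Cisco) of the missing length check that Heartbleed comes down to. It models a TLS heartbeat record laid out inside a fake memory buffer with a constructed placeholder "secret" right after it, then runs the record through a handler that trusts the length field in the header (the pre-fix behaviour) and through one that first verifies the declared length fits inside the record actually received (the check the fix added). The buffer layout, the `SECRET` bytes and the function names are all assumptions of this example.

```python
"""Toy model of the missing length check behind Heartbleed.

A TLS heartbeat message (RFC 6520) is: type (1 byte), payload_length
(2 bytes, big-endian), the payload, then at least 16 bytes of padding.
The responder is supposed to echo the payload back. The flaw was that
the responder trusted payload_length from the header and copied that
many bytes without checking that the record really contained them, so
the copy ran past the record into whatever sat next to it in memory.
A 2-byte length field is why the leak is capped at 64K per message.
"""
import struct
from typing import Callable, Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16     # RFC 6520: at least 16 bytes of padding
HEADER_LEN = 3       # 1-byte type + 2-byte payload_length


def build_heartbeat(hb_type: int, declared_length: int, payload: bytes) -> bytes:
    """Encode a heartbeat. declared_length is written exactly as given, so a
    caller can deliberately build a header that disagrees with the body."""
    return struct.pack("!BH", hb_type, declared_length) + payload + b"\x00" * MIN_PADDING


def _echo(declared: int, payload: bytes) -> bytes:
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared) + payload + b"\x00" * MIN_PADDING


def vulnerable_respond(memory: bytes, offset: int, record_len: int) -> Optional[bytes]:
    """Pre-fix behaviour: copy `declared` bytes from the start of the payload,
    regardless of how long the received record (record_len) really is."""
    hb_type, declared = struct.unpack("!BH", memory[offset:offset + HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    start = offset + HEADER_LEN
    payload = memory[start:start + declared]   # over-read: may run far past record_len
    return _echo(declared, payload)


def fixed_respond(memory: bytes, offset: int, record_len: int) -> Optional[bytes]:
    """Post-fix behaviour: the declared length must fit inside the record
    that was actually received; otherwise the message is silently dropped."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None
    hb_type, declared = struct.unpack("!BH", memory[offset:offset + HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + declared + MIN_PADDING > record_len:
        return None                               # the bounds check that was missing
    start = offset + HEADER_LEN
    return _echo(declared, memory[start:start + declared])


# Constructed stand-in for whatever happened to be next to the record in memory.
SECRET = b"-----BEGIN PRIVATE KEY----- (constructed placeholder, not a real key)"


def _layout(declared_length: int, payload: bytes):
    """Place a heartbeat record at a fixed offset in a fake memory buffer,
    with SECRET immediately after it. Returns (memory, offset, record_len)."""
    request = build_heartbeat(HEARTBEAT_REQUEST, declared_length, payload)
    offset = 32
    memory = b"\x00" * offset + request + SECRET + b"\x00" * 8192
    return memory, offset, len(request)


def secret_leaks(handler: Callable[[bytes, int, int], Optional[bytes]],
                 declared_length: int, payload: bytes = b"ping") -> bool:
    """Run one heartbeat through `handler` and report whether SECRET came back."""
    memory, offset, record_len = _layout(declared_length, payload)
    response = handler(memory, offset, record_len)
    return response is not None and SECRET in response


def well_formed_echo(handler: Callable[[bytes, int, int], Optional[bytes]]) -> Optional[bytes]:
    """A request whose header matches its body must still be echoed by both handlers."""
    payload = b"ping"
    memory, offset, record_len = _layout(len(payload), payload)
    return handler(memory, offset, record_len)


if __name__ == "__main__":
    print("vulnerable handler leaks SECRET:", secret_leaks(vulnerable_respond, 4000))
    print("fixed handler leaks SECRET:     ", secret_leaks(fixed_respond, 4000))
```

The only difference between the two handlers is the single comparison of the declared length against the record length; everything else is identical, which is why the real fix was a few lines. The same shape of check (does the length field in a header fit inside the bytes actually received?) is what a code reviewer should look for in any hand-written record or packet parser.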
While some commentators have argued that the vulnerability is less important for devices such as switches and routers than it is for full-on servers, the opposite is actually true, for two reasons. First, these devices typically have less memory and more predictable configurations, so it becomes relatively easier to use the vulnerability to get the memory dumps a hacker is looking for (typically SSL keys). Secondly, pretty much all of these devices can be remotely managed, and many are typically the first line of defense against hackers; to have them under unfriendly control is simply not an option.
Furthermore, initial reports appear to indicate that the affected code is NOT in firmware that can simply be updated. Therefore, the devices will probably need to be decommissioned entirely, whereas servers can simply update their code base and regenerate their keys. A representative from Juniper Networks (NYSE:JNPR), another vendor which has only one affected device, said, "It doesn't sound like a flip the switch sort of thing, I don't know how quickly they can be resolved." Bruce Schneier, probably the most well-known security expert out there, is quoted by the Wall Street Journal as saying, "The upgrade path is going to involve a trash can, a credit card, and a trip to Best Buy."
The problem with even that theory is that many of the devices currently on store shelves are probably also affected by the bug and would need to be recalled. Given that the underlying OpenSSL bug was introduced about 2 years ago, many of the affected devices may still be under warranty. Furthermore, many of the devices are the sorts only used by telecommunications firms and hosting companies and other businesses, which adds even greater liability. George Kurtz, chief executive of CrowdStrike, says "It's one thing to get all of these servers at Yahoo (NASDAQ:YHOO), Google (NASDAQ:GOOG) and everyone else fixed, but it's a whole other thing to get these embedded devices fixed up. I don't see them getting updated any time soon."
What Cisco's material response to this issue will be remains to be seen, but investors can be sure of two things: the liability is VERY substantial, and Cisco will be living this down, both financially and in terms of reputation, for years to come. If Cisco wants to preserve any goodwill with customers, it should offer an upgrade path for all affected devices at its own cost, but doubtless that will depend on an internal cost analysis. If management chooses to do so only on a limited basis, expect others to contest that decision. Cisco is no stranger to security vulnerabilities; at the end of last year it was revealed that many of its devices have back doors which can be exploited by the NSA, and therefore by others. If investors and customers realize the true magnitude of the problem, it could easily be enough to derail the company's comeback and send CSCO stock back into the teens.