Seeking Alpha

Cisco, Juniper find "Heartbleed" security hole in products

  • Cisco (CSCO) and Juniper Networks (JNPR) have found the "Heartbleed" encryption flaw in some of their products, including routers, switches, servers, and firewalls.
  • The ubiquitous nature of the products makes the bug harder to eliminate, and hackers may be able to steal sensitive data such as passwords and credit-card information as it travels across networks.
  • Cisco is investigating 65 products and has confirmed 16 as being vulnerable.
  • Juniper's VP of Corporate Communications, Michael Busselen, said the exposure for customers "is minimal," as the problem affected only one product. However, spokesman Corey Olfert warned that updating Juniper equipment could take a while. "It doesn't sound like a flip the switch sort of thing," said Olfert. "I don't know how quickly they can be resolved."
  • Meanwhile, Intel (INTC) was still working on a patch for its McAfee security products as of yesterday.
  • Vulnerable Cisco products.
Comments (11)
  • samuel_liu, contributor | Comments (2798)
    http://on.recode.net/1...
    11 Apr, 05:27 AM
  • JD in NJ, contributor | Comments (981)
    I understand that switches, routers, and other networking products may be vulnerable to this particular attack, but I wonder how much of a problem that really is.
    Heartbleed is so dangerous as an attack on servers because it is a silent way of obtaining raw memory dumps from them. Even very well designed and built applications that make users log in have to have the users' passwords in memory for at least a short period of time.
    Intermediate network hardware though, is not really in the business of decrypting packets. They should just be shuffling encrypted data around without caring too much about the contents. So a memory dump from one of these should be far less useful to a hacker than one from an actual server.
    11 Apr, 06:07 AM
  • Esekla, contributor | Comments (3125)
    Incorrect! These devices are remotely manageable, and there have been confirmed instances of being able to gain SSL keys via the Heartbleed attack. Are you really saying that a hacker being able to gain control of your switch or router is not a big deal? Furthermore, if the affected code is not in firmware that can be updated, then this is potentially equivalent to GM having to recall most of the cars they've ever made.
    11 Apr, 10:01 AM
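The two comments above (a memory dump from a device, and keys being recoverable from that dump) come down to one missing bounds check in the TLS heartbeat handler. The toy model below is an added example, not OpenSSL's code and not anything from Cisco or Juniper; the "process memory" and the secret string in it are constructed stand-ins, and the corrected handler mirrors the published fix: the peer's claimed payload length must fit inside the record that actually arrived, otherwise the request is discarded.

```python
"""Toy model of the TLS heartbeat length defect behind Heartbleed (CVE-2014-0160).

Added educational example, not OpenSSL's or any vendor's code. `process_memory`
is a constructed byte string standing in for the heap, with the received record
at offset 0 and unrelated data (here, a fake key string) right after it.
"""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16      # RFC 6520: at least 16 bytes of padding follow the payload
HEADER_LEN = 1 + 2    # type byte + 16-bit payload_length field


def build_request(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; claimed_len lets a test mis-state the length."""
    length = len(payload) if claimed_len is None else claimed_len
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", length)
            + payload + b"\x00" * PADDING_LEN)


def parse_heartbeat(record: bytes) -> Tuple[int, int, bytes]:
    """Split a record into (type, claimed payload length, bytes after the header)."""
    if len(record) < HEADER_LEN:
        raise ValueError("heartbeat record too short")
    (claimed_len,) = struct.unpack("!H", record[1:3])
    return record[0], claimed_len, record[HEADER_LEN:]


def respond_unpatched(record: bytes, process_memory: bytes) -> Optional[bytes]:
    """Defective handler: copies claimed_len bytes starting at the payload,
    trusting the peer's length field instead of the record's real size."""
    hb_type, claimed_len, _ = parse_heartbeat(record)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    # The record sits at offset 0 of the modelled heap, so a claimed length
    # larger than the real payload reads whatever follows the record.
    echoed = process_memory[HEADER_LEN:HEADER_LEN + claimed_len]
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", claimed_len) + echoed


def respond_patched(record: bytes, process_memory: bytes) -> Optional[bytes]:
    """Fixed handler: the claimed length plus padding must fit in the record."""
    hb_type, claimed_len, rest = parse_heartbeat(record)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + claimed_len + PADDING_LEN > len(record):
        return None   # silently discard, as the OpenSSL fix does
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", claimed_len) + rest[:claimed_len]


def over_read_bytes(record: bytes) -> int:
    """How many bytes the unpatched handler copies from beyond the record it received."""
    _, claimed_len, _ = parse_heartbeat(record)
    return max(0, HEADER_LEN + claimed_len - len(record))


if __name__ == "__main__":
    SECRET = b"SECRET=PRIVATE-KEY-MATERIAL-0123456789"  # constructed, not a real key
    bad = build_request(b"ping", claimed_len=40)
    memory = bad + SECRET
    print("over-read:", over_read_bytes(bad), "bytes")
    print("unpatched:", respond_unpatched(bad, memory))
    print("patched:  ", respond_patched(bad, memory))
```

The point for the operators in this thread is the last function: whatever sits in the process after the record (session keys, the private key, an admin password from the management interface) is what the unpatched code echoes back, and the only fix is code that checks the length, which on a switch or router means a firmware update rather than a package upgrade.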
  • JD in NJ, contributor | Comments (981)
    That's a good point on the keys, I had not considered that.
    11 Apr, 10:03 AM
  • techy46, contributor | Comments (6288)
    A really good reason to be very suspicious of using any open software, especially in mission-critical enterprise applications. Microsoft's software is not affected, but Linux running in Azure may be.
    11 Apr, 11:25 AM
  • JD in NJ, contributor | Comments (981)
    You're not suggesting that closed source has been immune to such security risks, are you? Just because this particular risk is in an open-source library is no reason to throw out the baby with the bathwater.
    What this really indicates is that the most dangerous thing is monoculture. Some systems, at least, are always immune to the newest threat, as long as there are different code bases out there doing things in different ways.
    11 Apr, 12:00 PM
  • Esekla, contributor | Comments (3125)
    Yes, my upcoming article on the situation cites worse vulnerabilities from the closed source portions of Cisco (and other products).
    11 Apr, 12:29 PM
  • MattZN2, contributor | Comments (781)
    That's a hilarious comment considering that Microsoft software has had a continuous, never-ending stream of security vulnerabilities from the day the first Windows box got internet access. It shows a major lack of understanding of what open source is, where it came from, and how it is used... in fact, it shows a major lack of understanding of what the *internet* is.
    Do you think a bunch of commercial companies magically constructed thousands of major networking and protocol standards and code out of thin air? That's all open-source, buddy, and existed long before the general public became aware of 'the internet'. Every commercial product in the world contains massive amounts of open-source code, right down to the languages and compilers most programmers use in their daily lives.
    -Matt
    11 Apr, 01:59 PM
  • dbc2017, contributor | Comments (4)
    We sure did a good job of letting hackers know of a security hole. Might we have waited till it was plugged first? I don't know enough about OpenSSL, but it seems we are our own worst enemies.
    12 Apr, 05:18 PM
  • Esekla, contributor | Comments (3125)
    Hardly. The bug in OpenSSL was fixed immediately. The problem is that proprietary companies often do not work well with the Open Source initiatives that they benefit from. My servers automatically knew about and fixed the OpenSSL code. I doubt the same is true for devices from companies that use the code.
    13 Apr, 04:05 AM
  • Stock Market Mike, contributor | Comments (2274)
    I had my stuff patched within 24 hours. It's scary how long it will take to patch a lot of Cisco equipment. A lot simply can't be, and must be replaced.
    -Mike
    13 Apr, 02:19 PM