|
[Equip] Heartbleed Bug Found in Cisco Routers, Juniper GearFrom the WSJ.... You might hit the paywall....» online.wsj.com/news/arti ··· 641,1009Heartbleed Bug Found in Cisco Routers, Juniper Gear The encryption bug that has the Internet on high alert also affects the equipment that connects the Web. Cisco Systems and Juniper Networks, two of the largest manufacturers of network equipment, said that some of their products contain the Heartbleed bug, meaning hackers might be able to capture user names, passwords and other sensitive information as it moves across corporate networks, home networks and the Internet. Many websitesincluding those run by Yahoo, Amazon.com and Netflixquickly fixed the hole after it was disclosed Monday. But Cisco and Juniper said the security flaw affects routers, switches and firewalls used in businesses and at home. These devices likely will be more difficult to fix. The process involves more steps and businesses are less likely to check the status of network equipment, security experts said. |
|
train_wreckslow this bird down join:2013-10-04 Antioch, TN Cisco ASA 5506 Cisco DPC3939
|
said by YukonHawk:These devices absolutely will be more difficult to fix. The process involves more steps and businesses are never likely to check the status of network equipment, security experts said. :) in all seriousness, i worry most about the several-year-old+ consumer routers sitting in front of thousands to millions of home networks. how much old forgotten networking gear will be laying around vulnerable? |
|
|
AnonPoster1 to YukonHawk
Anon
2014-Apr-10 10:24 pm
to YukonHawk
Thinking along those same lines, would devices such as cable & DSL modems be vulnerable too? |
|
JohkalCool Cat MVM join:2002-11-13 Pennsyltucky |
to YukonHawk
|
|
1 recommendation |
Thanks Johkal. I meant to come back and provide another source without the pay wall. |
|
JohkalCool Cat MVM join:2002-11-13 Pennsyltucky |
Johkal
MVM
2014-Apr-11 11:13 am
IT sent that one to me earlier today & looked like a good list. |
|
NetFixerFrom My Cold Dead Hands Premium Member join:2004-06-24 The Boro Netgear CM500 Pace 5268AC TRENDnet TEW-829DRU
|
to train_wreck
said by train_wreck:said by YukonHawk:These devices absolutely will be more difficult to fix. The process involves more steps and businesses are never likely to check the status of network equipment, security experts said. :) in all seriousness, i worry most about the several-year-old+ consumer routers sitting in front of thousands to millions of home networks. how much old forgotten networking gear will be laying around vulnerable? Perhaps less than you might think. I just checked all of the active devices on my network, and the newest version of OpenSSL that I found being used was 0.9.8 which does not implement the vulnerable heartbeat code (that was implemented in version 1.0.1). The open source code used as the base for most resi/soho devices is usually far from up to date. As an example, the firmware in my SB6121 (with a firmware release date of Oct, 2012), uses OpenSSL 0.9.8 because even new firmware releases most often are only rewrites of specific code for that device, not rewrites (or upgrades) of the much older generic Linux/BSD base code. |
|
train_wreckslow this bird down join:2013-10-04 Antioch, TN |
interesting, so it's probably only the more recent stuff that would be vulnerable (~last year or so |
|
NetFixerFrom My Cold Dead Hands Premium Member join:2004-06-24 The Boro Netgear CM500 Pace 5268AC TRENDnet TEW-829DRU
|
NetFixer
Premium Member
2014-Apr-11 3:24 pm
said by train_wreck:interesting, so it's probably only the more recent stuff that would be vulnerable (~last year or so And also probably mostly enterprise grade equipment. Linksys for example, has already made a public announcement that none of their residential grade equipment has the vulnerability. |
|
DarkLogixTexan and Proud Premium Member join:2008-10-23 Baytown, TX |
to train_wreck
said by train_wreck:said by YukonHawk:These devices absolutely will be more difficult to fix. The process involves more steps and businesses are never likely to check the status of network equipment, security experts said. :) in all seriousness, i worry most about the several-year-old+ consumer routers sitting in front of thousands to millions of home networks. how much old forgotten networking gear will be laying around vulnerable? Well honestly the bug just makes the device spit out 64k of data from its memory (read random data) so what might be on the ram of some consumer router? |
|
DarkLogix |
to NetFixer
said by NetFixer:0.9.8 which does not implement the vulnerable heartbeat code (that was implemented in version 1.0.1 only affected are 1.0.1 through 1.0.1f, 1.0.1g is good 1.0.2beta is also affected but a revision of 1.0.2beta has been released. |
|
DarkLogix |
to train_wreck
said by train_wreck:interesting, so it's probably only the more recent stuff that would be vulnerable (~last year or so 1.0.1-1.0.1f covers the last 2 years from my reading that don't mean that a device from that timeframe would have that code but that that rev of code was available. |
|