dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
1198

YukonHawk
join:2001-01-07
Patterson, NY

YukonHawk

Member

[Equip] Heartbleed Bug Found in Cisco Routers, Juniper Gear

From the WSJ....
You might hit the paywall....»online.wsj.com/news/arti ··· 641,1009

Heartbleed Bug Found in Cisco Routers, Juniper Gear

The encryption bug that has the Internet on high alert also affects the equipment that connects the Web.

Cisco Systems and Juniper Networks, two of the largest manufacturers of network equipment, said that some of their products contain the “Heartbleed” bug, meaning hackers might be able to capture user names, passwords and other sensitive information as it moves across corporate networks, home networks and the Internet.

Many websites—including those run by Yahoo, Amazon.com and Netflix—quickly fixed the hole after it was disclosed Monday. But Cisco and Juniper said the security flaw affects routers, switches and firewalls used in businesses and at home.

These devices likely will be more difficult to fix. The process involves more steps and businesses are less likely to check the status of network equipment, security experts said.

train_wreck
slow this bird down
join:2013-10-04
Antioch, TN
Cisco ASA 5506
Cisco DPC3939

train_wreck

Member

said by YukonHawk:

These devices absolutely will be more difficult to fix. The process involves more steps and businesses are never likely to check the status of network equipment, security experts said.

:)

in all seriousness, i worry most about the several-year-old+ consumer routers sitting in front of thousands to millions of home networks. how much old forgotten networking gear will be laying around vulnerable?

AnonPoster1
@comcast.net

AnonPoster1 to YukonHawk

Anon

to YukonHawk
Thinking along those same lines, would devices such as cable & DSL modems be vulnerable too?

Johkal
Cool Cat
MVM
join:2002-11-13
Pennsyltucky

Johkal to YukonHawk

MVM

to YukonHawk
»mashable.com/2014/04/09/ ··· bjMwMyJ9

YukonHawk
join:2001-01-07
Patterson, NY

1 recommendation

YukonHawk

Member

Thanks Johkal. I meant to come back and provide another source without the pay wall.

Johkal
Cool Cat
MVM
join:2002-11-13
Pennsyltucky

Johkal

MVM

IT sent that one to me earlier today & looked like a good list.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer to train_wreck

Premium Member

to train_wreck
said by train_wreck:

said by YukonHawk:

These devices absolutely will be more difficult to fix. The process involves more steps and businesses are never likely to check the status of network equipment, security experts said.

:)

in all seriousness, i worry most about the several-year-old+ consumer routers sitting in front of thousands to millions of home networks. how much old forgotten networking gear will be laying around vulnerable?

Perhaps less than you might think. I just checked all of the active devices on my network, and the newest version of OpenSSL that I found being used was 0.9.8 which does not implement the vulnerable heartbeat code (that was implemented in version 1.0.1). The open source code used as the base for most resi/soho devices is usually far from up to date. As an example, the firmware in my SB6121 (with a firmware release date of Oct, 2012), uses OpenSSL 0.9.8 because even new firmware releases most often are only rewrites of specific code for that device, not rewrites (or upgrades) of the much older generic Linux/BSD base code.

train_wreck
slow this bird down
join:2013-10-04
Antioch, TN

train_wreck

Member

interesting, so it's probably only the more recent stuff that would be vulnerable (~last year or so

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer

Premium Member

said by train_wreck:

interesting, so it's probably only the more recent stuff that would be vulnerable (~last year or so

And also probably mostly enterprise grade equipment. Linksys for example, has already made a public announcement that none of their residential grade equipment has the vulnerability.

DarkLogix
Texan and Proud
Premium Member
join:2008-10-23
Baytown, TX

DarkLogix to train_wreck

Premium Member

to train_wreck
said by train_wreck:

said by YukonHawk:

These devices absolutely will be more difficult to fix. The process involves more steps and businesses are never likely to check the status of network equipment, security experts said.

:)

in all seriousness, i worry most about the several-year-old+ consumer routers sitting in front of thousands to millions of home networks. how much old forgotten networking gear will be laying around vulnerable?

Well honestly the bug just makes the device spit out 64k of data from its memory (read random data) so what might be on the ram of some consumer router?
DarkLogix

DarkLogix to NetFixer

Premium Member

to NetFixer
said by NetFixer:

0.9.8 which does not implement the vulnerable heartbeat code (that was implemented in version 1.0.1

only affected are 1.0.1 through 1.0.1f, 1.0.1g is good
1.0.2beta is also affected but a revision of 1.0.2beta has been released.
DarkLogix

DarkLogix to train_wreck

Premium Member

to train_wreck
said by train_wreck:

interesting, so it's probably only the more recent stuff that would be vulnerable (~last year or so

1.0.1-1.0.1f covers the last 2 years from my reading
that don't mean that a device from that timeframe would have that code but that that rev of code was available.