The Heartbleed Bug, a flaw in OpenSSL that would let attackers eavesdrop on Web, e-mail and some VPN communications, is a vulnerability that can be found not just in servers using it but also in network gear from Cisco and Juniper Networks. Both vendors say there's still a lot they are investigating about how Heartbleed impacts their products, and to expect updated advisories on a rolling basis.
"Expect a product by product advisory about vulnerabilities," says Cisco spokesman Nigel Glennie, explaining that Cisco engineers are evaluating which Cisco products use the flawed versions of OpenSSL that may need a patch though not all necessarily will. That's because Cisco believes it's a specific feature in OpenSSL that is at the heart of the Heartbleed vulnerability and that it's not always turned on in products.
So far, Cisco has carved out a list of about a dozen products listed as confirmed "vulnerable" to exploits based on the Heartbleed Bug, plus another list of over 60 products considered "affected" because of OpenSSL but still being investigated. About two dozen products have been confirmed to be "not vulnerable," as well as the hosted Cisco service called Cisco Meraki Dashboard. Cisco also says its Webex service was vulnerable to the Heartbleed Bug but has been fixed.
This long list made by Cisco is subject to change and updates and at any moment, no specific software security updates have been made available, though could change at any time. Although the open-source OpenSSL group has issued software updates to patch the Heartbleed flaw, Cisco notes the appropriate process for Cisco products relies on Cisco evaluation and patch updates directly from Cisco.
The Heartbleed Bug is a vulnerability that appears to have existed in OpenSSL for about two years due to a simple coding mistake recently discovered by Google and Codenomicon security researchers and disclosed on Monday.
Cisco found out about the Heartbleed Bug at the same time as everyone else did when the OpenSSL site went public with the information, Glennie notes. Heartbleed is resulting in a staggering amount of ongoing work by Cisco engineers to determine its impact on Cisco gear.
Some security experts, including cryptography expert Bruce Schneier, are describing the Heartbleed Bug as a catastrophic' flaw because the vulnerable version of OpenSSL can be exploited by savvy attackers to eavesdrop on passwords or steal encryption certificates and keys. Cisco, though, says right now it's giving Heartbleed a middle-range score on its severity rating scale in terms of Cisco products, noting that might rise in some cases based on specific ways any vulnerable versions of OpenSSL are used in Cisco products.