Heartbleed Bug Discovered In Cisco, Juniper Gear


The Heartbleed bug, a vulnerability in the OpenSSL encryption library that has put system administrators on alert and Internet users on edge this week, was discovered in networking gear from Cisco Systems and Juniper Networks.

Both companies issued advisories Thursday, identifying affected products and those still being investigated for the bug. The threat posed by Heartbleed in routers, switches and other networking gear is that hackers could intercept passwords, user names and other sensitive information as they cross the corporate network.

Cisco, for its part, identified 16 affected products, including three lines of Cisco IP phones, TelePresence Video Communication Server, Mobility Service Engine, WebEx Meeting Server versions 2.x and MS200X Ethernet Switch.

The company also listed more than 60 products that are still being investigated for the bug but said none of its hosted services have been impacted.

Cisco did not respond to CRN's request for comment by press time, but said in the advisory that it will continue to update its list of impacted products as more information becomes available and will release free software updates to address the issue.

Juniper, meanwhile, identified eight products found to be vulnerable. These include Junos OS 13.3R1, along with certain versions of Juniper Network Connect, Junos Pulse and Odyssey clients versions 5.6r5 and later.

Juniper's SSL VPN software also was impacted, but the company issued a patch for that product Tuesday, a Juniper spokesperson told CRN.

Juniper, like Cisco, said it will continue to update its list as more information comes to light.

"We encourage our customers to contact Juniper's Customer Support Center for detailed advisories and product updates," the Juniper spokesperson wrote in an email. "We work with customers running vulnerable products very closely to ensure they take the appropriate steps we have identified and deploy any necessary updates or mitigations in a timely manner."

According to a report from security systems integrator Accuvant, other vendors, including F5 Networks, Red Hat, Infoblox and Check Point Software Technologies, have known vulnerable products.

Dominic Grillo, executive vice president of Atrion Communication Resources, a Branchburg, N.J.-based solution provider and Juniper partner, said Atrion has received lots of customer inquiries about Heartbleed over the past few days, but noted that vendor partners such as Juniper have responded in a timely manner with fixes.

"Juniper has been pretty quick to release patches or upgrades for their affected products and has been continually updating their security advisories as new information is available. We've been using the advisory information to answer customers' inquiries," Grillo wrote in an email to CRN. "Obviously, Heartbleed is affecting far more than just Juniper so we've had customers ask about other vendor technologies as well. It seems as if the vendors and the security community at large have been fairly quick and coordinated in their efforts to patch Heartbleed (OpenSSL) issues."

Grillo added that it's "pretty scary" how far-ranging the impacts of Heartbleed could be, and said he is personally avoiding any banking sites or https sites for a few days as a precaution.

Mark Robinson, president of CentraComm, a Findlay, Ohio-based solution provider and Juniper partner, also said he is seeing a lot of customers come forward with questions about Heartbleed.

"I think it is a pretty widespread thing and it seems to be an evolving situation. I think people and companies and partners still don't exactly know the extent of this," Robinson said. "I think they understand what the actual bug is, but I think in terms of what's been compromised, a lot of people are still trying to figure out."

For now, Robinson said CentraComm's strategy is to communicate with its customers as much as possible, keeping them updated as more information becomes available. To do that, he said CentraComm has created a customer-facing portal, listing all of its vendor partners, and their products, that have been affected.

"Really, we are just trying to be as proactive as we can," Robinson said.

The Heartbleed bug is a vulnerability in OpenSSL, the open-source library used to implement the SSL and TLS protocols for encrypting Web-based email, instant messaging and other online communications services. The OpenSSL Project, which maintains OpenSSL, issued an update this week repairing the issue.

OpenSSL is widely used in networking devices and in software including the Apache and Nginx open-source Web servers. Earlier this week, security experts estimated the bug has impacted hundreds of thousands of servers globally, putting Internet users around the world at risk. Experts also urged users of online services ranging from Dropbox to Gmail to change their passwords.

PUBLISHED APRIL 11, 2014