Networking suppliers Cisco and Juniper have issued security bulletins warning that some of their products and services are vulnerable to data theft through the Heartbleed bug in OpenSSL.
The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension.
The software bug could allow an unauthenticated, remote attacker to retrieve up to 64KB of memory from a connected client or server with each malformed heartbeat request, Cisco warned.
“An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords,” the Cisco security advisory said.
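To show what "missing bounds check" means in practice, the following is an added example, not code from the Cisco advisory or from OpenSSL itself. It models the RFC 6520 heartbeat message (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) inside a constructed byte array standing in for process memory, with a made-up secret placed right after the received record. The vulnerable handler copies as many bytes as the sender's payload_length claims, so the response carries the adjacent secret; the hardened handler applies the length check that OpenSSL 1.0.1g added and discards the message. The arena, the `ping` payload and the `adjacent_secret` string are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 6520 heartbeat layout: type (1) | payload_length (2, big-endian) | payload | padding (>= 16). */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_MIN_PADDING = 16 };

/* Constructed stand-in for a process heap: the received record sits at offset 0,
 * and whatever happened to be allocated next to it follows immediately. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static const char adjacent_secret[] = "-----BEGIN RSA PRIVATE KEY-----"; /* constructed, not a real key */

/* Stage a heartbeat request that carries actual_len payload bytes but advertises
 * claimed_len. Returns the number of bytes that were really received (the record length).
 * Caller keeps HB_HDR + claimed_len within ARENA_SIZE so the simulation stays memory-safe. */
static size_t stage_record(uint16_t claimed_len, const unsigned char *payload, size_t actual_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HDR, payload, actual_len);
    size_t rec_len = HB_HDR + actual_len + HB_MIN_PADDING;   /* padding bytes are already zero */
    memcpy(arena + rec_len, adjacent_secret, sizeof adjacent_secret); /* unrelated neighbour */
    return rec_len;
}

/* Vulnerable handler, mirroring OpenSSL 1.0.1 through 1.0.1f: payload_length is trusted
 * and rec_len is never consulted, so the memcpy reads past the end of the record. */
static size_t vulnerable_heartbeat(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                            /* the bug: never checked */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HDR + (size_t)payload + HB_MIN_PADDING;
    if (resp_len > out_cap) return 0;                         /* keeps the demo itself safe */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);              /* over-read of adjacent memory */
    memset(out + HB_HDR + payload, 0, HB_MIN_PADDING);
    return resp_len;
}

/* Hardened handler, the shape of the 1.0.1g fix: the advertised payload plus header and
 * minimum padding must fit inside the record actually received, else the message is dropped. */
static size_t hardened_heartbeat(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PADDING) return 0;          /* too short to be valid */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload + HB_MIN_PADDING > rec_len) return 0; /* the missing check */
    size_t resp_len = HB_HDR + (size_t)payload + HB_MIN_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_MIN_PADDING);
    return resp_len;
}

/* Scenario: a 4-byte "ping" advertised as 60 bytes. Returns 1 if the vulnerable
 * response contains the secret that lived just past the record. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = stage_record(60, (const unsigned char *)"ping", 4);
    size_t n = vulnerable_heartbeat(arena, rec_len, out, sizeof out);
    return n > 0 && memcmp(out + rec_len, adjacent_secret, strlen(adjacent_secret)) == 0;
}

/* Same malicious record through the hardened handler: returns 1 if it is discarded. */
int hardened_rejects(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = stage_record(60, (const unsigned char *)"ping", 4);
    return hardened_heartbeat(arena, rec_len, out, sizeof out) == 0;
}

/* An honest record (claimed length matches the payload) must still be answered. */
size_t hardened_honest_response_len(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = stage_record(4, (const unsigned char *)"ping", 4);
    return hardened_heartbeat(arena, rec_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks adjacent secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("hardened handler drops malformed request:  %s\n", hardened_rejects() ? "yes" : "no");
    printf("hardened handler answers honest request:   %zu bytes\n", hardened_honest_response_len());
    return 0;
}
```

The 64KB figure in the advisory follows directly from the 16-bit payload_length field: a single request can claim up to 65535 bytes, and the vulnerable code will hand back that many bytes of whatever sits after the record, which is why keys and credentials on a nearby heap allocation are within reach.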
So far, the company has identified 11 products and two services susceptible to attack through the vulnerability. No Cisco hosted services are currently known to be affected.
A further 66 Cisco products are under investigation to see if they are affected by the vulnerability and the potential impact if they are.
“Other Cisco products may be affected by this vulnerability. The list of affected products will be updated as the investigation continues,” the Cisco advisory said.
Cisco’s IOS XE operating system for network hardware is one of the higher-profile products on the list of affected products.
The company has already patched the two vulnerable services identified so far: Cisco’s Registered Envelope Service (CRES) and Webex Messenger Service.
Most of the products on Cisco’s list are connected to the company’s collaboration products, and include IP telephones, communications servers and messaging systems.
A pair of Juniper advisories listed various products as vulnerable, including those based on Junos OS 13.3R1 and the Odyssey client 5.6r5 and later.
“It doesn’t sound like a ‘flip the switch’ sort of thing,” Juniper spokesperson Corey Olfert told the Wall Street Journal. “I don’t know how quickly they can be resolved.”
Heartbleed security challenge
The severity of the Heartbleed flaw makes it likely to present a greater challenge than most other bugs that are regularly patched by suppliers, said Peter Allwood, senior manager at Deloitte.
Organisations concerned they may have been affected should be following an established vulnerability management process to apply security patches to affected systems, he said.
But organisations may also need to revoke certificates whose private keys could have been exposed and generate new encryption keys and certificates, he added.
“They should also be giving users advice about their response to the bug and any steps users should take to remain secure,” said Allwood.
“Heartbleed is a reminder to all organisations that it is important to have good security practices applied across the systems development lifecycle. This is crucial when trying to avoid the subsequent fallout that a bug like Heartbleed can cause,” he said.