Heartbleed: routers and phones also at risk, says security expert

OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products (Cisco Security advisory)
One of the attacks that the Heartbleed vulnerability allows is theft of the server's private SSL/TLS key, letting an attacker decrypt intercepted traffic (for sessions whose key exchange was not forward secret) or impersonate the site. Most of the products on Cisco's list are collaboration products such as IP telephones and communications servers.


Heartbleed bug also affects Cisco, Juniper equipment

Some manufacturers have confirmed that their devices are not affected. Belkin says that its routers, as well as those of its Linksys subsidiary, are safe. But others are not so lucky.

Networking giant Cisco has confirmed that a number of its products are vulnerable, including desktop phones, video conferencing hardware and VPN software. It is investigating a further 83 products for potential vulnerabilities. Neither Netgear nor BT returned requests for comment, and neither has spoken publicly about whether or not their devices are vulnerable. For affected devices, vendors are slowly releasing patches, which owners must download and install themselves.

But many users will not apply the updates, warns Lieberman. Security tools have also added support for finding the bug. For example, Tenable Network Security wrote a plugin for its Nessus vulnerability scanner that checks for the fault, and Sourcefire released Snort rules to detect Heartbleed attack traffic and possible Heartbleed response traffic.

OpenSSL can be used as a standalone program, as a dynamic shared object, or as a statically linked library; therefore the update process can require restarting every process that has loaded a vulnerable version of OpenSSL, as well as rebuilding and re-linking programs and libraries that linked it statically.

In practice this means updating the shared library package, rebuilding or updating packages that link OpenSSL statically, and restarting running programs so that the in-memory copy of the old, vulnerable code is gone: a patched library on disk does nothing for a daemon that still has the old one mapped. After the vulnerability is patched, server administrators must address the potential breach of confidentiality.
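A check for the restart step above, written as an added example for this page (it is not code from the original article or from the OpenSSL project): on Linux the kernel appends "(deleted)" to a line in /proc/PID/maps when the mapped file has been unlinked or replaced on disk, which is exactly what a package upgrade does to the old libssl/libcrypto. A process that still shows such a mapping was not restarted after the update. The function and file names are mine. The caveat from the paragraph applies: a statically linked binary carries no libssl mapping at all, so this scan cannot find it; those binaries have to be identified from package metadata and rebuilt against the fixed library.

```c
/*
 * stale_openssl.c: list processes that still map a libssl/libcrypto which has
 * been replaced on disk, i.e. processes not restarted after the OpenSSL update.
 * Added example, not from the original page. Assumes Linux /proc semantics:
 * "(deleted)" is appended to a maps line when the mapped file is gone.
 * Helper names (is_stale_openssl_mapping, scan_pid) are invented here.
 *
 * Build: cc -Wall -o stale_openssl stale_openssl.c ; run as root to see all PIDs
 * (unprivileged users can only read maps of their own processes).
 * Statically linked binaries have no libssl mapping and are NOT found here.
 */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* One /proc/PID/maps line, e.g.
 *   7f3a0000-7f3b0000 r-xp 00000000 08:01 1234  /usr/lib/libssl.so.1.0.0 (deleted)
 * Returns 1 if it maps an OpenSSL library whose file on disk has been replaced. */
int is_stale_openssl_mapping(const char *line)
{
    const char *path = strchr(line, '/');          /* start of the pathname field */
    if (path == NULL)
        return 0;                                  /* anonymous mapping, no file */
    if (strstr(path, "libssl.so") == NULL && strstr(path, "libcrypto.so") == NULL)
        return 0;                                  /* some other file */
    return strstr(path, "(deleted)") != NULL;
}

/* Count stale OpenSSL mappings of one process and print the first one to `out`
 * (a library maps several segments, so a count above 1 is normal). */
int scan_pid(const char *pid, FILE *out)
{
    char fname[300], line[1024];
    int hits = 0;
    snprintf(fname, sizeof fname, "/proc/%s/maps", pid);
    FILE *f = fopen(fname, "r");
    if (f == NULL)
        return 0;                                  /* no permission, or it exited */
    while (fgets(line, sizeof line, f) != NULL) {
        if (is_stale_openssl_mapping(line)) {
            if (hits == 0 && out != NULL)
                fprintf(out, "PID %s still maps %s", pid, strchr(line, '/'));
            hits++;
        }
    }
    fclose(f);
    return hits;
}

/* Walk /proc and report every PID still running the old library.
 * Exit status 1 when something still needs a restart, 0 when clean. */
int main(void)
{
    DIR *proc = opendir("/proc");
    struct dirent *de;
    int affected = 0;
    if (proc == NULL) {
        perror("/proc");
        return 2;
    }
    while ((de = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0]))
            continue;                              /* not a PID directory */
        if (scan_pid(de->d_name, stdout) > 0)
            affected++;
    }
    closedir(proc);
    printf("%d process(es) still using a replaced OpenSSL library\n", affected);
    return affected > 0 ? 1 : 0;
}
```

The scan is a post-update sanity check, not a vulnerability test: a process can map a current, patched libssl and still be vulnerable if the distribution's package was not fixed, so pair it with the vendor's package advisory rather than the upstream version string alone.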

Because Heartbleed allowed attackers to disclose private keys, any key that lived in the memory of a vulnerable server must be treated as compromised: keypairs must be regenerated, the certificates that use them reissued, and the old certificates revoked. Heartbleed could also disclose other in-memory secrets, so other authentication material such as passwords and session tokens should be regenerated as well. It is rarely possible to confirm that an affected system was not compromised, or to determine whether a specific piece of information was leaked; the over-read happens inside the TLS layer, so an attack leaves no entry in ordinary application logs.

Since it is difficult or impossible to determine when a credential might have been compromised and how an attacker might have used it, certain systems may warrant additional remediation work even after patching the vulnerability and replacing credentials. For example, signatures made by keys that were in use with a vulnerable OpenSSL version might well have been made by an attacker; this raises the possibility that integrity has been violated, and opens those signatures to repudiation.

Validation of signatures, and of the legitimacy of other authentications made with a potentially compromised key such as client certificate use, must be assessed with regard to the specific system involved. Since Heartbleed threatened the privacy of private keys, users of a website that was compromised could continue to suffer from its effects until their browser is made aware of the certificate revocation or the compromised certificate expires; because most browsers treat a failed revocation check as a soft failure, revocation alone does not reliably protect them.

David A. Wheeler's paper How to Prevent the next Heartbleed analyzes why Heartbleed was not discovered earlier, and suggests several techniques that could have led to faster identification, as well as techniques that could have reduced its impact. According to Wheeler, the most efficient technique that could have prevented Heartbleed is a test suite that thoroughly performs robustness testing.

Wheeler highlights that a single general-purpose test suite could serve as a base for all TLS implementations. According to an article on The Conversation written by Robert Merkel, Heartbleed revealed a massive failure of risk analysis. Merkel thinks OpenSSL gives more importance to performance than to security, which in his opinion no longer makes sense. Merkel explains that two aspects determine the risk that more similar bugs will cause vulnerabilities.

First, the library's source code influences the risk of writing bugs with such an impact. Second, OpenSSL's processes affect the chances of catching bugs quickly. On the first aspect, Merkel mentions the use of the C programming language as one risk factor that favored Heartbleed's appearance, echoing Wheeler's analysis.

The author of the change that introduced Heartbleed, Robin Seggelmann, stated that he missed validating a variable containing a length and denied any intention to submit a flawed implementation. The OpenSSL foundation's president, Steve Marquess, said, "The mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn't happened more often," and "Think about it, OpenSSL only has two [fulltime] people to write, maintain, test, and review , lines of business critical code."
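The length check Seggelmann describes missing, and the private-key disclosure discussed earlier, can be shown on a small model. The program below is an added example for this page, not OpenSSL's own code: it models the shape of OpenSSL's tls1_process_heartbeat() before the fix (versions 1.0.1 through 1.0.1f) and after it (1.0.1g), on a heartbeat message laid out as RFC 6520 specifies (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding). The `arena` that stands in for process memory, make_arena(), demo() and the "PRIVATE-KEY-BYTES" secret are constructed for the demonstration. The same declared-length-versus-bytes-present relation that the fixed handler enforces is what a wire-side detector such as the Snort rules mentioned above tests on a heartbeat request, so hb_declared_len_exceeds_record() doubles as that detection predicate.

```c
/*
 * heartbeat_demo.c: the missing length check behind Heartbleed on a simplified
 * model of OpenSSL's tls1_process_heartbeat(): the unchecked shape (1.0.1 to
 * 1.0.1f) beside the checked one (1.0.1g). Added example, not OpenSSL's code.
 * Message layout per RFC 6520; struct arena, make_arena() and demo() are
 * invented for the demonstration.
 *
 * Build and run: cc -Wall -o heartbeat_demo heartbeat_demo.c && ./heartbeat_demo
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16        /* RFC 6520: at least 16 bytes of padding */
#define ARENA_SIZE  128

/* Stand-in for process memory: the received record at the start and something
 * sensitive right after it, as keys shared OpenSSL's heap with received data. */
struct arena {
    uint8_t mem[ARENA_SIZE];
    size_t  record_len;       /* bytes the TLS record layer actually delivered */
};

/* Request claiming claimed_len payload bytes but carrying actual_len, then
 * padding, then `secret` as the heap neighbour. Keep claimed_len <= ARENA_SIZE-3
 * so the over-read stays inside this buffer (beyond it would be UB in the demo). */
void make_arena(struct arena *a, uint16_t claimed_len,
                const uint8_t *payload, size_t actual_len, const char *secret)
{
    memset(a->mem, 0xAA, sizeof a->mem);
    a->mem[0] = HB_REQUEST;
    a->mem[1] = (uint8_t)(claimed_len >> 8);
    a->mem[2] = (uint8_t)(claimed_len & 0xFF);
    memcpy(a->mem + 3, payload, actual_len);
    memset(a->mem + 3 + actual_len, 0x00, HB_PADDING);
    a->record_len = 3 + actual_len + HB_PADDING;
    memcpy(a->mem + a->record_len, secret, strlen(secret));
}

/* The check 1.0.1g added: does the declared payload fit in the bytes received?
 * Returns 1 when it does not. A wire-side detector tests the same relation. */
int hb_declared_len_exceeds_record(const uint8_t *rec, size_t record_len)
{
    if (1 + 2 + HB_PADDING > record_len)
        return 1;                                  /* not even a full header */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return 1 + 2 + (size_t)payload + HB_PADDING > record_len;
}

/* Vulnerable shape: the attacker-supplied length drives the memcpy, so the
 * response echoes whatever lies beyond a short record. out must hold
 * 3 + 65535 + HB_PADDING bytes. Returns the response length. */
size_t heartbeat_vulnerable(const struct arena *a, uint8_t *out)
{
    uint16_t payload = (uint16_t)((a->mem[1] << 8) | a->mem[2]);   /* n2s() */
    if (a->mem[0] != HB_REQUEST)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = a->mem[1];
    out[2] = a->mem[2];
    memcpy(out + 3, a->mem + 3, payload);          /* the over-read */
    memset(out + 3 + payload, 0, HB_PADDING);      /* padding (zeros here) */
    return 3 + payload + HB_PADDING;
}

/* Hardened shape: silently discard when the length does not fit (RFC 6520 sec. 4);
 * after that one check the original copy is safe. */
size_t heartbeat_fixed(const struct arena *a, uint8_t *out)
{
    if (hb_declared_len_exceeds_record(a->mem, a->record_len))
        return 0;                                  /* no response at all */
    return heartbeat_vulnerable(a, out);
}

/* Did the response carry the secret that lived beyond the record? */
int response_leaks(const uint8_t *out, size_t outlen, const char *secret)
{
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= outlen; i++)
        if (memcmp(out + i, secret, slen) == 0)
            return 1;
    return 0;
}

/* Constructed scenario: a 4-byte "ping" that claims claimed_len bytes. Returns 1
 * if the chosen handler leaked the secret; *outlen receives the response length. */
static const uint8_t kPayload[] = { 'p', 'i', 'n', 'g' };
static const char    kSecret[]  = "PRIVATE-KEY-BYTES";

int demo(int use_fixed, uint16_t claimed_len, size_t *outlen)
{
    static uint8_t out[3 + 65535 + HB_PADDING];
    struct arena a;
    make_arena(&a, claimed_len, kPayload, sizeof kPayload, kSecret);
    *outlen = use_fixed ? heartbeat_fixed(&a, out) : heartbeat_vulnerable(&a, out);
    return *outlen ? response_leaks(out, *outlen, kSecret) : 0;
}

int main(void)
{
    size_t n; int leak;
    leak = demo(0, 60, &n); printf("vulnerable, claims 60: leak=%d, %zu-byte response\n", leak, n);
    leak = demo(1, 60, &n); printf("fixed, claims 60:      leak=%d, %zu-byte response\n", leak, n);
    leak = demo(1, 4, &n);  printf("fixed, honest 4:       leak=%d, %zu-byte response\n", leak, n);
    return 0;
}
```

The only difference between the two handlers is the single comparison in heartbeat_fixed(); everything else, including the copy, is identical. That is the point of Seggelmann's statement: the data path was correct for well-formed input, and nothing in it rejected a length that the sender chose.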

Wheeler described audits as an excellent way to find vulnerabilities in typical cases, but noted that "OpenSSL uses unnecessarily complex structures, which makes it harder for both humans and machines to review" and that "There should be a continuous effort to simplify the code, because otherwise just adding capabilities will slowly increase the software complexity. The code should be refactored over time to make it simple and clear, not just constantly add new features."

LibreSSL made a big code cleanup, removing more than 90, lines of C code in its first week alone. According to security researcher Dan Kaminsky, Heartbleed is a sign of an economic problem that needs to be fixed. Seeing the time it took to catch this simple error in a simple feature of a "critical" dependency, Kaminsky fears numerous future vulnerabilities if nothing is done. When Heartbleed was discovered, OpenSSL was maintained by a handful of volunteers, only one of whom worked full-time.

Paul Chiusano suggested Heartbleed may have resulted from failed software economics. The industry's collective response to the crisis was the Core Infrastructure Initiative , a multimillion-dollar project announced by the Linux Foundation on April 24, to provide funds to critical elements of the global information infrastructure.

After the discovery, Google established Project Zero, which is tasked with finding zero-day vulnerabilities to help secure the Web and society.


Linksys statement: "We are aware of the Heartbleed OpenSSL vulnerability; however, after thorough testing of our product lines, we can confirm that our routers are not impacted. Linksys routers do use OpenSSL; however, our product line uses another version that is ."

Cisco Event Response: OpenSSL Heartbleed Vulnerability CVE. Threat Summary, April 22: "This information has been produced in reference to the recent OpenSSL Heartbleed vulnerability that has been made public at xlusive.ml"