Published April 11, 2014
Network equipment makers are warning customers that a bug found in a widely used Internet encryption tool also affects some of their products.
Cyber-security researchers recently uncovered the security flaw, nicknamed Heartbleed, in certain versions of OpenSSL software, which many websites use to encrypt web communications. Through the vulnerability, hackers can retrieve usernames, passwords and credit card numbers from data held in a server’s memory.
Now Cisco Systems (CSCO) and Juniper Networks (JNPR), two of the biggest companies making network equipment, are working on fixes for their Internet gear. Both companies published a list of products and software that contain the bug.
According to a security alert from Cisco, the company has confirmed many of its routers, switches and wireless access points are safe from Heartbleed. Cisco said it is in the process of investigating its full product line.
Juniper is telling customers that certain versions of its Junos Pulse security app and other clients are vulnerable. The company started issuing patches for some versions of its virtual private network (VPN) software earlier this week.
“We are working around the clock to provide fixed versions of code for our affected products,” Juniper said in a memo on its website.
Linksys, a manufacturer of routers and other gear, tested its product lines and found no vulnerabilities, according to a message posted on the company’s support website. A spokesperson for parent company Belkin confirmed that its products aren't vulnerable to Heartbleed.
The U.S. Department of Homeland Security has sounded the alarm over Heartbleed, telling system administrators to consider implementing Perfect Forward Secrecy, a property of encrypted connections that prevents past Internet communications from being compromised by future breaches.
Larry Zelvin, director of the agency’s National Cybersecurity and Communications Integration Center, said web users should keep a close eye on email and bank accounts for suspicious activity.
“While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyberspace could exploit un-patched systems,” Zelvin wrote in a blog post on Friday.